gpgme's override-session-key property leaks into the process table
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Nov 16 07:22:11 CET 2016
Hi all--

Werner, thanks for integrating the session-key stuff in gpgme!

I just noticed that setting the session key via gpgme will leak the
session key to the process table. :(

That seems a little troubling: it means that on a typical machine (with
global process table visibility) someone who sees an encrypted message
in transit and monitors the process table could grab the session key
from a user who uses a tool that uses this feature.

Fixing this would probably require fixing gpg itself
(e.g. --override-session-key-fd or --override-session-key-envvar) and
then adjusting how it's invoked in gpgme.

I don't plan on using --override-session-key immediately (harvesting
with --export-session-key comes first), but eventually someone will, and
this could be a bad outcome. Should we add a warning to the
documentation at the moment in lieu of a fix? Or should we just fix it
before release?

Sorry to raise these concerns when we're trying to do a release, I want
to make sure we're clear about the tradeoffs to any developers who might
rely on gpgme for this.

--dkg
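
The difference between passing a secret on the command line and passing it over a file descriptor, as the message proposes, shown as an added example that is not part of the original post and is not gpg or gpgme code. It assumes Linux with /proc; `SECRET`, `CHILD`, `proc_cmdline` and `run` are hypothetical names, and the child is a stand-in process, not gpg.

```python
import hashlib
import os
import subprocess
import sys

# Constructed placeholder, not a real session key.
SECRET = "constructed-placeholder-session-key"

# Hypothetical child standing in for a tool that needs a secret. It takes the
# secret from argv, or reads it from an inherited file descriptor, then prints
# a SHA-256 of what it received and waits until the parent closes stdin.
CHILD = r"""
import hashlib, os, sys
mode, value = sys.argv[1], sys.argv[2]
secret = value if mode == "argv" else os.fdopen(int(value)).read()
print(hashlib.sha256(secret.encode()).hexdigest(), flush=True)
sys.stdin.read()
"""

def proc_cmdline(pid):
    """Return argv of a live process as the process table exposes it."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode() for a in f.read().split(b"\0") if a]

def run(mode):
    """Hand SECRET to the child via 'argv' or 'fd'.

    Returns (argv seen in /proc, True if the child received the secret)."""
    rfd = wfd = None
    if mode == "argv":
        value, pass_fds = SECRET, ()
    else:
        rfd, wfd = os.pipe()
        value, pass_fds = str(rfd), (rfd,)  # argv carries only the fd number
    cmd = [sys.executable, "-c", CHILD, mode, value]
    with subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          pass_fds=pass_fds) as p:
        if wfd is not None:
            os.close(rfd)                    # parent keeps only the write end
            os.write(wfd, SECRET.encode())
            os.close(wfd)                    # EOF lets the child finish reading
        digest = p.stdout.readline().decode().strip()
        seen = proc_cmdline(p.pid)           # child is still alive here
        p.stdin.close()
    return seen, digest == hashlib.sha256(SECRET.encode()).hexdigest()

if __name__ == "__main__":
    for mode in ("argv", "fd"):
        seen, ok = run(mode)
        print(mode, "leaked" if SECRET in seen else "not in argv", ok)
```

In both modes the child receives the same secret; only in the argv mode does it appear in the process table entry.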