gpgme's override-session-key property leaks into the process table

Daniel Kahn Gillmor dkg at
Wed Nov 16 07:22:11 CET 2016

Hi all--

Werner, thanks for integrating the session-key stuff in gpgme!

I just noticed that setting the session key via gpgme will leak the
session key to the process table. :(

That seems a little troubling: it means that on a typical machine (with
global process table visibility) someone who sees an encrypted message
in transit and monitors the process table could grab the session key
From a user who uses a tool that uses this feature.

Fixing this would probably require fixing gpg itself
(e.g. --override-session-key-fd or --override-session-key-envvar) and
then adjusting how it's invoked in gpgme.

i don't plan on using --override-session-key immediately (harvesting
with --export-session-key comes first), but eventually someone will, and
this could be a bad outcome.  Should we add a warning to the
documentation at the moment in lieu of a fix?  or should we just fix it
before release?

sorry to raise these concerns when we're trying to do a release, i want
to make sure we're clear about the tradeoffs to any developers who might
rely on gpgme for this.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 962 bytes
Desc: not available
URL: </pipermail/attachments/20161116/d8000c37/attachment.sig>

More information about the Gnupg-devel mailing list