Re: [Mutt] #580: mutt stores PGP passphrase insecurely
- To: md@xxxxxxxx, arturcz@xxxxxxx, brendan@xxxxxxxxxx, brian@xxxxxxxxxxxxx, invalid@xxxxxxxxxxxxxx, ttakah@xxxxxxxxxxxxxxxxx, roessler@xxxxxxxxxxxxxxxxxx, wk@xxxxxxxxx, antonio@xxxxxxxx, paul@xxxxxxxxxxxxxxx, pdmef@xxxxxxx, petr.pisar@xxxxxxxx
- Subject: Re: [Mutt] #580: mutt stores PGP passphrase insecurely
- From: Mutt <fleas@xxxxxxxx>
- Date: Mon, 27 Jul 2009 15:42:52 -0000
- Auto-submitted: auto-generated
- Cc: mutt-dev@xxxxxxxx, 96144@xxxxxxxxxxxxxxx
- In-reply-to: <058.5fa77f122be3996dabecb666b4de6ee9@xxxxxxxx>
- Mail-followup-to: fleas@xxxxxxxx
- References: <058.5fa77f122be3996dabecb666b4de6ee9@xxxxxxxx>
- Reply-to: fleas@xxxxxxxx
#580: mutt stores PGP passphrase insecurely
-----------------------------------------+----------------------------------
Reporter: Marco d'Itri <md@xxxxxxxx> | Owner: mutt-dev
Type: defect | Status: reopened
Priority: trivial | Milestone:
Component: crypto | Version: 1.5.19
Resolution: | Keywords:
-----------------------------------------+----------------------------------
Comment(by petr_p):
I looked through the code to see how passwords are processed. Whereas the PGP
and SMIME code is straightforward and the password is stored in a static
buffer only, the ACCOUNT password (used for SASL, SMTP etc.) is really one
big mess where the buffer is copied and copied.
I can't see any easy way to catch all password occurrences and to get a
balanced mlock-munlock dance around them.
To make things worse, the code (even the PGP and SMIME code) is written in a
fashion that gets the password and sometimes erases the password buffer just
before getting a new password. That means the password is practically
`never' removed, even after the password lifetime elapses.
So it's reasonable to mlock the buffers for PGP and SMIME on mutt start and
never unlock them. Thus we will have possibly 2 pages (8 kB on x86) locked
forever. However, I don't know what to do with the rest of the password
buffers.
If somebody is interested, I wrote a simple counting memory page locking
manager solving the problems described in my previous comment (address
alignment, page sharing). However, due to mutt's style, it's unusable in this
situation.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/580#comment:20>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
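The comment above describes a "counting memory page locking manager" that handles address alignment and page sharing, and proposes locking the static PGP and SMIME passphrase buffers at startup and wiping them when their lifetime elapses. The following is an added illustration of that idea, written for this page; it is not the ticket author's manager and not mutt code. The buffer names `pgp_pass` and `smime_pass`, the table size, and the "constructed-passphrase" value are assumptions made for the example. Each page overlapped by a registered buffer gets a reference count; `mlock()` is called only on the 0->1 transition and `munlock()` only on the 1->0 transition, so two buffers sharing a page, or one buffer straddling two pages, are counted correctly and one caller's unlock cannot expose another caller's secret.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

#define MAX_PAGES 64   /* assumption: small fixed table is enough here */

/* One entry per distinct page: its address and how many registered
 * buffers currently overlap it. */
struct page_ref { uintptr_t page; int count; };

static struct page_ref refs[MAX_PAGES];
static int nrefs = 0;
int mlock_failures = 0;   /* mlock() can fail under RLIMIT_MEMLOCK */

/* Hypothetical passphrase buffers standing in for mutt's static ones. */
static char pgp_pass[128];
static char smime_pass[128];

static uintptr_t page_size(void) {
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (uintptr_t)ps : 4096;
}

static struct page_ref *find_ref(uintptr_t page) {
    for (int i = 0; i < nrefs; i++)
        if (refs[i].page == page) return &refs[i];
    return NULL;
}

/* Reference count of the page containing addr; 0 if not registered. */
int page_refcount(const void *addr) {
    struct page_ref *r = find_ref((uintptr_t)addr & ~(page_size() - 1));
    return r ? r->count : 0;
}

/* Register [buf, buf+len): every overlapped page is counted, and pages
 * whose count goes 0->1 are mlock()ed. Returns the number of such
 * transitions, or -1 if the table is full. */
int lock_region(const void *buf, size_t len) {
    uintptr_t ps = page_size();
    uintptr_t start = (uintptr_t)buf & ~(ps - 1);                 /* align down */
    uintptr_t end = ((uintptr_t)buf + len + ps - 1) & ~(ps - 1);  /* align up */
    int transitions = 0;
    for (uintptr_t p = start; p < end; p += ps) {
        struct page_ref *r = find_ref(p);
        if (r) { r->count++; continue; }          /* page already locked: share it */
        if (nrefs >= MAX_PAGES) return -1;
        refs[nrefs].page = p; refs[nrefs].count = 1; nrefs++;
        transitions++;
        if (mlock((void *)p, ps) != 0) mlock_failures++;
    }
    return transitions;
}

/* Inverse of lock_region: pages whose count drops to 0 are munlock()ed. */
void unlock_region(const void *buf, size_t len) {
    uintptr_t ps = page_size();
    uintptr_t start = (uintptr_t)buf & ~(ps - 1);
    uintptr_t end = ((uintptr_t)buf + len + ps - 1) & ~(ps - 1);
    for (uintptr_t p = start; p < end; p += ps) {
        struct page_ref *r = find_ref(p);
        if (!r || --r->count > 0) continue;
        munlock((void *)p, ps);
        *r = refs[--nrefs];                       /* drop entry: swap with last */
    }
}

/* Zero a secret; the volatile pointer keeps the compiler from eliding it. */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* The flow the comment proposes: lock both passphrase buffers at startup,
 * wipe the passphrase when its lifetime elapses, keep the pages locked.
 * Returns 0 on success. Unlocks at the end only so the table is left clean
 * for other callers; mutt itself would keep the pages locked for good. */
int demo_startup_lock(void) {
    if (lock_region(pgp_pass, sizeof pgp_pass) < 0) return -1;
    if (lock_region(smime_pass, sizeof smime_pass) < 0) return -1;
    snprintf(pgp_pass, sizeof pgp_pass, "%s", "constructed-passphrase");
    secure_wipe(pgp_pass, sizeof pgp_pass);       /* passphrase lifetime elapsed */
    int ok = pgp_pass[0] == 0 && page_refcount(pgp_pass) >= 1;
    unlock_region(smime_pass, sizeof smime_pass);
    unlock_region(pgp_pass, sizeof pgp_pass);
    return ok ? 0 : -2;
}

int main(void) {
    printf("demo: %d, mlock failures: %d\n", demo_startup_lock(), mlock_failures);
    return 0;
}
```

Note that `mlock()` keeps the pages out of swap but does nothing about copies the program itself makes; that is exactly why the comment calls the ACCOUNT password path unmanageable, since every `strdup` or `strfcpy` of the buffer lands on a page this manager never saw. A non-zero `mlock_failures` after startup usually means `RLIMIT_MEMLOCK` is too low for the process and is worth surfacing rather than ignoring.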