#580: mutt stores PGP passphrase insecurely
-----------------------------------------+----------------------------------
  Reporter:  Marco d'Itri <m...@linux.it>  |       Owner:  mutt-dev
      Type:  defect                        |      Status:  reopened
  Priority:  trivial                       |   Milestone:
 Component:  crypto                        |     Version:  1.5.19
Resolution:                                |    Keywords:
-----------------------------------------+----------------------------------
Changes (by pdmef):

  * component:  mutt => crypto

New description:

 {{{
 Package: mutt
 Version: 1.3.15-2

 [NOTE: this bug report has been submitted to the debian BTS as Bug#96144.
 Please Cc all your replies to 96...@bugs.debian.org.]

 From: Brian Ristuccia <br...@ristuccia.com>
 Subject: mutt stores PGP passphrase insecurely
 Date: Thu, 3 May 2001 01:44:50 -0400

 When caching passphrases, mutt uses memory that's not locked. The passphrase
 can be recovered if that part of mutt's address space is swapped to disk. In
 order for the secret key to remain secure in the event that the machine is
 lost or stolen, the memory area occupied by the passphrase must be locked to
 prevent the swap file from being contaminated with the passphrase. Note that
 mutt zeros out the passphrase when it times out, but there's no guarantee
 that any old blocks on the swap space will be overwritten before the machine
 is shut down or stolen. This issue is of particular importance with laptop
 computers, since PGP encryption is the only thing standing between an
 unauthorized reader and your email should the machine get stolen.

 Since Linux 2.2.x and 2.4.x don't seem to allow ordinary users to lock even
 small amounts of memory, one potential solution would be to have mutt
 executed by a wrapper program that passes it a locked shared memory segment
 just big enough to hold the passphrase. Swap over an encrypted loopback
 filesystem initialized with a throwaway key at each reboot is a workaround.
 But using an encrypted loopback filesystem is computationally intensive and
 might drain batteries prematurely, especially on smaller laptops. A kernel
 level swap cleaner daemon that overwrites recently freed swap blocks would
 also work, but with a similar battery life penalty.

 --
 Brian Ristuccia
 br...@ristuccia.com
 brist...@cs.uml.edu

 >How-To-Repeat:
 >Fix:
 }}}

--
Ticket URL: <http://dev.mutt.org/trac/ticket/580#comment:18>
Mutt <http://www.mutt.org/>
The Mutt mail user agent