#580: mutt stores PGP passphrase insecurely
-+--
Reporter: Marco d'Itri | Owner: mutt-dev
Type: defect | Status: reopened
Priority: trivial | Milestone:
Patch forwarded upstream, let's see what happens
Cheers
Antonio
On Fri, Sep 22, 2006 at 09:03:17AM -0400, David Shaw wrote:
> For portability, it might be good to make the address being locked land on
> a page boundary as the POSIX spec for mlock allows this to be an optional
You're probably right, but I'm afraid I don't know how you do this from
user-space.
On Fri, Sep 22, 2006 at 01:21:19PM +0100, Paul Walker wrote:
> On Thu, Sep 21, 2006 at 06:50:06PM -0400, David Shaw wrote:
>
> > At least on Linux, mutt can do the right thing with storing
> > passphrases securely. This may be true on other systems as well, but
> > I can only say for sure about L
On Fri, Sep 22, 2006 at 13:21:19 +0100, Paul Walker wrote:
> It doesn't do anything except log a debug message if it can't lock/unlock
> memory, which to me seems harmless but it's possible other systems might
> take exception to a non-root process trying to mlock. Could people using
> *BSD, Solari
On Thu, Sep 21, 2006 at 06:50:06PM -0400, David Shaw wrote:
> At least on Linux, mutt can do the right thing with storing
> passphrases securely. This may be true on other systems as well, but
> I can only say for sure about Linux,
A quick experiment seems to show that's true. The attached patch
Synopsis: mutt stores PGP passphrase insecurely
Comment added by paul on Fri, 22 Sep 2006 00:07:57 +0200
This one's going nowhere fast. Nobody's come up with an effective (and
practical) way of securing mutt, and tamo's demo only really proves that
insecure memory is written to swap (
Earlier in this bug it was stated that a process must be root to
mlock() memory under Linux. That was true back then (this is a
long-lived bug), but it is no longer true in more modern kernels.
These days, any process can mlock() however much memory the user
chooses to allow it to lock (set via ul
The following reply was made to PR mutt/580; it has been noted by GNATS.
From: TAKAHASHI Tamotsu <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc:
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Mon, 24 Oct 2005 23:13:49 +0900
* Sun Oct 9 2005 Derek Martin <[E
* Sun Oct 9 2005 Derek Martin <[EMAIL PROTECTED]>
> On Fri, Oct 07, 2005 at 02:42:51PM +0200, Thomas Roessler wrote:
> > On 2005-10-07 04:35:02 +0200, Derek Martin wrote:
> > > Admittedly this is not a severe issue, but it is a legitimate
> > > security concern. I think this really ought to be
The following reply was made to PR mutt/580; it has been noted by GNATS.
From: Thomas Roessler <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], Mutt Developers <[EMAIL PROTECTED]>,
[EMAIL PROTECTED], [EMAIL PROTECTED]
Cc:
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Mon, 1
On 2005-10-09 11:03:25 -0400, Derek Martin wrote:
> Well, this is very far from my area of expertise; but we all know
> someone for whom this kind of issue is near and dear... Does
> Werner have anything to say about this? I could do some
> research, but I think it would be better to get input f
The following reply was made to PR mutt/580; it has been noted by GNATS.
From: Derek Martin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], Mutt Developers <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Sun, 9 Oct 2005
On Fri, Oct 07, 2005 at 02:42:51PM +0200, Thomas Roessler wrote:
> On 2005-10-07 04:35:02 +0200, Derek Martin wrote:
>
> > Er, well, come on... just because Mutt *can* use an auxiliary
> > program to handle encryption passphrases securely doesn't mean
> > mutt itself should completely ignore t
The following reply was made to PR mutt/580; it has been noted by GNATS.
From: Thomas Roessler <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Mutt Developers <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Fri, 7 Oct 2005 14:42:51 +0200
On
On 2005-10-07 04:35:02 +0200, Derek Martin wrote:
> Er, well, come on... just because Mutt *can* use an auxiliary
> program to handle encryption passphrases securely doesn't mean
> mutt itself should completely ignore the issue. As shipped,
> mutt is vulnerable.
> Admittedly this is not a
Synopsis: mutt stores PGP passphrase insecurely
State-Changed-From-To: closed->chatting
State-Changed-By: tamo
State-Changed-When: Fri, 07 Oct 2005 10:54:07 +0200
State-Changed-Why:
Derek complains.
Comment added by tamo on Fri, 07 Oct 2005 10:54:07 +0200
reopen as a doc-bug (chatti
The following reply was made to PR mutt/580; it has been noted by GNATS.
From: Derek Martin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Mutt Developers <[EMAIL PROTECTED]>, "Marco d'Itri" <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date:
On Wed, Oct 05, 2005 at 05:55:17AM +0200, Brendan Cully wrote:
> Synopsis: mutt stores PGP passphrase insecurely
> State-Changed-From-To: open->closed
> State-Changed-Why:
> Mutt can use gpg-agent, which pushes this problem outside of mutt's domain.
Er, well, come on... just because Mutt *can* us
Synopsis: mutt stores PGP passphrase insecurely
State-Changed-From-To: open->closed
State-Changed-By: brendan
State-Changed-When: Wed, 05 Oct 2005 05:55:17 +0200
State-Changed-Why:
Mutt can use gpg-agent, which pushes this problem outside of mutt's domain.
Comment added by brendan on Wed,