[vile] vile's security flaw in gnugpg macros

From: Paul Fox
Subject: [vile] vile's security flaw in gnugpg macros
Date: Fri, 11 Apr 2014 13:19:56 -0400

while playing with the gnugpg macros in gnugpg.rc, i noticed that
after an encrypt or decrypt operation, the key used for the operation
is available in plaintext if the user undoes the en/decryption.  (this
is due to the macros making use of the first line of the current
buffer as a holding area for the key -- gpg is invoked as a filter on
that line.)

one fix would be to disable the undo stack across the en/decryption
operation.  i was testing that possibility when i hit the "set" failure
described in my previous mail.

 paul fox, address@hidden (arlington, ma, where it's 66.4 degrees)
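
The leak described in the mail above, shown as an added example that is not part of the original message and is not vile's or gnugpg.rc's code. It is a constructed Python model that assumes a snapshot-based undo stack and a toy XOR filter standing in for gpg; `Buffer`, `toy_cipher`, `encrypt` and `key_exposed_by_undo` are hypothetical names.

```python
from contextlib import contextmanager, nullcontext

class Buffer:
    """Constructed toy model of an editor buffer with snapshot-based undo."""
    def __init__(self, lines):
        self.lines = list(lines)
        self.undo_stack = []      # earlier buffer states, newest last
        self.recording = True

    def _checkpoint(self):
        if self.recording:
            self.undo_stack.append(list(self.lines))

    def insert_line(self, index, text):
        self._checkpoint()
        self.lines.insert(index, text)

    def filter_with_key_line(self, fn):
        # Stand-in for piping the buffer through gpg: line 0 holds the key
        # and the filter output replaces the whole buffer.
        self._checkpoint()
        key, body = self.lines[0], self.lines[1:]
        self.lines = [fn(key, line) for line in body]

    def undo(self):
        if self.undo_stack:
            self.lines = self.undo_stack.pop()

    @contextmanager
    def undo_suspended(self):
        # Models the fix floated in the mail: record nothing across the operation.
        self.recording = False
        try:
            yield
        finally:
            self.recording = True

def toy_cipher(key, line):
    # NOT real cryptography; only makes the filter step visible.
    k = key.encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(line.encode())).hex()

def encrypt(buf, key, suspend_undo):
    with buf.undo_suspended() if suspend_undo else nullcontext():
        buf.insert_line(0, key)               # key parked on the first line
        buf.filter_with_key_line(toy_cipher)  # key line consumed by the filter

def key_exposed_by_undo(buf, key):
    """Walk back through the undo history; True if any state shows the key."""
    while buf.undo_stack:
        buf.undo()
        if key in buf.lines:
            return True
    return False
```

In this model the suspended variant also makes the en/decryption itself impossible to undo, which is the trade-off of that fix.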
