GNU bug report logs - #23915
24.5; editing *.gpg file through emacs presents an unclean (and unsafe) round trip

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs; Reported by: Daniel Kahn Gillmor <dkg@HIDDEN>; Keywords: security; dated Fri, 8 Jul 2016 10:14:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at submit <at>

From: Daniel Kahn Gillmor <dkg@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 24.5;
 editing *.gpg file through emacs presents an unclean (and unsafe)
 round trip
User-Agent: Notmuch/0.22+69~gd812194 ( Emacs/24.5.1
Date: Thu, 07 Jul 2016 19:56:24 -0400
Message-ID: <87mvlthujb.fsf@HIDDEN>

If I edit a file whose name matches the glob *.gpg in emacs, gpg
decrypts it (I'm prompted by the gpg-agent for my passphrase) and I am
presented with the cleartext version of the file to edit.

When I save, it re-encrypts the file.

This is a sensible workflow in general, but there are several strange
properties that make it not a clean round-trip:

 a) the original file may or may not have been ascii-armored.  The saved
    file is always raw (not ascii-armored).

 b) the original file may have had an OpenPGP signature inside the
    encryption.  The saved file never has a signature.

 c) the original file may have been encrypted to multiple recipients (in
    OpenPGP terms, there are multiple PKESKs, one for each recipient).
    The saved file will be encrypted to every recipient whose public key
    (as identified by the key ID in the PKESKs) is present in the
    editor's keyring.  (If the file also was passphrase-encrypted, the
    SKESK is dropped.)

I think the right approach to resolve these would be:

 A) remember whether the file was ASCII-armored initially or not, and
    use that value when saving.

 B) If an OpenPGP signature was present in the document when opening,
    warn (with e.g. *Messages* ? prompting for confirmation?) when
    trying to save that the resulting file will destroy the signature.

 C) if more than a single PKESK or SKESK is present when opening, warn
    (again, with *Messages* ? prompting for confirmation?) when trying
    to save that all other PKESKs or SKESKs will be dropped for the
    re-saved file.

The resolution (C) is unsatisfying, but there is no safe/complete answer
given the OpenPGP data structure:

On the one hand, we can't guarantee replication of the full set of
recipients PKESKs, because the editor may not have the associated public
keys in her keyring.

On the other hand, the PKESKs are not cryptographically-authenticated at
all.  So if we re-encrypt to all, an attack presents itself:

 * Mallory knows that Alice and Bob are planning something;

 * Mallory knows the secret key according to some encryption-capable
   public key X in Alice's public keyring;

 * Mallory intercepts an encrypted document D sent from Bob to Alice.

 * Mallory prepends D with a phony PKESK with the key ID of X, creating
   new document D'

 * Mallory replaces D with D' in Bob's message to Alice.

 * Alice edits the document, creating new document E, and sends E back
   to Bob.

 * Mallory intercepts E, decrypts it with X, strips the extra
   PKESK creating E', and forwards E' on to Bob.

Hope this makes sense!  Happy to clarify if you have any questions.


In GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
 of 2016-04-08 on binet, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11803000
System Description:	Debian GNU/Linux testing/unstable

Configured using:
 `configure --build x86_64-linux-gnu --prefix=/usr
 --sharedstatedir=/var/lib --libexecdir=/usr/lib
 --localstatedir=/var/lib --infodir=/usr/share/info
 --mandir=/usr/share/man --with-pop=yes
 --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib
 --libexecdir=/usr/lib --localstatedir=/var/lib
 --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes
 --with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars
 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat
 -Werror=format-security -Wall' 'CPPFLAGS=-Wdate-time

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  diff-auto-refine-mode: t
  savehist-mode: t
  display-time-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
Loading /etc/emacs/site-start.d/51debian-el.el (source)...done
No desktop file.
For information about GNU Emacs and the GNU system, type C-h C-a.
Decrypting /home/dkg/tmp/foo.gpg...done
End of buffer
Saving file /home/dkg/tmp/foo.gpg...
Buffer foo.gpg does not end in newline.  Add one? (y or n) y
Encrypting /home/dkg/tmp/foo.gpg... [2 times]
Wrote /home/dkg/tmp/foo.gpg [2 times]

Load-path shadows:
/usr/share/emacs24/site-lisp/cmake-data/cmake-mode hides /usr/share/emacs/site-lisp/cmake-mode
/usr/share/emacs/24.5/site-lisp/debian-startup hides /usr/share/emacs/site-lisp/debian-startup
/usr/share/emacs/site-lisp/rst hides /usr/share/emacs/24.5/lisp/textmodes/rst


Acknowledgement sent to Daniel Kahn Gillmor <dkg@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#23915; Package emacs. Full text available.
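
The checks proposed as resolutions (A) and (C) in the report, sketched as an added Python example (not code from the report or from Emacs): it walks the RFC 4880 packet headers of a binary OpenPGP message up to the encrypted data packet and lists every PKESK key ID and SKESK, so an editor could show them before re-encrypting. `save_warnings`, its `keyring_ids` parameter and the sample bytes are constructed for illustration.

```python
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18  # RFC 4880 packet tags

def is_armored(blob):
    """Resolution A: record this on open, reuse it on save."""
    return blob.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----")

def session_key_packets(blob):
    """Walk a binary message up to the ciphertext; return (PKESK key IDs, SKESK count)."""
    key_ids, skesks, pos = [], 0, 0
    while pos < len(blob):
        hdr = blob[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        new = bool(hdr & 0x40)
        tag = hdr & 0x3F if new else (hdr >> 2) & 0x0F
        if tag in (SED, SEIPD):
            break  # encrypted data starts here
        pos += 1
        if new and blob[pos] < 192:  # one-octet length
            length, pos = blob[pos], pos + 1
        elif new and blob[pos] < 224:  # two-octet length
            length, pos = ((blob[pos] - 192) << 8) + blob[pos + 1] + 192, pos + 2
        elif new and blob[pos] == 255:  # five-octet length
            length, pos = int.from_bytes(blob[pos + 1:pos + 5], "big"), pos + 5
        elif not new and (hdr & 3) < 3:  # old format: 1, 2 or 4 length octets
            n = 1 << (hdr & 3)
            length, pos = int.from_bytes(blob[pos:pos + n], "big"), pos + n
        else:
            raise ValueError("partial or indeterminate length in a key packet")
        body, pos = blob[pos:pos + length], pos + length
        if tag == PKESK and body[:1] == b"\x03":
            key_ids.append(body[1:9].hex().upper())  # version 3: key ID is octets 1-8
        elif tag == SKESK:
            skesks += 1
    return key_ids, skesks

def save_warnings(blob, keyring_ids):
    """Resolution C: list what a plain re-save would change (keyring_ids is hypothetical)."""
    key_ids, skesks = session_key_packets(blob)
    warn = []
    if len(key_ids) + skesks > 1:
        warn.append(f"{len(key_ids)} PKESK and {skesks} SKESK packets present")
    return warn + [f"no public key for recipient {k}" for k in key_ids if k not in keyring_ids]

def pkt(tag, body):  # constructed sample data: new-format header, short body
    return bytes([0xC0 | tag, len(body)]) + body
SAMPLE = (pkt(PKESK, b"\x03" + bytes.fromhex("1111111111111111") + b"\x01\x00\x08\xff")
          + pkt(PKESK, b"\x03" + bytes.fromhex("AAAABBBBCCCCDDDD") + b"\x01\x00\x08\xff")
          + pkt(SKESK, b"\x04\x09\x03\x08" + bytes(8) + b"\x60")
          + bytes([0xC0 | SEIPD, 0x01, 0x01]))
```

An armored file has to be dearmored before `session_key_packets` can read it. The signature in (B) sits inside the encryption, so it is only visible after decryption and is not covered here.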
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.