GNU bug report logs - #36154
read-passwd allows copying typed in password to kill-ring


Package: emacs;

Reported by: Ahmet BASTUG <bastugn <at> itu.edu.tr>

Date: Sun, 9 Jun 2019 20:56:01 UTC

Severity: minor

Tags: security, wontfix

Found in version 26.2

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#36154; Package emacs. (Sun, 09 Jun 2019 20:56:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ahmet BASTUG <bastugn <at> itu.edu.tr>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 09 Jun 2019 20:56:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ahmet BASTUG <bastugn <at> itu.edu.tr>
To: bug-gnu-emacs <at> gnu.org
Subject: 26.2; read-passwd function creates a security issue
Date: Sun, 9 Jun 2019 23:01:52 +0300
The read-passwd function, which is located in "subr.el", causes a kind of
security issue. When the function is used, the user is prompted with a prompt and
everything the user types is displayed as '.' characters. If any kind of
kill operation is performed in the prompt minibuffer, the real value is
saved into the kill-ring. Then you can yank it anywhere you want. I'm not
sure this is meant this way but I think not.

In GNU Emacs 26.2 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.8)
 of 2019-04-12 built on juergen
Windowing system distributor 'The X.Org Foundation', version 11.0.12004000
System Description:    Manjaro Linux

Recent messages:
Type C-c C-c to finish, or C-c C-k to cancel
When done with a buffer, type C-c C-c
Saving file /home/kosantosbik/projects/bot/.git/COMMIT_EDITMSG...
Wrote /home/kosantosbik/projects/bot/.git/COMMIT_EDITMSG
Git finished
Running git push -v origin master:refs/heads/master
Git finished
C-x C-g is undefined
""
Mark set

Configured using:
 'configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
--localstatedir=/var --with-x-toolkit=gtk3 --with-xft --with-modules
'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
-fno-plt' CPPFLAGS=-D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'

Configured features:
XPM JPEG TIFF GIF PNG RSVG IMAGEMAGICK SOUND GPM DBUS GSETTINGS GLIB
NOTIFY ACL GNUTLS LIBXML2 FREETYPE M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS LIBSYSTEMD LCMS2

Important settings:
  value of $LC_MONETARY: tr_TR.UTF-8
  value of $LC_NUMERIC: tr_TR.UTF-8
  value of $LC_TIME: tr_TR.UTF-8
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  global-magit-file-mode: t
  magit-auto-revert-mode: t
  global-git-commit-mode: t
  async-bytecomp-package-mode: t
  shell-dirtrack-mode: t
  global-atomic-chrome-edit-mode: t
  server-mode: t
  save-place-mode: t
  savehist-mode: t
  doom-modeline-mode: t
  global-auto-revert-mode: t
  ace-pinyin-global-mode: t
  ace-pinyin-mode: t
  global-aggressive-indent-mode: t
  aggressive-indent-mode: t
  global-anzu-mode: t
  anzu-mode: t
  drag-stuff-global-mode: t
  drag-stuff-mode: t
  global-hungry-delete-mode: t
  hungry-delete-mode: t
  global-undo-tree-mode: t
  undo-tree-mode: t
  fancy-narrow-mode: t
  counsel-projectile-mode: t
  counsel-mode: t
  diredfl-global-mode: t
  ivy-rich-mode: t
  ivy-mode: t
  delete-selection-mode: t
  company-box-mode: t
  global-company-mode: t
  company-mode: t
  yas-global-mode: t
  yas-minor-mode: t
  global-hl-line-mode: t
  show-paren-mode: t
  global-hl-todo-mode: t
  hl-todo-mode: t
  diff-hl-flydiff-mode: t
  global-diff-hl-mode: t
  diff-auto-refine-mode: t
  volatile-highlights-mode: t
  persp-mode-projectile-bridge-mode: t
  persp-mode: t
  winner-mode: t
  ace-window-display-mode: t
  shackle-mode: t
  which-key-mode: t
  flycheck-posframe-mode: t
  display-line-numbers-mode: t
  goto-address-prog-mode: t
  subword-mode: t
  origami-mode: t
  symbol-overlay-mode: t
  highlight-indent-guides-mode: t
  rainbow-mode: t
  rainbow-delimiters-mode: t
  whitespace-mode: t
  electric-pair-mode: t
  persistent-scratch-autosave-mode: t
  global-flycheck-mode: t
  flycheck-mode: t
  projectile-rails-global-mode: t
  projectile-mode: t
  dap-ui-mode: t
  dap-mode: t
  dumb-jump-mode: t
  editorconfig-mode: t
  recentf-mode: t
  override-global-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  prettify-symbols-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  size-indication-mode: t
  column-number-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort vc-mtn vc-hg vc-bzr vc-src vc-sccs vc-svn vc-cvs vc-rcs
mail-extr emacsbug sendmail pager rng-xsd xsd-regexp rng-cmpct
nxml-mode-expansions rng-nxml rng-valid rng-loc rng-uri rng-parse
nxml-parse rng-match rng-dt rng-util rng-pttrn nxml-ns nxml-mode
nxml-outln nxml-rap html-mode-expansions sgml-mode dom nxml-util
nxml-enc xmltok magit-extras forge-list forge-commands forge-semi
forge-bitbucket buck forge-gogs gogs forge-gitea gtea forge-gitlab glab
forge-github ghub-graphql treepy graphql ghub forge-notify forge-revnote
forge-pullreq forge-issue forge-topic bug-reference forge-post
forge-repo forge forge-core forge-db closql emacsql-sqlite emacsql
emacsql-compiler url-http url-auth url-gw url url-proxy url-privacy
url-expand url-methods url-history mailcap magit-bookmark
magit-submodule magit-obsolete magit-popup magit-blame magit-stash
magit-reflog magit-bisect magit-push magit-pull magit-fetch magit-clone
magit-remote magit-commit magit-sequence magit-notes magit-worktree
magit-tag magit-merge magit-branch magit-reset magit-files magit-refs
magit-status magit magit-repos magit-apply magit-wip magit-log
which-func magit-diff smerge-mode magit-core magit-autorevert
magit-margin magit-transient magit-process magit-mode transient
git-commit magit-git magit-section magit-utils crm log-edit message
rfc822 mml mml-sec epa derived epg gnus-util rmail rmail-loaddefs
mm-decode mm-bodies mm-encode mail-parse rfc2231 rfc2047 rfc2045 mm-util
ietf-drums mail-prsvr mailabbrev mail-utils gmm-utils mailheader
pcvs-util add-log with-editor async-bytecomp amx mwim pulse vc-git
dap-python yapfify view python-el-fgallina-expansions python tramp-sh
company-shell docker-tramp tramp-cache tramp tramp-compat tramp-loaddefs
trampver ucs-normalize bash-completion shell pcomplete parse-time
format-spec async face-remap disp-table atomic-chrome websocket
url-cookie url-domsuf let-alist server saveplace savehist doom-modeline
doom-modeline-segments doom-modeline-env doom-modeline-core shrink-path
autorevert ace-link ace-pinyin pinyinlib aggressive-indent anzu
drag-stuff smart-region easy-kill-mc easy-kill multiple-cursors
mc-hide-unmatched-lines-mode mc-separate-operations
rectangular-region-mode mc-mark-pop mc-mark-more mc-cycle-cursors
mc-edit-lines multiple-cursors-core rect expand-region
subword-mode-expansions text-mode-expansions ruby-mode-expansions
er-basic-expansions expand-region-core expand-region-custom
hungry-delete undo-tree fancy-narrow counsel-projectile counsel xdg
dired-x diredfl dired dired-loaddefs swiper ivy-rich ivy flx delsel
colir ivy-overlay ffap company-box company-box-doc company-box-icons
company-oddmuse company-keywords company-etags company-gtags
company-dabbrev-code company-dabbrev company-files company-capf
company-cmake company-xcode company-clang company-semantic company-eclim
company-template company-bbdb company yasnippet-snippets yasnippet time
linum all-the-icons all-the-icons-faces data-material data-weathericons
data-octicons data-fileicons data-faicons data-alltheicons memoize
hl-line paren hl-todo diff-hl-flydiff diff diff-hl vc-dir vc
vc-dispatcher diff-mode volatile-highlights persp-mode-projectile-bridge
persp-mode windmove winner ace-window avy shackle trace which-key
solaire-mode flycheck-posframe posframe display-line-numbers goto-addr
flyspell ispell cap-words superword subword origami origami-parsers
symbol-overlay highlight-indent-guides rainbow-mode xterm-color
rainbow-delimiters whitespace lsp-clients lsp-clojure lsp-go lsp-xml
lsp-css lsp-intelephense lsp-vetur lsp-html lsp-solargraph lsp-rust
lsp-pyls elec-pair persistent-scratch flycheck find-func
projectile-rails rake inflections inf-ruby ruby-mode smie cl projectile
grep ibuf-ext ibuffer ibuffer-loaddefs dap-ui gdb-mi bindat gud bui
bui-list bui-info bui-entry bui-core bui-history bui-button bui-utils
cus-edit cus-start cus-load tree-mode dap-mode dap-overlays lsp lsp-mode
ewoc markdown-mode color noutline outline url-util subr-x spinner
network-stream puny nsm rmc starttls tls gnutls json map inline imenu ht
filenotify em-glob esh-util dash-functional flymake-proc flymake compile
comint ansi-color warnings thingatpt dumb-jump popup f dash s etags xref
project editorconfig init-prog init-web init-elixir init-ruby
init-python init-go init-c init-emacs-lisp init-dap init-lsp
init-projectile init-flycheck init-vcs init-utils init-elfeed init-org
init-markdown init-shell init-eshell init-treemacs init-window
init-persp init-kill-ring init-ibuffer ibuf-macs init-highlight
init-dired init-dashboard diminish dashboard dashboard-widgets recentf
tree-widget wid-edit page-break-lines cal-china-x cal-china lunar solar
cal-dst holidays hol-loaddefs cal-menu calendar cal-loaddefs bookmark pp
init-calendar init-yasnippet init-company init-ivy init-edit hydra ring
lv init-ui doom-themes-treemacs doom-themes-org doom-one-theme
doom-themes doom-themes-common init-funcs init-basic
exec-path-from-shell init-package cl-extra help-mode use-package
use-package-ensure use-package-delight use-package-diminish
use-package-bind-key bind-key easy-mmode use-package-core finder-inf
edmacro kmacro rx info advice package easymenu epg-config url-handlers
url-parse auth-source cl-seq eieio eieio-core cl-macs eieio-loaddefs
password-cache url-vars seq byte-opt bytecomp byte-compile cconv
cl-loaddefs cl-lib pcase init-custom init-const gv time-date mule-util
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/x-win x-win term/common-win x-dnd tool-bar dnd fontset image
regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode
lisp-mode prog-mode register page menu-bar rfn-eshadow isearch timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
term/tty-colors frame cl-generic cham georgian utf-8-lang misc-lang
vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932
hebrew greek romanian slovak czech european ethiopic indian cyrillic
chinese composite charscript charprop case-table epa-hook jka-cmpr-hook
help simple abbrev obarray minibuffer cl-preloaded nadvice loaddefs
button faces cus-face macroexp files text-properties overlay sha1 md5
base64 format env code-pages mule custom widget hashtable-print-readable
backquote threads dbusbind inotify lcms2 dynamic-setting
system-font-setting font-render-setting move-toolbar gtk x-toolkit x
multi-tty make-network-process emacs)

Memory information:
((conses 16 997073 100529)
 (symbols 48 61911 1)
 (miscs 40 2523 1603)
 (strings 32 204635 32422)
 (string-bytes 1 5901869)
 (vectors 16 114421)
 (vector-slots 8 2156740 42766)
 (floats 8 2076 1129)
 (intervals 56 17136 3688)
 (buffers 992 47))





Added tag(s) security. Request was from npostavs <at> gmail.com to control <at> debbugs.gnu.org. (Mon, 10 Jun 2019 13:09:02 GMT) Full text and rfc822 format available.

Severity set to 'minor' from 'normal' Request was from npostavs <at> gmail.com to control <at> debbugs.gnu.org. (Mon, 10 Jun 2019 13:09:02 GMT) Full text and rfc822 format available.

Changed bug title to 'read-passwd allows copying typed in password to kill-ring' from '26.2; read-passwd function creates a security issue' Request was from npostavs <at> gmail.com to control <at> debbugs.gnu.org. (Mon, 10 Jun 2019 13:09:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#36154; Package emacs. (Wed, 09 Oct 2019 23:27:02 GMT) Full text and rfc822 format available.

Message #14 received at 36154 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Ahmet BASTUG <bastugn <at> itu.edu.tr>
Cc: 36154 <at> debbugs.gnu.org
Subject: Re: bug#36154: 26.2; read-passwd function creates a security issue
Date: Thu, 10 Oct 2019 01:25:59 +0200
Ahmet BASTUG <bastugn <at> itu.edu.tr> writes:

> The read-passwd function, which is located in "subr.el", causes a kind of
> security issue. When the function is used, the user is prompted with a prompt
> and everything the user types is displayed as '.' characters. If any kind
> of kill operation is performed in the prompt minibuffer, the real value is
> saved into the kill-ring. Then you can yank it anywhere you want. I'm not
> sure this is meant this way but I think not.

I think it makes sense to allow users to do this -- this is something
that should be up to them whether to do or not.  So I'm closing this bug
report.  If anybody disagrees with this, please feel free to reopen.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Added tag(s) wontfix. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 09 Oct 2019 23:27:02 GMT) Full text and rfc822 format available.

bug closed, send any further explanations to 36154 <at> debbugs.gnu.org and Ahmet BASTUG <bastugn <at> itu.edu.tr> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 09 Oct 2019 23:27:03 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#36154; Package emacs. (Thu, 10 Oct 2019 00:31:01 GMT) Full text and rfc822 format available.

Message #21 received at 36154 <at> debbugs.gnu.org (full text, mbox):

From: Phil Sainty <psainty <at> orcon.net.nz>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Ahmet BASTUG <bastugn <at> itu.edu.tr>, 36154 <at> debbugs.gnu.org
Subject: Re: bug#36154: 26.2; read-passwd function creates a security issue
Date: Thu, 10 Oct 2019 13:30:24 +1300
On 2019-10-10 12:25, Lars Ingebrigtsen wrote:
> I think it makes sense to allow users to do this -- this is something
> that should be up to them whether to do or not.  So I'm closing this
> bug report.  If anybody disagrees with this, please feel free to reopen.

A potential solution to this would be to make the low-level kill functions
respect a new `inhibit-kill-ring' variable, such that nothing would be
added to the kill ring if that was non-nil.

A user option for the password entry routine could then be added to
control whether or not the variable was set by `read-passwd' when setting
up the minibuffer.

This facility might also have more general applicability, and perhaps
even warrant a minor mode.  I can certainly envisage `inhibit-kill-ring'
being let-bound by users for specific cases, if they consider that
unwanted kill ring pollution was occurring.


-Phil





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#36154; Package emacs. (Thu, 10 Oct 2019 00:51:02 GMT) Full text and rfc822 format available.

Message #24 received at 36154 <at> debbugs.gnu.org (full text, mbox):

From: Noam Postavsky <npostavs <at> gmail.com>
To: Phil Sainty <psainty <at> orcon.net.nz>
Cc: Ahmet BASTUG <bastugn <at> itu.edu.tr>, 36154 <at> debbugs.gnu.org,
 Lars Ingebrigtsen <larsi <at> gnus.org>
Subject: Re: bug#36154: 26.2; read-passwd function creates a security issue
Date: Wed, 09 Oct 2019 20:49:56 -0400
Phil Sainty <psainty <at> orcon.net.nz> writes:

> On 2019-10-10 12:25, Lars Ingebrigtsen wrote:
>> I think it makes sense to allow users to do this -- this is something
>> that should be up to them whether to do or not.  So I'm closing this
>> bug report.  If anybody disagrees with this, please feel free to reopen.
>
> A potential solution to this would to make the low-level kill functions
> respect a new `inhibit-kill-ring' variable, such that nothing would be
> added to the kill ring if that was non-nil.

IMO, it would be better to rebind the kill commands to corresponding
delete commands in read-passwd-map.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#36154; Package emacs. (Thu, 10 Oct 2019 03:02:02 GMT) Full text and rfc822 format available.

Message #27 received at 36154 <at> debbugs.gnu.org (full text, mbox):

From: Phil Sainty <psainty <at> orcon.net.nz>
To: Noam Postavsky <npostavs <at> gmail.com>
Cc: Ahmet BASTUG <bastugn <at> itu.edu.tr>, 36154 <at> debbugs.gnu.org,
 Lars Ingebrigtsen <larsi <at> gnus.org>
Subject: Re: bug#36154: 26.2; read-passwd function creates a security issue
Date: Thu, 10 Oct 2019 16:01:47 +1300
On 2019-10-10 13:49, Noam Postavsky wrote:
> Phil Sainty <psainty <at> orcon.net.nz> writes:
>> A potential solution to this would be to make the low-level kill
>> functions respect a new `inhibit-kill-ring' variable, such that nothing
>> would be added to the kill ring if that was non-nil.
> 
> IMO, it would be better to rebind the kill commands to corresponding
> delete commands in read-passwd-map.

My main argument against that (at least as a complete solution) is that
it necessitates *knowing* what all the kill commands are, and what their
corresponding delete commands would be.

This would also mean maintaining that moving forwards for standard
commands; but that still wouldn't account for arbitrary third-party and
custom commands which call `kill-new'.

I think such remapping of standard commands would be entirely reasonable
as an *additional* step (particularly if it was wrapped into a minor
mode), but personally I think there is a greater benefit (with wider
application) in the `inhibit-kill-ring' notion.


-Phil
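Both mitigations discussed in the replies above (Noam's remapping of the kill commands in `read-passwd-map', and Phil's `inhibit-kill-ring' idea), written out as an added example in user-level Emacs Lisp. This is not code from Emacs or from any participant in this thread. `read-passwd-map', `kill-new' and `read-passwd' are real Emacs definitions (Emacs 24.4 or later for `advice-add'); every `pwd-' name is hypothetical, and Phil's variable is approximated here with around-advice on `kill-new' rather than the change to the low-level kill functions he proposes for Emacs itself.

```elisp
;;; Added example for bug#36154; not code from Emacs or from this thread.
;;; All `pwd-' names are hypothetical.  Requires Emacs 24.4+ for `advice-add'.

;;; Part 1: Noam's proposal.  `read-passwd-map' is the keymap that
;;; `read-passwd' installs in the minibuffer (subr.el), so remapping the
;;; standard kill commands there makes them delete instead of kill.

(defun pwd-delete-line ()
  "Delete from point to end of line, bypassing the kill ring.
Ignores any prefix argument: a password prompt holds a single line."
  (interactive)
  (delete-region (point) (line-end-position)))

(defun pwd-delete-word (arg)
  "Delete ARG words forward, bypassing the kill ring."
  (interactive "p")
  (delete-region (point) (progn (forward-word arg) (point))))

(defun pwd-backward-delete-word (arg)
  "Delete ARG words backward, bypassing the kill ring."
  (interactive "p")
  (pwd-delete-word (- arg)))

(defun pwd-refuse-copy (&rest _)
  "Stand-in for `kill-ring-save': refuse to copy the password text."
  (interactive)
  (message "Copying is disabled while reading a password"))

;; Remap only the kill commands this table knows about.  Anything not
;; listed (third-party kill commands, custom wrappers around `kill-new')
;; is left alone, which is the limitation Phil raises above.
(dolist (pair '((kill-line          . pwd-delete-line)
                (kill-word          . pwd-delete-word)
                (backward-kill-word . pwd-backward-delete-word)
                (kill-region        . delete-region)
                (kill-ring-save     . pwd-refuse-copy)
                (kill-whole-line    . delete-minibuffer-contents)))
  (define-key read-passwd-map (vector 'remap (car pair)) (cdr pair)))

;;; Part 2: Phil's proposal, approximated from user config instead of by
;;; changing Emacs.  Every standard kill command ends in `kill-new'
;;; (directly, or via `kill-append', which calls it), so an around-advice
;;; on `kill-new' honours the inhibit variable for commands the table
;;; above has never heard of.  Because `kill-new' is never reached, its
;;; call to `interprogram-cut-function' is skipped as well, so the text
;;; does not go to the system clipboard either.

(defvar pwd-inhibit-kill-ring nil
  "When non-nil, `kill-new' discards its text instead of saving it.")

(defun pwd-kill-new-guard (orig-fn &rest args)
  "Around-advice for `kill-new': drop the text when `pwd-inhibit-kill-ring' is set.
`kill-new' has no documented return value, so returning nil is safe."
  (if pwd-inhibit-kill-ring
      nil
    (apply orig-fn args)))

(advice-add 'kill-new :around #'pwd-kill-new-guard)

(defun pwd-read-passwd-inhibiting-kills (orig-fn &rest args)
  "Around-advice for `read-passwd': inhibit the kill ring for the whole
minibuffer session.  The `let' is a dynamic binding, so it is visible to
the commands the user runs inside the recursive minibuffer edit."
  (let ((pwd-inhibit-kill-ring t))
    (apply orig-fn args)))

(advice-add 'read-passwd :around #'pwd-read-passwd-inhibiting-kills)

;; Non-interactive check of the guard, with the kill ring and the
;; clipboard hook isolated: `kill-region' should empty the buffer while
;; `kill-ring' stays empty.  Returns (BUFFER-TEXT KILL-RING).
(defun pwd-check-guard ()
  (let ((kill-ring nil)
        (kill-ring-yank-pointer nil)
        (interprogram-cut-function nil)
        (pwd-inhibit-kill-ring t))
    (with-temp-buffer
      (insert "correct horse battery staple")  ; constructed sample secret
      (kill-region (point-min) (point-max))
      (list (buffer-string) kill-ring))))
```

Part 1 alone reproduces Noam's suggestion and inherits Phil's objection: the reporter's own feature list includes packages such as easy-kill and multiple-cursors that define their own kill commands, none of which the remap table covers. Part 2 catches anything that reaches `kill-new', but not code that pushes onto `kill-ring' directly or calls the clipboard functions itself; a change inside Emacs, as Phil proposes, would be the only complete fix. `M-: (pwd-check-guard)' exercises the guard without opening a minibuffer.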





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 07 Nov 2019 12:24:07 GMT) Full text and rfc822 format available.
