From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Jones Subject: org-crypt.el security problem (From: Milan Zamazal) Date: Fri, 04 Mar 2011 08:06:40 -0700 Message-ID: Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from [140.186.70.92] (port=33141 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1PvWak-0007n1-I9 for emacs-orgmode@gnu.org; Fri, 04 Mar 2011 10:06:55 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1PvWaj-0002Jo-GJ for emacs-orgmode@gnu.org; Fri, 04 Mar 2011 10:06:54 -0500 Received: from lo.gmane.org ([80.91.229.12]:57779) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1PvWaj-0002Jk-AE for emacs-orgmode@gnu.org; Fri, 04 Mar 2011 10:06:53 -0500 Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1PvWai-0002xY-LT for emacs-orgmode@gnu.org; Fri, 04 Mar 2011 16:06:52 +0100 Received: from c-67-172-151-101.hsd1.co.comcast.net ([67.172.151.101]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 04 Mar 2011 16:06:52 +0100 Received: from mlists by c-67-172-151-101.hsd1.co.comcast.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 04 Mar 2011 16:06:52 +0100 List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org To: emacs-orgmode@gnu.org Here is an email I received from Milan Zamazal: ,---- | I don't know whether you are aware of this, but I consider it a serious | security problem of org-crypt.el in (at least) Emacs 23.2: | | I've found out that when I edit a (decrypted) crypt entry and the edited | file is autosaved, the autosaved file contains the given crypt entry in | plain text. So unless the user has got a special arrangement of storing | autosave files to a secure location where they are also deleted | securely, the secret content may be accessed either in the autosave file | directly, or it may be later retrieved by an off-line attacker from the | deleted file content that remained stored somewhere on the disk. | | This should be fixed or at least a big warning should be placed in | org-crypt.el. `---- I don't have time to look into this. Would someone please see if there is a way to prevent it. Off the top of my head, the only thing I can think of is disabling autosave for any org buffer that uses org-crypt. Hopefully there's an autosave hook where you can encrypt the headings and save to disk using a temporary buffer without having to alter the current buffer and interrupt the user by encrypting a heading that is being edited. -- Peter Jones - pmade inc. 303-219-0226 http://pmade.com