bug-gnu-emacs

bug#36154: 26.2; read-passwd function creates a security issue


From: Ahmet BASTUG
Subject: bug#36154: 26.2; read-passwd function creates a security issue
Date: Sun, 9 Jun 2019 23:01:52 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0


The read-passwd function, which is located in "subr.el", causes kind of a security issue. When the function is used, the user is prompted with a prompt and everything the user types is displayed as '.' characters. If any kind of kill operation is performed on the prompt minibuffer, the real value is saved into the kill-ring. Then you can yank it anywhere you want. I'm not sure this is meant this way, but I think not.

In GNU Emacs 26.2 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.8)
 of 2019-04-12 built on juergen
Windowing system distributor 'The X.Org Foundation', version 11.0.12004000
System Description:    Manjaro Linux

Recent messages:
Type C-c C-c to finish, or C-c C-k to cancel
When done with a buffer, type C-c C-c
Saving file /home/kosantosbik/projects/bot/.git/COMMIT_EDITMSG...
Wrote /home/kosantosbik/projects/bot/.git/COMMIT_EDITMSG
Git finished
Running git push -v origin master:refs/heads/master
Git finished
C-x C-g is undefined
""
Mark set

Configured using:
 'configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
--localstatedir=/var --with-x-toolkit=gtk3 --with-xft --with-modules
'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
-fno-plt' CPPFLAGS=-D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'

Configured features:
XPM JPEG TIFF GIF PNG RSVG IMAGEMAGICK SOUND GPM DBUS GSETTINGS GLIB
NOTIFY ACL GNUTLS LIBXML2 FREETYPE M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS LIBSYSTEMD LCMS2

Important settings:
  value of $LC_MONETARY: tr_TR.UTF-8
  value of $LC_NUMERIC: tr_TR.UTF-8
  value of $LC_TIME: tr_TR.UTF-8
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  global-magit-file-mode: t
  magit-auto-revert-mode: t
  global-git-commit-mode: t
  async-bytecomp-package-mode: t
  shell-dirtrack-mode: t
  global-atomic-chrome-edit-mode: t
  server-mode: t
  save-place-mode: t
  savehist-mode: t
  doom-modeline-mode: t
  global-auto-revert-mode: t
  ace-pinyin-global-mode: t
  ace-pinyin-mode: t
  global-aggressive-indent-mode: t
  aggressive-indent-mode: t
  global-anzu-mode: t
  anzu-mode: t
  drag-stuff-global-mode: t
  drag-stuff-mode: t
  global-hungry-delete-mode: t
  hungry-delete-mode: t
  global-undo-tree-mode: t
  undo-tree-mode: t
  fancy-narrow-mode: t
  counsel-projectile-mode: t
  counsel-mode: t
  diredfl-global-mode: t
  ivy-rich-mode: t
  ivy-mode: t
  delete-selection-mode: t
  company-box-mode: t
  global-company-mode: t
  company-mode: t
  yas-global-mode: t
  yas-minor-mode: t
  global-hl-line-mode: t
  show-paren-mode: t
  global-hl-todo-mode: t
  hl-todo-mode: t
  diff-hl-flydiff-mode: t
  global-diff-hl-mode: t
  diff-auto-refine-mode: t
  volatile-highlights-mode: t
  persp-mode-projectile-bridge-mode: t
  persp-mode: t
  winner-mode: t
  ace-window-display-mode: t
  shackle-mode: t
  which-key-mode: t
  flycheck-posframe-mode: t
  display-line-numbers-mode: t
  goto-address-prog-mode: t
  subword-mode: t
  origami-mode: t
  symbol-overlay-mode: t
  highlight-indent-guides-mode: t
  rainbow-mode: t
  rainbow-delimiters-mode: t
  whitespace-mode: t
  electric-pair-mode: t
  persistent-scratch-autosave-mode: t
  global-flycheck-mode: t
  flycheck-mode: t
  projectile-rails-global-mode: t
  projectile-mode: t
  dap-ui-mode: t
  dap-mode: t
  dumb-jump-mode: t
  editorconfig-mode: t
  recentf-mode: t
  override-global-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  prettify-symbols-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  size-indication-mode: t
  column-number-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort vc-mtn vc-hg vc-bzr vc-src vc-sccs vc-svn vc-cvs vc-rcs
mail-extr emacsbug sendmail pager rng-xsd xsd-regexp rng-cmpct
nxml-mode-expansions rng-nxml rng-valid rng-loc rng-uri rng-parse
nxml-parse rng-match rng-dt rng-util rng-pttrn nxml-ns nxml-mode
nxml-outln nxml-rap html-mode-expansions sgml-mode dom nxml-util
nxml-enc xmltok magit-extras forge-list forge-commands forge-semi
forge-bitbucket buck forge-gogs gogs forge-gitea gtea forge-gitlab glab
forge-github ghub-graphql treepy graphql ghub forge-notify forge-revnote
forge-pullreq forge-issue forge-topic bug-reference forge-post
forge-repo forge forge-core forge-db closql emacsql-sqlite emacsql
emacsql-compiler url-http url-auth url-gw url url-proxy url-privacy
url-expand url-methods url-history mailcap magit-bookmark
magit-submodule magit-obsolete magit-popup magit-blame magit-stash
magit-reflog magit-bisect magit-push magit-pull magit-fetch magit-clone
magit-remote magit-commit magit-sequence magit-notes magit-worktree
magit-tag magit-merge magit-branch magit-reset magit-files magit-refs
magit-status magit magit-repos magit-apply magit-wip magit-log
which-func magit-diff smerge-mode magit-core magit-autorevert
magit-margin magit-transient magit-process magit-mode transient
git-commit magit-git magit-section magit-utils crm log-edit message
rfc822 mml mml-sec epa derived epg gnus-util rmail rmail-loaddefs
mm-decode mm-bodies mm-encode mail-parse rfc2231 rfc2047 rfc2045 mm-util
ietf-drums mail-prsvr mailabbrev mail-utils gmm-utils mailheader
pcvs-util add-log with-editor async-bytecomp amx mwim pulse vc-git
dap-python yapfify view python-el-fgallina-expansions python tramp-sh
company-shell docker-tramp tramp-cache tramp tramp-compat tramp-loaddefs
trampver ucs-normalize bash-completion shell pcomplete parse-time
format-spec async face-remap disp-table atomic-chrome websocket
url-cookie url-domsuf let-alist server saveplace savehist doom-modeline
doom-modeline-segments doom-modeline-env doom-modeline-core shrink-path
autorevert ace-link ace-pinyin pinyinlib aggressive-indent anzu
drag-stuff smart-region easy-kill-mc easy-kill multiple-cursors
mc-hide-unmatched-lines-mode mc-separate-operations
rectangular-region-mode mc-mark-pop mc-mark-more mc-cycle-cursors
mc-edit-lines multiple-cursors-core rect expand-region
subword-mode-expansions text-mode-expansions ruby-mode-expansions
er-basic-expansions expand-region-core expand-region-custom
hungry-delete undo-tree fancy-narrow counsel-projectile counsel xdg
dired-x diredfl dired dired-loaddefs swiper ivy-rich ivy flx delsel
colir ivy-overlay ffap company-box company-box-doc company-box-icons
company-oddmuse company-keywords company-etags company-gtags
company-dabbrev-code company-dabbrev company-files company-capf
company-cmake company-xcode company-clang company-semantic company-eclim
company-template company-bbdb company yasnippet-snippets yasnippet time
linum all-the-icons all-the-icons-faces data-material data-weathericons
data-octicons data-fileicons data-faicons data-alltheicons memoize
hl-line paren hl-todo diff-hl-flydiff diff diff-hl vc-dir vc
vc-dispatcher diff-mode volatile-highlights persp-mode-projectile-bridge
persp-mode windmove winner ace-window avy shackle trace which-key
solaire-mode flycheck-posframe posframe display-line-numbers goto-addr
flyspell ispell cap-words superword subword origami origami-parsers
symbol-overlay highlight-indent-guides rainbow-mode xterm-color
rainbow-delimiters whitespace lsp-clients lsp-clojure lsp-go lsp-xml
lsp-css lsp-intelephense lsp-vetur lsp-html lsp-solargraph lsp-rust
lsp-pyls elec-pair persistent-scratch flycheck find-func
projectile-rails rake inflections inf-ruby ruby-mode smie cl projectile
grep ibuf-ext ibuffer ibuffer-loaddefs dap-ui gdb-mi bindat gud bui
bui-list bui-info bui-entry bui-core bui-history bui-button bui-utils
cus-edit cus-start cus-load tree-mode dap-mode dap-overlays lsp lsp-mode
ewoc markdown-mode color noutline outline url-util subr-x spinner
network-stream puny nsm rmc starttls tls gnutls json map inline imenu ht
filenotify em-glob esh-util dash-functional flymake-proc flymake compile
comint ansi-color warnings thingatpt dumb-jump popup f dash s etags xref
project editorconfig init-prog init-web init-elixir init-ruby
init-python init-go init-c init-emacs-lisp init-dap init-lsp
init-projectile init-flycheck init-vcs init-utils init-elfeed init-org
init-markdown init-shell init-eshell init-treemacs init-window
init-persp init-kill-ring init-ibuffer ibuf-macs init-highlight
init-dired init-dashboard diminish dashboard dashboard-widgets recentf
tree-widget wid-edit page-break-lines cal-china-x cal-china lunar solar
cal-dst holidays hol-loaddefs cal-menu calendar cal-loaddefs bookmark pp
init-calendar init-yasnippet init-company init-ivy init-edit hydra ring
lv init-ui doom-themes-treemacs doom-themes-org doom-one-theme
doom-themes doom-themes-common init-funcs init-basic
exec-path-from-shell init-package cl-extra help-mode use-package
use-package-ensure use-package-delight use-package-diminish
use-package-bind-key bind-key easy-mmode use-package-core finder-inf
edmacro kmacro rx info advice package easymenu epg-config url-handlers
url-parse auth-source cl-seq eieio eieio-core cl-macs eieio-loaddefs
password-cache url-vars seq byte-opt bytecomp byte-compile cconv
cl-loaddefs cl-lib pcase init-custom init-const gv time-date mule-util
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/x-win x-win term/common-win x-dnd tool-bar dnd fontset image
regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode
lisp-mode prog-mode register page menu-bar rfn-eshadow isearch timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
term/tty-colors frame cl-generic cham georgian utf-8-lang misc-lang
vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932
hebrew greek romanian slovak czech european ethiopic indian cyrillic
chinese composite charscript charprop case-table epa-hook jka-cmpr-hook
help simple abbrev obarray minibuffer cl-preloaded nadvice loaddefs
button faces cus-face macroexp files text-properties overlay sha1 md5
base64 format env code-pages mule custom widget hashtable-print-readable
backquote threads dbusbind inotify lcms2 dynamic-setting
system-font-setting font-render-setting move-toolbar gtk x-toolkit x
multi-tty make-network-process emacs)

Memory information:
((conses 16 997073 100529)
 (symbols 48 61911 1)
 (miscs 40 2523 1603)
 (strings 32 204635 32422)
 (string-bytes 1 5901869)
 (vectors 16 114421)
 (vector-slots 8 2156740 42766)
 (floats 8 2076 1129)
 (intervals 56 17136 3688)
 (buffers 992 47))
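
An added example, not code from the report above and not from Emacs's subr.el: a wrapper around read-passwd that neutralises the kill/copy commands while the password minibuffer is active, plus a check and a scrub for a kill-ring that already holds a secret. It relies on two things that are real in Emacs 26: read-passwd installs the special variable `read-passwd-map` as the minibuffer's local map (so a dynamic let-binding of it takes effect), and `kill-new` hands every kill to `interprogram-cut-function`, which is why a leak here also reaches the system clipboard, not only Emacs's own kill-ring. The `example-` names, the command list and the usage comment are assumptions made for this illustration.

```elisp
;;; Added example: hardening read-passwd against kill-ring leaks.
;;; Not code from the bug report or from Emacs itself.  The `example-'
;;; names are hypothetical.  Assumes Emacs 24.3 or later, where
;;; `read-passwd' does (use-local-map read-passwd-map) in its setup hook.

(require 'seq)

(defvar example-passwd-kill-commands
  '(kill-region kill-line kill-whole-line kill-word backward-kill-word
    kill-sexp backward-kill-sexp kill-ring-save copy-region-as-kill
    clipboard-kill-region clipboard-kill-ring-save)
  "Commands that would copy minibuffer text into `kill-ring' or the clipboard.
Assumed list; extend it for any third-party kill commands you have bound.")

(defun example-passwd-kill-deny ()
  "Refuse to kill or copy text while a password is being read.
Installed through `remap', so every key that runs one of the original
commands is covered, not just the default bindings."
  (interactive)
  (ding)
  (message "Killing/copying is disabled while reading a password"))

(defun example-safe-read-passwd (prompt &optional confirm default)
  "Like `read-passwd', but kill and copy commands are neutralised.
A child of `read-passwd-map' remaps the commands in
`example-passwd-kill-commands', and `interprogram-cut-function' is bound
to nil so that anything that still reaches `kill-new' cannot be pushed to
the system clipboard.  CONFIRM and DEFAULT are passed through unchanged;
the recursive call `read-passwd' makes for CONFIRM sees the same bindings."
  (let ((map (make-sparse-keymap)))
    (set-keymap-parent map read-passwd-map)   ; keep C-g / C-u behaviour
    (dolist (cmd example-passwd-kill-commands)
      (define-key map (vector 'remap cmd) #'example-passwd-kill-deny))
    ;; Both variables are special (dynamically scoped), so these bindings are
    ;; visible inside the minibuffer setup hook that `read-passwd' installs.
    (let ((read-passwd-map map)
          (interprogram-cut-function nil))
      (read-passwd prompt confirm default))))

(defun example-passwd-leaked-p (secret)
  "Return non-nil if SECRET is currently stored in `kill-ring'.
Usable as a regression check right after any password-reading code path."
  (and (stringp secret)
       (seq-some (lambda (entry)
                   (string= secret (substring-no-properties entry)))
                 kill-ring)))

(defun example-scrub-kill-ring (secret)
  "Remove every copy of SECRET from `kill-ring' and reset the yank pointer.
Return the number of entries removed.  This cannot reach a system clipboard
that already received the text; prevention (see `example-safe-read-passwd')
is the only option there."
  (let* ((before (length kill-ring))
         (cleaned (seq-remove (lambda (entry)
                                (string= secret (substring-no-properties entry)))
                              kill-ring)))
    (setq kill-ring cleaned
          kill-ring-yank-pointer kill-ring)
    (- before (length cleaned))))

;; Usage (interactive, so not run at load time):
;;   (let ((pw (example-safe-read-passwd "Password: ")))
;;     (when (example-passwd-leaked-p pw)
;;       (example-scrub-kill-ring pw))
;;     (prog1 (use-the-password pw)      ; hypothetical consumer
;;       (clear-string pw)))             ; wipe the string once done
```

Two caveats. The remap only blocks commands that are actually run as commands; a Lisp caller that reaches into the minibuffer and calls `kill-region` directly is not stopped, which is why `interprogram-cut-function` is also bound to nil. And scrubbing the kill-ring afterwards is a fallback for code paths you do not control; once text has gone to the X selection or clipboard through `interprogram-cut-function`, nothing inside Emacs can recall it.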