GNU bug report logs - #37196
27.0.50; auth-source no longer obfuscates passwords

Previous Next

Package: emacs;

Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>

Date: Tue, 27 Aug 2019 10:30:02 UTC

Severity: normal

Tags: fixed, security

Found in version 27.0.50

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 27.0.50; auth-source no longer obfuscates passwords
Date: Tue, 27 Aug 2019 12:29:43 +0200

Emacs got a better pretty printer for compiled code sometime over the
last few years, and that means that the obfuscator that auth-source uses
no longer works.  (It puts the password into a closure.)

With the following in ~/.authinfo

machine foo.bar login zot password foobar

we get

(auth-source-search :max 1 :host "foo.bar")
=> ((:host "foo.bar" :user "zot" :secret #[0 "<binary>" [("foobar") (nil)] 3]))

with the "foobar" clearly printed out.  This should be fixed by
obfuscating the password in a different way.

Similarly, the printed representation of auth-source-netrc-cache also
has the password in clear text now.



In GNU Emacs 27.0.50 (build 27, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
 of 2019-08-23 built on marnie
Repository revision: b4065de33cf397b80e15c22740d34b4a03cfdc17
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
System Description: Debian GNU/Linux 9 (stretch)


-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
This bug report was last modified 5 years and 244 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.