GNU bug report logs - #8427
[SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Reported by: Jari Aalto <jari.aalto <at> cante.net>
Date: Tue, 5 Apr 2011 11:28:01 UTC
Severity: normal
Tags: security
Found in version 23.2+1-7
Fixed in version 29.1
Done: Stefan Kangas <stefan <at> marxist.se>
Bug is archived. No further changes may be made.
---------- Forwarded message ---------
From: Andrew Hyatt <ahyatt <at> gmail.com>
Date: Sat, 19 Oct 2019 at 04:07
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: Stefan Kangas <stefan <at> marxist.se>
I'm attaching the fix. The fix for MySQL was fairly straightforward. I
tried it out, and it works. I looked through sql.el for similar issues,
and was able to fix Vertica as well, although I've never heard of
Vertica before and couldn't test it out. Parameters were set according
to the docs at
https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/CommandLineOptions.htm,
which does match the existing code.
If this looks good to you, I will submit it (I have commit access).
Stefan Kangas <stefan <at> marxist.se> writes:
> Andrew Hyatt <ahyatt <at> gmail.com> writes:
>
>>> Could you perhaps send your patch here for review?
>>
>> I no longer know where my changes are. It's been a while. But I think I can probably recreate them, which I'll try to do this week.
> [...]
>> The idea is that instead of connecting with the --password arg, it can be left out entirely, in which case the program should ask for it (which is secure).
>
> Sounds good, thanks.
>
> Best regards,
> Stefan Kangas
[0001-Enable-password-less-connections-for-sql-where-possi.patch (application/x-patch, attachment)]
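An added example, not part of the thread or of the attached patch: a Python audit check for the exposure this report describes, flagging mysql and vsql command lines whose arguments carry a clear-text password readable through ps(1) or /proc. The option rules, the function names and the sample argv list are assumptions constructed for illustration.

```python
import os

# Assumed option syntax (from the clients' documented command lines):
#   mysql: -p<pw> or --password=<pw>; a bare -p / --password prompts instead.
#   vsql:  -w <pw>, with the password as the following argument.
ATTACHED = {"mysql": ("-p", "--password=")}
SEPARATE = {"vsql": ("-w",)}


def leaked_password_args(argv):
    """Return the indexes of argv elements that hold a clear-text password."""
    if not argv:
        return []
    client = os.path.basename(argv[0])
    hits = []
    for i, arg in enumerate(argv[1:], start=1):
        for prefix in ATTACHED.get(client, ()):
            # "-p" alone means "prompt"; "-P3306" is the port, not a password.
            if arg.startswith(prefix) and len(arg) > len(prefix):
                hits.append(i)
        if arg in SEPARATE.get(client, ()) and i + 1 < len(argv):
            hits.append(i + 1)
    return hits


def redact(argv):
    """Copy of argv that is safe to log: password values are masked."""
    hits = set(leaked_password_args(argv))
    return ["<redacted>" if i in hits else a for i, a in enumerate(argv)]


def scan_proc(proc="/proc"):
    """Yield (pid, redacted argv) for live processes exposing a password (Linux)."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                argv = f.read().decode(errors="replace").split("\0")[:-1]
        except OSError:
            continue  # process exited, or /proc is mounted with hidepid
        if leaked_password_args(argv):
            yield int(pid), redact(argv)


if __name__ == "__main__":
    # Constructed sample, then the live process table.
    print(redact(["mysql", "-u", "app", "-pS3cret", "shop"]))
    for pid, argv in scan_proc():
        print(pid, " ".join(argv))
```

A command line that omits the password argument, so that the client prompts for it, produces no hits.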
This bug report was last modified 3 years and 201 days ago.