GNU bug report logs - #8427
[SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

Package: emacs

Reported by: Jari Aalto <jari.aalto <at> cante.net>

Date: Tue, 5 Apr 2011 11:28:01 UTC

Severity: normal

Tags: security

Found in version 23.2+1-7

Fixed in version 29.1

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.


Message #62 received at 8427 <at> debbugs.gnu.org (full text, mbox):

From: Andrew Hyatt <ahyatt <at> gmail.com>
To: Michael Mauger <mmauger <at> protonmail.com>
Cc: 8427 <at> debbugs.gnu.org, Stefan Kangas <stefan <at> marxist.se>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are
 leaked to ps(1) listing
Date: Wed, 18 Dec 2019 01:15:15 -0500
Hi Michael,

I'm happy to merge this in.  I have FSF paperwork done and already have
commit access.

However, I agree with you about pushing logic into comint.  As I mentioned
before, it would help simplify the logic here.  It might be best to not
check this in and see what an alternate solution might be first, based on
comint.  I can work on that soon and get a patch out in the next week or so.

On Mon, Dec 16, 2019 at 10:12 AM Michael Mauger <mmauger <at> protonmail.com>
wrote:

>
> -------- Original Message --------
> On Dec 15, 2019, 11:59 PM, Andrew Hyatt < ahyatt <at> gmail.com> wrote:
> > Any input on this?  I believe this fixes the issue, and would prefer to
> > revise this while I still remember the details.  I'm happy to submit this
> > as well.
>
> >> On Mon, Nov 11, 2019 at 12:31 AM Andrew Hyatt <ahyatt <at> gmail.com> wrote:
>
> >> I've simplified an implementation along the lines you suggest, and
> >> tested it via ert. I'm attaching the latest version of the patch.
> >> Please let me know what you think.
>
> I apologise for not getting back to you sooner-- a new job and the
> holidays have consumed much of my time. My initial look at your latest
> patch raised some concerns but I haven't done any deeper look yet. I'll try
> to take a look in the next week or so. If you don't hear back from me after
> the new year, then let's merge it and we'll address the issues from there.
> (I know I mentioned this before but I don't remember the status-- do you
> have your copyright paperwork all set for Emacs contributions?)
>
> I think my thought was that it may make sense to push some of this back
> onto comint rather than a convoluted sql-only solution, but that may
> require some more negotiation. As I looked at it, using a comint hook might
> serve auth services as well.
>
> Sorry about the silence, you have not been forgotten just buried in
> end-of-year turmoil :)
>
> --
> MICHAEL <at> MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer

This bug report was last modified 3 years and 201 days ago.
