Issues with gnupg.vim - plaintext leakage, file trashing

AndrewDaviel

Feb 21, 2011, 4:56:52 PM
to vim_dev
I have gnupg.vim 3026 from
http://www.vim.org/scripts/script.php?script_id=661

This is a plugin to edit a file encrypted with GnuPG.

A few issues:
- when encrypting files, unwiped plaintext is left on the temporary
directory disk. This can be mitigated by setting TMPDIR to point to a
ramdisk

- if using a symmetric key, if the user makes a mistake and mismatches
the password, the file is trashed (set to zero length). There is an
error message "Message could not be encrypted! File might be empty!
(Press ENTER)"

- if using a public key/private key, if the user's key has expired,
the file can be decrypted and read but on writing the file is trashed
(set to zero length). Specifically, if the private subkey used for
encryption has expired then the file will be trashed.

James Vega

Feb 22, 2011, 1:43:59 AM
to vim_dev, Markus Braun
Adding the author to Cc.

I've attached an updated version of the plugin that I sent to Markus a
while back which I think addresses these problems. I've described below
specifically how the changes should have the desired effect. Would you
mind testing it?

On Mon, Feb 21, 2011 at 01:56:52PM -0800, AndrewDaviel wrote:
> I have gnupg.vim 3026 from
> http://www.vim.org/scripts/script.php?script_id=661
>
> This is a plugin to edit a file encrypted with GnuPG.
>
> A few issues:
> - when encrypting files, unwiped plaintext is left on the temporary
> directory disk. This can be mitigated by setting TMPDIR to point to a
> ramdisk

The plugin is now using Buf{Write,Read}Cmd. This means that it is
directly writing to/reading from gnupg's stdin/stdout and avoiding a
temporary file altogether.

> - if using a symmetric key, if the user makes a mistake and mismatches
> the password, the file is trashed (set to zero length). There is an
> error message "Message could not be encrypted! File might be empty!
> (Press ENTER)"

Due to using BufWriteCmd, the plugin can now properly detect command
errors (like invalid passwords) and abort the write instead of the
current workaround of deleting the contents of the buffer before the
save and restoring it afterward.

This change also means that when there's a failure, the buffer is still
flagged as modified. No more unnoticed failures and then exiting when
the file wasn't truly saved.

> - if using a public key/private key, if the user's key has expired,
> the file can be decrypted and read but on writing the file is trashed
> (set to zero length). Specifically, if the private subkey used for
> encryption has expired then the file will be trashed.

This is similar to the above scenario. Gnupg will return an error code,
which the plugin will now notice and prevent the original file from
being overwritten.

--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jame...@jamessan.com>

gnupg.vim
signature.asc

AndrewDaviel

Feb 22, 2011, 4:29:59 PM
to vim_dev

On Feb 21, 10:43 pm, James Vega <james...@jamessan.com> wrote:

> I've attached an updated version of the plugin that I sent to Markus a
> while back which I think addresses these problems.  I've described below
> specifically how the changes should have the desired effect. Would you
> mind testing it?

Thanks.

On a recent build of vim 7.3, it appears to work, also on vim 7.2.

When writing out a modified encrypted file, the plaintext is still
saved in "4" in the temporary directory, although the ciphertext is
not saved to "2" while reading as with the original plugin.

Our production machines are running SL 5 (~= CENTOS 5) with Vim 7.0.
Editing an encrypted file gives (on stdout, until it's cleared):
Error detected while processing function <SNR>7_GPGDecrypt:
line 92:
E118: Too many arguments for function: shellescape
E15: Invalid expression: "r !" . s:GPGCommand . ' --quiet --decrypt
' . shellescape(filename, 1) . ' ' . s:stderrredirnull
line 96:
E492: Not an editor command: LANG=C LC_ALL=C gpg --trust-model always
--no-use-agent --verbose --decrypt --list-only --dry-run --batch --no-
use-agent --logger-fd 1 '/local/home/advax/CCN/trysym.asc'

Andrew

James Vega

Feb 22, 2011, 11:49:27 PM
to vim_dev
On Tue, Feb 22, 2011 at 01:29:59PM -0800, AndrewDaviel wrote:
>
> On Feb 21, 10:43 pm, James Vega <james...@jamessan.com> wrote:
>
> > I've attached an updated version of the plugin that I sent to Markus a
> > while back which I think addresses these problems.  I've described below
> > specifically how the changes should have the desired effect. Would you
> > mind testing it?
>
> Thanks.
>
> On a recent build of vim 7.3, it appears to work, also on vim 7.2.
>
> When writing out a modified encrypted file, the plaintext is still
> saved in "4" in the temporary directory, although the ciphertext is
> not saved to "2" while reading as with the original plugin.

This is related to the 'shelltemp' option. You can, if your system
supports it, use pipes instead of temp files. I guess the plugin could
do the check and automatically use pipes if supported.

> Our production machines are running SL 5 (~= CENTOS 5) with Vim 7.0.
> Editing an encrypted file gives (on stdout, until it's cleared):
> Error detected while processing function <SNR>7_GPGDecrypt:
> line 92:
> E118: Too many arguments for function: shellescape
> E15: Invalid expression: "r !" . s:GPGCommand . ' --quiet --decrypt
> ' . shellescape(filename, 1) . ' ' . s:stderrredirnull
> line 96:
> E492: Not an editor command: LANG=C LC_ALL=C gpg --trust-model always
> --no-use-agent --verbose --decrypt --list-only --dry-run --batch --no-
> use-agent --logger-fd 1 '/local/home/advax/CCN/trysym.asc'

Yeah, it requires functionality that was introduced after 7.0. I'll
adjust the checks for the necessary functionality to be more thorough so
you get the error message when loading the plugin.

--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jame...@debian.org>

signature.asc

AndrewDaviel

Feb 23, 2011, 7:53:40 PM
to vim_dev


On Feb 22, 8:49 pm, James Vega <james...@jamessan.com> wrote:

> > When writing out a modified encrypted file, the plaintext is still
> > saved in "4" in the temporary directory, although the ciphertext is
> > not saved to "2" while reading as with the original plugin.
>
> This is related to the 'shelltemp' option.  You can, if your system
> supports it, use pipes instead of temp files.  I guess the plugin could
> do the check and automatically use pipes if supported.

That seems to work, if I put "set noshelltemp" in gnupg.vim

runtime/doc/options.txt says shelltemp defaults to off in Vi but on in
Vim, and other docs say that
temp files will be used anyway unless (has("filterpipe"))


Andrew

James Vega

Mar 7, 2011, 8:09:01 AM
to vim_dev

Attached version sets 'noshelltemp' and correctly checks for Vim 7.2 or
newer.

--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jame...@jamessan.com>

gnupg.vim
signature.asc
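
The write path discussed in this thread (BufWriteCmd, checking gpg's exit status before touching the file, 'noshelltemp', the Vim 7.2 check), as an added Vim script example that is not part of the thread and not the attached plugin's code. It assumes gpg is on PATH, public-key encryption, and a hypothetical g:demo_recipient variable; writing ciphertext to a sibling ".new" file and renaming it is this example's own choice.

```vim
" Added example, not the attached plugin's code.
" Assumption: g:demo_recipient is a hypothetical variable holding a key ID.
if v:version < 702
  " Two-argument shellescape() is missing on Vim 7.0 (the E118 in the thread).
  echohl ErrorMsg | echomsg 'demo: Vim 7.2 or newer is required' | echohl None
  finish
endif

" Feed ':write !cmd' through a pipe so no plaintext temp file is created.
if has('filterpipe')
  set noshelltemp
else
  echohl WarningMsg
  echomsg 'demo: no filterpipe, plaintext will pass through a temp file'
  echohl None
endif

function! s:EncryptWrite(target)
  " gpg writes ciphertext to a sibling file; the original stays intact.
  let l:new = a:target . '.new'
  let l:cmd = 'gpg --batch --yes --encrypt'
        \ . ' --recipient ' . shellescape(g:demo_recipient, 1)
        \ . ' --output ' . shellescape(l:new, 1)
  " Buffer lines go to gpg's stdin.
  silent execute '1,$write !' . l:cmd
  if v:shell_error
    " Expired key, unusable recipient, etc.: abort, keep 'modified' set.
    call delete(l:new)
    echohl ErrorMsg
    echomsg 'demo: gpg exited with ' . v:shell_error . ', file not replaced'
    echohl None
    return
  endif
  if rename(l:new, a:target) != 0
    echohl ErrorMsg | echomsg 'demo: rename failed, file not replaced' | echohl None
    return
  endif
  " Only a verified write clears the modified flag.
  setlocal nomodified
endfunction

augroup DemoGpgWrite
  autocmd!
  autocmd BufWriteCmd *.gpg call s:EncryptWrite(expand('<afile>:p'))
augroup END
```

On a failed encryption the buffer stays flagged as modified, so quitting without a successful save still prompts.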