From ${URL} :

Hi,

I would like to request two CVE identifiers for the two security issues described below affecting TrueCrypt 7.1a (latest version) and its fork VeraCrypt 1.14 (latest version) running on all versions of Windows. These issues were reported by James Forshaw (Google).

Issue 1: Local Elevation of Privilege on Windows by abusing drive letter handling.
Issue 2: Local Elevation of Privilege on Windows caused by incorrect Impersonation Token Handling.

Issue 1 is critical. A fix has already been developed. Version 1.15 of VeraCrypt will be released soon to address those issues.

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Since it is abandoned upstream, I'd suggest to mask the package.
(In reply to Agostino Sarubbo from comment #1)
> Since it is abandoned upstream, I'd suggest to mask the package.

I agree, we need to remove it from tree. Do you want me to mask it?
Only the Windows versions are affected. So it does not concern us Gentoo users ;-) No need to remove it now. Btw, it would be nice if some dev could maintain VeraCrypt and bring it into the main tree. Working ebuilds are attached here: https://bugs.gentoo.org/show_bug.cgi?id=522186 Thus, the user could migrate.
(In reply to Frank Krömmelbein from comment #3)
> Only the Windows Versions are affected.
> So does not concern us Gentoo users ;-)
> No need to remove it now.
>
> Btw.
> It would be nice if some Dev could maintain Veracrypt and bring it into the
> main tree. Working Ebuilds are attached here:
> https://bugs.gentoo.org/show_bug.cgi?id=522186
> Thus, the user could migrate.

Too many patches; even truecrypt was never actually maintained either, each version of the kernel breaks it, very difficult to maintain. Nobody of crypto actually uses it, and there are much better secure and simple alternatives for Linux.
(In reply to Alon Bar-Lev from comment #4)
> (In reply to Frank Krömmelbein from comment #3)
> > Only the Windows Versions are affected.
> > So does not concern us Gentoo users ;-)
> > No need to remove it now.
> >
> > Btw.
> > It would be nice if some Dev could maintain Veracrypt and bring it into the
> > main tree. Working Ebuilds are attached here:
> > https://bugs.gentoo.org/show_bug.cgi?id=522186
> > Thus, the user could migrate.
>
> too much patches, even truecrypt never actually maintained either, each
> version of kernel breaks it, very difficult to maintain. nobody of crypto
> actually use it, and there are much better secure and simple alternatives
> for linux.

I'm in favor of masking it for removal, myself. Non-maintained crypto / security related software doesn't belong anywhere except maybe a museum/attic overlay.
(In reply to Kristian Fiskerstrand from comment #5)
> I'm in favor of masking it for removal, myself. Non-maintained crypto /
> security related software doesn't belong anywhere except maybe an
> museum/attic overlay.

OK with CCing treecleaners then? :|
Can you postpone removal until there is a suitable alternative in the main tree, such as VeraCrypt? An ebuild seems to be in the works: https://bugs.gentoo.org/show_bug.cgi?id=522186
(In reply to Pastafarianist from comment #7)
> Can you postpone removal until there is a suitable alternative in the main
> tree, such as VeraCrypt? An ebuild seems to be in the works:
> https://bugs.gentoo.org/show_bug.cgi?id=522186

We won't add this package; there were enough issues with truecrypt, and this package is no different. You may maintain it in an overlay.
(In reply to Alon Bar-Lev from comment #8)
> (In reply to Pastafarianist from comment #7)
> > Can you postpone removal until there is a suitable alternative in the main
> > tree, such as VeraCrypt? An ebuild seems to be in the works:
> > https://bugs.gentoo.org/show_bug.cgi?id=522186
>
> We won't add this package, there was enough issues with truecrypt, and this
> package is no different. You may maintain it at an overlay.

Forgot to mention, in case you are not aware, the app-crypt/tc-play[1] package should be a good solution for most.

[1] https://packages.gentoo.org/packages/app-crypt/tc-play
I am myself using dm-crypt, however this is not portable to other platforms. Therefore I was using truecrypt whenever I needed to exchange data with Mac or Windows. Is there a suitable alternative to truecrypt that also works on mac/windows?
(In reply to Till Korten from comment #10)
> I am myself using dm-crypt, however this is not portable to other platforms.
> Therefore I was using truecrypt whenever I needed to exchange data with Mac
> or Windows. Is there a suitable alternative to truecrypt that also works on
> mac/windows?

As far as I understand, tc-play is based on dm-crypt while managing the native truecrypt partition. You can use truecrypt in Windows while using tc-play in Linux.
removed
Package removed per previous comments. GLSA needed?
Package removed from tree per [1].

[1]: https://archives.gentoo.org/gentoo-dev/message/67240888bb49c83e26731062d29042e8