Bug 561952 - app-crypt/truecrypt: two privilege escalation
Summary: app-crypt/truecrypt: two privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~1 [glsa?]
Keywords:
Depends on:
Blocks: wxwidgets-3.0
Reported: 2015-10-01 08:17 UTC by Agostino Sarubbo
Modified: 2016-03-15 08:22 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-10-01 08:17:58 UTC
From ${URL} :

Hi,

I would like to request two CVE identifiers for the two security issues
described below affecting TrueCrypt 7.1a (latest version) and its fork
VeraCrypt 1.14 (latest version) running on all versions of Windows.

These issues were reported by James Forshaw (Google).

Issue 1: Local Elevation of Privilege on Windows by abusing drive letter handling.

Issue 2: Local Elevation of Privilege on Windows caused by incorrect Impersonation Token Handling.

Issue 1 is critical.

A fix has already been developed. Version 1.15 of VeraCrypt will be
released soon to address those issues.



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Agostino Sarubbo gentoo-dev 2015-10-01 08:19:19 UTC
Since it is abandoned upstream, I'd suggest to mask the package.
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2015-10-01 08:24:57 UTC
(In reply to Agostino Sarubbo from comment #1)
> Since it is abandoned upstream, I'd suggest to mask the package.

I agree, we need to remove it from tree.
Do you want me to mask it?
Comment 3 Frank Krömmelbein 2015-10-01 08:28:55 UTC
Only the Windows versions are affected.
So this does not concern us Gentoo users ;-)
No need to remove it now.

Btw.
It would be nice if some Dev could maintain Veracrypt and bring it into the main tree. Working Ebuilds are attached here:
https://bugs.gentoo.org/show_bug.cgi?id=522186
Thus, the user could migrate.
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2015-10-01 08:32:32 UTC
(In reply to Frank Krömmelbein from comment #3)
> Only the Windows versions are affected.
> So this does not concern us Gentoo users ;-)
> No need to remove it now.
> 
> Btw.
> It would be nice if some Dev could maintain Veracrypt and bring it into the
> main tree. Working Ebuilds are attached here:
> https://bugs.gentoo.org/show_bug.cgi?id=522186
> Thus, the user could migrate.

Too many patches; even truecrypt was never actually maintained either, each version of the kernel breaks it, and it is very difficult to maintain. Nobody in crypto actually uses it, and there are much better, more secure and simpler alternatives for Linux.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-01 09:01:06 UTC
(In reply to Alon Bar-Lev from comment #4)
> (In reply to Frank Krömmelbein from comment #3)
> > Only the Windows versions are affected.
> > So this does not concern us Gentoo users ;-)
> > No need to remove it now.
> > 
> > Btw.
> > It would be nice if some Dev could maintain Veracrypt and bring it into the
> > main tree. Working Ebuilds are attached here:
> > https://bugs.gentoo.org/show_bug.cgi?id=522186
> > Thus, the user could migrate.
> 
> Too many patches; even truecrypt was never actually maintained either, each
> version of the kernel breaks it, and it is very difficult to maintain. Nobody
> in crypto actually uses it, and there are much better, more secure and simpler
> alternatives for Linux.

I'm in favor of masking it for removal, myself. Non-maintained crypto / security related software doesn't belong anywhere except maybe a museum/attic overlay.
Comment 6 Pacho Ramos gentoo-dev 2015-10-13 15:07:11 UTC
(In reply to Kristian Fiskerstrand from comment #5) 
> I'm in favor of masking it for removal, myself. Non-maintained crypto /
> security related software doesn't belong anywhere except maybe a
> museum/attic overlay.


OK with CCing treecleaners then? :|
Comment 7 Pastafarianist 2016-01-14 11:16:09 UTC
Can you postpone removal until there is a suitable alternative in the main tree, such as VeraCrypt? An ebuild seems to be in the works: https://bugs.gentoo.org/show_bug.cgi?id=522186
Comment 8 Alon Bar-Lev (RETIRED) gentoo-dev 2016-01-14 11:39:38 UTC
(In reply to Pastafarianist from comment #7)
> Can you postpone removal until there is a suitable alternative in the main
> tree, such as VeraCrypt? An ebuild seems to be in the works:
> https://bugs.gentoo.org/show_bug.cgi?id=522186

We won't add this package; there were enough issues with truecrypt, and this package is no different. You may maintain it in an overlay.
Comment 9 Alon Bar-Lev (RETIRED) gentoo-dev 2016-01-14 11:48:32 UTC
(In reply to Alon Bar-Lev from comment #8)
> (In reply to Pastafarianist from comment #7)
> > Can you postpone removal until there is a suitable alternative in the main
> > tree, such as VeraCrypt? An ebuild seems to be in the works:
> > https://bugs.gentoo.org/show_bug.cgi?id=522186
> 
> We won't add this package; there were enough issues with truecrypt, and this
> package is no different. You may maintain it in an overlay.

Forgot to mention, in case you are not aware: the app-crypt/tc-play[1] package should be a good solution for most.

[1] https://packages.gentoo.org/packages/app-crypt/tc-play
Comment 10 Till Korten 2016-01-29 08:42:11 UTC
I am myself using dm-crypt; however, this is not portable to other platforms. Therefore I was using truecrypt whenever I needed to exchange data with Mac or Windows. Is there a suitable alternative to truecrypt that also works on Mac/Windows?
Comment 11 Alon Bar-Lev (RETIRED) gentoo-dev 2016-01-29 09:21:05 UTC
(In reply to Till Korten from comment #10)
> I am myself using dm-crypt; however, this is not portable to other platforms.
> Therefore I was using truecrypt whenever I needed to exchange data with Mac
> or Windows. Is there a suitable alternative to truecrypt that also works on
> Mac/Windows?

As far as I understand, tc-play is based on dm-crypt while managing the native truecrypt partition. You can use truecrypt on Windows and tc-play on Linux.
Comment 12 Pacho Ramos gentoo-dev 2016-02-20 18:28:08 UTC
removed
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-02-21 03:54:34 UTC
Package removed per previous comments.  GLSA needed?
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-03-15 08:22:02 UTC
Package removed from tree per [1].

[1]: https://archives.gentoo.org/gentoo-dev/message/67240888bb49c83e26731062d29042e8