| Summary: | app-crypt/truecrypt: two privilege escalation | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | alonbl, crypto+disabled, gentoo.2019, luke, treecleaner, webmaster |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/09/22/7 | | |
| Whiteboard: | ~1 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 562480 | | |

Description
Agostino Sarubbo
2015-10-01 08:17:58 UTC

Since it is abandoned upstream, I'd suggest to mask the package.

(In reply to Agostino Sarubbo from comment #1)
> Since it is abandoned upstream, I'd suggest to mask the package.

I agree, we need to remove it from tree. Do you want me to mask it?

Only the Windows Versions are affected.
So does not concern us Gentoo users ;-)
No need to remove it now.

Btw.
It would be nice if some Dev could maintain Veracrypt and bring it into the main tree. Working Ebuilds are attached here: https://bugs.gentoo.org/show_bug.cgi?id=522186
Thus, the user could migrate.

(In reply to Frank Krömmelbein from comment #3)
> Only the Windows Versions are affected.
> So does not concern us Gentoo users ;-)
> No need to remove it now.
>
> Btw.
> It would be nice if some Dev could maintain Veracrypt and bring it into the
> main tree. Working Ebuilds are attached here:
> https://bugs.gentoo.org/show_bug.cgi?id=522186
> Thus, the user could migrate.

Too many patches, even truecrypt never actually maintained either, each version of kernel breaks it, very difficult to maintain. Nobody of crypto actually uses it, and there are much better secure and simple alternatives for linux.

(In reply to Alon Bar-Lev from comment #4)
> (In reply to Frank Krömmelbein from comment #3)
> > Only the Windows Versions are affected.
> > So does not concern us Gentoo users ;-)
> > No need to remove it now.
> >
> > Btw.
> > It would be nice if some Dev could maintain Veracrypt and bring it into the
> > main tree. Working Ebuilds are attached here:
> > https://bugs.gentoo.org/show_bug.cgi?id=522186
> > Thus, the user could migrate.
>
> Too many patches, even truecrypt never actually maintained either, each
> version of kernel breaks it, very difficult to maintain. Nobody of crypto
> actually uses it, and there are much better secure and simple alternatives
> for linux.

I'm in favor of masking it for removal, myself. Non-maintained crypto / security related software doesn't belong anywhere except maybe a museum/attic overlay.

(In reply to Kristian Fiskerstrand from comment #5)
> I'm in favor of masking it for removal, myself. Non-maintained crypto /
> security related software doesn't belong anywhere except maybe a
> museum/attic overlay.

OK with CCing treecleaners then? :|

Can you postpone removal until there is a suitable alternative in the main tree, such as VeraCrypt? An ebuild seems to be in the works: https://bugs.gentoo.org/show_bug.cgi?id=522186

(In reply to Pastafarianist from comment #7)
> Can you postpone removal until there is a suitable alternative in the main
> tree, such as VeraCrypt? An ebuild seems to be in the works:
> https://bugs.gentoo.org/show_bug.cgi?id=522186

We won't add this package, there were enough issues with truecrypt, and this package is no different. You may maintain it at an overlay.

(In reply to Alon Bar-Lev from comment #8)
> (In reply to Pastafarianist from comment #7)
> > Can you postpone removal until there is a suitable alternative in the main
> > tree, such as VeraCrypt? An ebuild seems to be in the works:
> > https://bugs.gentoo.org/show_bug.cgi?id=522186
>
> We won't add this package, there were enough issues with truecrypt, and this
> package is no different. You may maintain it at an overlay.

Forgot to mention, in case you are not aware, app-crypt/tc-play[1] package should be a good solution for most.

[1] https://packages.gentoo.org/packages/app-crypt/tc-play

I am myself using dm-crypt, however this is not portable to other platforms. Therefore I was using truecrypt whenever I needed to exchange data with Mac or Windows. Is there a suitable alternative to truecrypt that also works on mac/windows?

(In reply to Till Korten from comment #10)
> I am myself using dm-crypt, however this is not portable to other platforms.
> Therefore I was using truecrypt whenever I needed to exchange data with Mac
> or Windows. Is there a suitable alternative to truecrypt that also works on
> mac/windows?

As far as I understand, tc-play is based on dm-crypt while managing the native truecrypt partition. You can use truecrypt in windows while tc-play in linux.

removed

Package removed per previous comments. GLSA needed?

Package removed from tree per [1].

[1]: https://archives.gentoo.org/gentoo-dev/message/67240888bb49c83e26731062d29042e8