Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 703340 - <app-crypt/veracrypt-1.24_p2: Multiple vulnerabilities
Summary: <app-crypt/veracrypt-1.24_p2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-19 08:03 UTC by Frank Krömmelbein
Modified: 2020-05-04 01:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Krömmelbein 2019-12-19 08:03:46 UTC
This version now contains some security-relevant hardenings:
https://www.veracrypt.fr/en/Release%20Notes.html


Reproducible: Always
Comment 1 Göktürk Yüksek gentoo-dev 2019-12-19 21:13:09 UTC
SECURITY	Add this on all security related issues.

^ This is not a bug for the security team. Any reason why this bug is keyworded with SECURITY?
Comment 2 Göktürk Yüksek gentoo-dev 2019-12-19 21:21:50 UTC
I guess we can assume these two to be of importance:

  Fix off by one buffer overflow in function Process::Execute (Reported and fixed by Hanno Böck)

  Make sure password gets deleted in case of internal error when mounting volume (Reported and fixed by Hanno Böck)

Re-keywording.
Comment 3 Larry the Git Cow gentoo-dev 2019-12-19 22:48:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=203783d176b8f801bd640c5c1eaa372b6ea29e3e

commit 203783d176b8f801bd640c5c1eaa372b6ea29e3e
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-12-19 22:42:33 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-12-19 22:48:27 +0000

    app-crypt/veracrypt: bump to 1.24-Update2
    
    Bug: https://bugs.gentoo.org/703340
    Closes: https://bugs.gentoo.org/698936
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/veracrypt/Manifest                       |   1 +
 ...racrypt-1.24_p2-revert-wxwidgets-breakage.patch | 100 +++++++++++++++++
 app-crypt/veracrypt/veracrypt-1.24_p2.ebuild       | 120 +++++++++++++++++++++
 3 files changed, 221 insertions(+)
Comment 4 Frank Krömmelbein 2020-01-14 12:30:57 UTC
The new version runs smoothly here.
Can the stabilization now be started for app-crypt/veracrypt-1.24_p2 ?
Comment 5 Larry the Git Cow gentoo-dev 2020-03-30 12:20:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df1ce05286d75dd247e17489b8dacb5a833bb45a

commit df1ce05286d75dd247e17489b8dacb5a833bb45a
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2020-03-30 11:15:02 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2020-03-30 12:20:06 +0000

    app-crypt/veracrypt: remove old
    
    Bug: https://bugs.gentoo.org/703340
    Package-Manager: Portage-2.3.69, Repoman-2.3.14
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/veracrypt/Manifest                 |   3 -
 app-crypt/veracrypt/veracrypt-1.23.ebuild    |  96 ----------------------
 app-crypt/veracrypt/veracrypt-1.24-r1.ebuild | 117 ---------------------------
 app-crypt/veracrypt/veracrypt-1.24-r2.ebuild | 117 ---------------------------
 app-crypt/veracrypt/veracrypt-1.24.ebuild    | 100 -----------------------
 app-crypt/veracrypt/veracrypt-1.24_p1.ebuild | 117 ---------------------------
 6 files changed, 550 deletions(-)
Comment 6 Göktürk Yüksek gentoo-dev 2020-03-30 12:21:27 UTC
Older vulnerable versions are removed and the secure version is in stable. It should be safe to close this bug now.
Comment 7 Sam James (sec padawan) 2020-03-30 12:23:43 UTC
(In reply to Göktürk Yüksek from comment #6)
> Older vulnerable versions are removed and the secure version is in stable.
> It should be safe to close this bug now.

Great, thank you! We'll move it to the glsa? step.