From ${URL} :

> TC_IOCTL_OPEN_TEST and TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG: an attacker
> can
>
> -- Deduce the presence of files they do not have access to
> -- Deduce if said files are smaller than TC_MAX_VOLUME_SECTOR_SIZE
> -- Deduce if said files start with the string "TrueCrypt" or one of four magic markers

Use CVE-2014-2884.

> integer overflow in the MainThreadProc function in
> EncryptedIoQueue.c ... could result in information disclosure.
>
> integer overflow in the ProcessVolumeDeviceControlIrp function in
> Ntdriver.c ... can result in Denial of Service (starve the kernel of
> memory)

Use CVE-2014-2885.

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
I do not understand where I can fetch patches from... I cannot find these CVEs.
Truecrypt latest version is: http://www.truecrypt.org/docs/version-history

7.1a was released on February 7, 2012, so this vulnerability has not been fixed yet. Alon, feel free to contact the upstream developers about a newer version.
I added truecrypt-7.2. But please notice that they stopped supporting the software...

"""
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
"""

I never understood people using this software anyway... I think we should remove it from tree.
@Alon Bar-Lev The "current" version 7.2 of TrueCrypt has drastically limited features. It is not possible any more to create new containers. I would suggest to remove this version 7.2 or at least hardmask it, because of the "bizarre" changes on the website. Microsoft BitLocker (!), as suggested on the original site, is NO alternative for Truecrypt!

It seems that the development of Truecrypt will continue with a new team under https://truecrypt.ch/

QUOTE:
Currently it is very unclear what really happened. Was it really just the end of a 10-year effort, or was it driven by some government. While a simple defacement is more and more unlikely we still don't know where this is going. However the first 36 hours showed clearly that TrueCrypt is a fragile product and must be based on more solid ground. We start with offering a download of the Truecrypt file as is, and we hope we can organize a solid base for the Future. There are no signs that there is any known security problem within TrueCrypt 7.1a and the audit will go on uninterrupted. Even though the trust into the developer team has diminished drastically, we believe that there needs to be an Open Source, Cross-platform full-disk encryption option.

Please keep version 7.1a in the tree.
Removed keywords from 7.2. Thanks!
Maybe the 7.1 version in the tree should be hardmasked if we plan to keep this package in the tree, because that version won't ever be fixed for these security issues :/
removed
Package removed from tree per [1]. [1]: https://archives.gentoo.org/gentoo-dev/message/67240888bb49c83e26731062d29042e8