Bug 508084 (CVE-2014-2884) - app-crypt/truecrypt : Two vulnerabilities (CVE-2014-{2884,2885})
Summary: app-crypt/truecrypt : Two vulnerabilities (CVE-2014-{2884,2885})
Status: RESOLVED FIXED
Alias: CVE-2014-2884
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-19 11:55 UTC by Agostino Sarubbo
Modified: 2016-03-15 08:21 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-04-19 11:55:30 UTC
From ${URL}:

> TC_IOCTL_OPEN_TEST and TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG: an attacker can
> 
>   -- Deduce the presence of files they do not have access to
>   -- Deduce if said files are smaller than TC_MAX_VOLUME_SECTOR_SIZE
>   -- Deduce if said files start with the string "TrueCrypt" or one of four magic markers

Use CVE-2014-2884.
> integer overflow in the MainThreadProc function in
> EncryptedIoQueue.c ... could result in information disclosure.
> 
> integer overflow in the ProcessVolumeDeviceControlIrp function in
> Ntdriver.c ... can result in Denial of Service (starve the kernel of
> memory)

Use CVE-2014-2885.
@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2014-04-22 17:49:50 UTC
I do not understand where I can fetch patches from... I cannot find these CVEs.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-05-02 02:47:15 UTC
Truecrypt latest version is:

http://www.truecrypt.org/docs/version-history
7.1a was released on February 7, 2012

So this vulnerability has not been fixed yet.

Alon, feel free to contact the upstream developers about a newer version.
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2014-07-06 19:44:31 UTC
I added truecrypt-7.2.

But please notice that they stopped supporting the software...

"""
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
"""

I never understood people using this software anyway... I think we should remove it from tree.
Comment 4 Frank Krömmelbein 2014-07-06 20:26:44 UTC
@Alon Bar-Lev 

The "current" version 7.2 of TrueCrypt has drastically limited features.

It is not possible any more to create new containers.

I would suggest removing this version 7.2, or at least hard-masking it, because of the "bizarre" changes on the website.

Microsoft BitLocker (!), as suggested on the original site is NO alternative for Truecrypt!

It seems that the development of Truecrypt will continue with a new team under https://truecrypt.ch/

QUOTE:
Currently it is very unclear what really happened. Was it really just the end of a 10-year effort, or was it driven by some government? While a simple defacement is more and more unlikely, we still don't know where this is going. However, the first 36 hours showed clearly that TrueCrypt is a fragile product and must be based on more solid ground. We start with offering a download of the Truecrypt file as is, and we hope we can organize a solid base for the future.
There are no signs that there is any known security problem within TrueCrypt 7.1a and the audit will go on uninterrupted. Even though the trust in the developer team has diminished drastically, we believe that there needs to be an Open Source, cross-platform full-disk encryption option.


Please keep version 7.1a in the tree.
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2014-07-06 20:31:09 UTC
Removed keywords from 7.2.

Thanks!
Comment 6 Pacho Ramos gentoo-dev 2015-10-13 15:06:27 UTC
Maybe the 7.1 version in the tree should be hardmasked if we plan to keep this package in the tree, because that version won't ever be fixed for these security issues :/
Comment 7 Pacho Ramos gentoo-dev 2016-02-20 18:28:05 UTC
removed
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-15 08:21:15 UTC
Package removed from tree per [1].

[1]: https://archives.gentoo.org/gentoo-dev/message/67240888bb49c83e26731062d29042e8