FS#46504 - [truecrypt] Warn users about CVE-2015-7358 and CVE-2015-7359
Attached to Project:
Arch Linux
Opened by mpan (mpan) - Thursday, 01 October 2015, 01:50 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 19 May 2016, 15:30 GMT
Details
Description:
Two critical security issues have been detected in TrueCrypt 7.1 *on Windows*: CVE-2015-7358 and CVE-2015-7359. In `post_upgrade`, add a warning about the issue for the users that still use TrueCrypt.

Rationale: Both CVEs apply to Windows only, but most people who use TrueCrypt are using it because they need to share encrypted volumes between Windows and other systems — hence it's worth notifying them about the issue.

Confirmation:
https://veracrypt.codeplex.com/SourceControl/changeset/cf4794372e5dea753b6310f1ca6912c6bfa86d45
https://veracrypt.codeplex.com/wikipage?title=Release%20Notes&version=25
http://www.theregister.co.uk/2015/09/29/google_flaks_find_admin_elevation_holes_that_gave_truecrypt_audit_the_slip/
Closed by Levente Polyak (anthraxx)
Thursday, 19 May 2016, 15:30 GMT
Reason for closing: Won't implement
Additional comments about closing: the mentioned CVEs are related to Windows, we don't warn about issues with other operating systems
The Windows security issues are just local privilege escalation... and there are so many of those on Windows. Unlike many of them, these don't seem like viable sandbox bypasses so most users aren't going to care since their machines are single-user.
However, you have a strong argument, and actually this is why I gave this issue only low severity.