FS#46504 - [truecrypt] Warn users about CVE-2015-7358 and CVE-2015-7359

Attached to Project: Arch Linux
Opened by mpan (mpan) - Thursday, 01 October 2015, 01:50 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 19 May 2016, 15:30 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Closed
Assigned To: Rémy Oudompheng (remyoudompheng), Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Two critical security issues have been detected in TrueCrypt 7.1 *on Windows*: CVE-2015-7358 and CVE-2015-7359.
In `post_upgrade` add a warning for the users that still use TrueCrypt, about the issue.

Rationale:
Both CVEs apply to Windows only, but most people who use TrueCrypt are using it because they need to share encrypted volumes between Windows and other systems — hence it's worth notifying them about the issue.

Confirmation:
https://veracrypt.codeplex.com/SourceControl/changeset/cf4794372e5dea753b6310f1ca6912c6bfa86d45
https://veracrypt.codeplex.com/wikipage?title=Release%20Notes&version=25
http://www.theregister.co.uk/2015/09/29/google_flaks_find_admin_elevation_holes_that_gave_truecrypt_audit_the_slip/

Closed by Levente Polyak (anthraxx)
Thursday, 19 May 2016, 15:30 GMT
Reason for closing: Won't implement
Additional comments about closing: the mentioned CVEs are related to Windows, we don't warn about issues with other operating systems
Comment by Daniel Micay (thestinger) - Thursday, 01 October 2015, 02:09 GMT
It would make more sense to just drop it in favour of veracrypt since it's unmaintained and (AFAIK) veracrypt is compatible with the TrueCrypt disk format.

The Windows security issues are just local privilege escalation... and there are so many of those on Windows. Unlike many of them, these don't seem like viable sandbox bypasses so most users aren't going to care since their machines are single-user.
Comment by Daniel Micay (thestinger) - Thursday, 01 October 2015, 02:14 GMT
We don't warn about unmaintained, vulnerable software in Arch Linux itself... we just drop it. Seems a bit much to expect that we'd start inferring or detecting the presence of vulnerable software *in other operating systems* to warn about it.
Comment by mpan (mpan) - Thursday, 01 October 2015, 04:07 GMT
Well, currently TrueCrypt is maintained in official Arch repos, even though the software has been unmaintained and deprecated since 2014 and has been superseded by VeraCrypt, which is available only in AUR. It would be good if VeraCrypt would make it into official repos instead of TrueCrypt, but as long as TC is available in repos AND users are often using it to share encrypted partitions between ArchLinux and Windows, I believe the idea of warning them about the issue is justified. Even if the bug is on Windows, its usage on that system is an important use case of this Arch package.

However, you have a strong argument and actually this is why I gave this issue only the low severity.
