| Summary: | veracrypt new security issue CVE-2019-1010208 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, geiger.david68210, jani.valimaa, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2019-1010208 | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | veracrypt-1.23-1.mga7.src | CVE: | CVE-2019-1010208 |
| Status comment: | |||
|
Description
Zombie Ryushu
2021-01-13 11:19:22 CET
Zombie Ryushu
2021-01-13 11:19:38 CET
CVE:
(none) =>
CVE-2019-1010208 Hi, thanks for reporting this. Assigned to the package maintainer, I added the committers in CC. (Please set the status to 'assigned' if you are working on it) CC:
(none) =>
geiger.david68210, jani.valimaa, ouaurelien https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010208 Assignee:
mageia =>
geiger.david68210 Done for mga7! Advisory: ======================== Updated veracrypt package fixes security vulnerability: IDRIX, Truecrypt Veracrypt, Truecrypt Prior to 1.23-Hotfix-1 (Veracrypt), all versions (Truecrypt) is affected by: Buffer Overflow. The impact is: Minor information disclosure of kernel stack. The component is: Veracrypt NT Driver (veracrypt.sys). The attack vector is: Locally executed code, IOCTL request to driver (CVE-2019-1010208). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010208 ======================== Updated packages in core/updates_testing: ======================== veracrypt-1.23-1.2.mga7 from veracrypt-1.23-1.2.mga7.src.rpm Status comment:
Patch available from upstream =>
(none) $ uname -a Linux linux.local 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux The following 2 packages are going to be installed: - sudo-1.9.5p2-1.mga7.x86_64 - veracrypt-1.23-1.2.mga7.x86_64 I had to set up my ID with sudo for this to work. There is a good page in Mageia for that. Set up a 100 MB volume and was able to open and add items. Working as designed. CC:
(none) =>
brtians1 Yes, but after reread this:
> The component is: Veracrypt NT Driver (veracrypt.sys). The attack vector is:
> Locally executed code, IOCTL request... (...)
Is this a windows-only sec bug? The github page refers to a Windows bug too.
So meanwhile, advisory commited. Validating update.CC:
(none) =>
sysadmin-bugs yeah, why should we push a linux update for a windows bug ?? Keywords:
validated_update =>
(none)
Aurelien Oudelet
2021-02-04 09:44:27 CET
Whiteboard:
MGA7-64-OK =>
(none) I wondered that as well, but it tested out fine and keeps us current. You never know they may have slipped in another change that benefits the security of the Linux version as well. If not too much effort, I would recommend sending the update to the 4 users who use it. (In reply to Brian Rockwell from comment #9) > I wondered that as well, but it tested out fine and keeps us current. > > You never know they may have slipped in another change that benefits the > security of the Linux version as well. > > If not too much effort, I would recommend sending the update to the 4 users > who use it. Flushing this out. Whiteboard:
(none) =>
MGA7-64-OK An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0088.html Resolution:
(none) =>
FIXED |