IDRIX, Truecrypt Veracrypt, Truecrypt Prior to 1.23-Hotfix-1 (Veracrypt), all versions (Truecrypt) is affected by: Buffer Overflow. The impact is: Minor information disclosure of kernel stack. The component is: Veracrypt NT Driver (veracrypt.sys). The attack vector is: Locally executed code, IOCTL request to driver. The fixed version is: 1.23-Hotfix-1.
CVE: (none) => CVE-2019-1010208
Hi, thanks for reporting this. Assigned to the package maintainer, I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => geiger.david68210, jani.valimaa, ouaurelienAssignee: bugsquad => mageia
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010208
Assignee: mageia => geiger.david68210Status comment: (none) => Patch available from upstreamCC: (none) => mageiaSummary: veracrypt security vulnerability CVE-2019-1010208 => veracrypt new security issue CVE-2019-1010208
Done for mga7!
Advisory: ======================== Updated veracrypt package fixes security vulnerability: IDRIX, Truecrypt Veracrypt, Truecrypt Prior to 1.23-Hotfix-1 (Veracrypt), all versions (Truecrypt) is affected by: Buffer Overflow. The impact is: Minor information disclosure of kernel stack. The component is: Veracrypt NT Driver (veracrypt.sys). The attack vector is: Locally executed code, IOCTL request to driver (CVE-2019-1010208). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010208 ======================== Updated packages in core/updates_testing: ======================== veracrypt-1.23-1.2.mga7 from veracrypt-1.23-1.2.mga7.src.rpm
Status comment: Patch available from upstream => (none)Assignee: geiger.david68210 => qa-bugs
$ uname -a Linux linux.local 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux The following 2 packages are going to be installed: - sudo-1.9.5p2-1.mga7.x86_64 - veracrypt-1.23-1.2.mga7.x86_64 I had to set up my ID with sudo for this to work. There is a good page in Mageia for that. Set up a 100 MB volume and was able to open and add items. Working as designed.
CC: (none) => brtians1Whiteboard: (none) => MGA7-64-OK
Yes, but after reread this: > The component is: Veracrypt NT Driver (veracrypt.sys). The attack vector is: > Locally executed code, IOCTL request... (...) Is this a windows-only sec bug? The github page refers to a Windows bug too. So meanwhile, advisory commited. Validating update.
CC: (none) => sysadmin-bugsKeywords: (none) => advisory, validated_update
yeah, why should we push a linux update for a windows bug ??
Keywords: validated_update => (none)
https://github.com/veracrypt/VeraCrypt/commit/f30f9339c9a0b9bbcc6f5ad38804af39db1f479e
Whiteboard: MGA7-64-OK => (none)Keywords: advisory => feedback
I wondered that as well, but it tested out fine and keeps us current. You never know they may have slipped in another change that benefits the security of the Linux version as well. If not too much effort, I would recommend sending the update to the 4 users who use it.
(In reply to Brian Rockwell from comment #9) > I wondered that as well, but it tested out fine and keeps us current. > > You never know they may have slipped in another change that benefits the > security of the Linux version as well. > > If not too much effort, I would recommend sending the update to the 4 users > who use it. Flushing this out.
Whiteboard: (none) => MGA7-64-OKKeywords: feedback => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0088.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED