Dailydave mailing list archives
Non disclosure from security vendors: Truecrypt example
From: Julien TINNES <julien.tinnes () francetelecom com>
Date: Sun, 30 Apr 2006 14:10:57 +0200
Hello,

I took a quick look at Truecrypt's 4.1 Linux source code in December, and quickly found out that the Linux version had a very simple critical flaw when installed as suid-root (which is not the default, but is an option during installation). It's running external commands such as 'mount' using execvp(), without any PATH sanitization (it would be bad enough even with PATH sanitization) and allows any user to gain root privileges.

I wrote to them about this on December the 14th and had no answer. On January the 14th I wrote another email and I was answered that a new version should be released soon and that I should note that 'suid root was not the default'. I wrote back to them asking why they wouldn't release a security advisory and a fix, explaining to them it was important that users know about this problem. I was answered once again that the default configuration was secure.

A few days ago I saw that a new version of Truecrypt Linux was released (April the 17th), and in the changelog we can see: "Improved security of set-euid mode of execution" in the middle of other improvements. It was not even in the Bug fixes section!

I'm really asking myself why an open-source security vendor would deal with security like this. Especially for a cryptography-related product where open source and disclosure of the information is really important to the user.

I've not even looked into Truecrypt 4.2, probably won't and will just stop using it. I'm a bit surprised that someone puts time into writing an open-source disk-ciphering software (which a lot of people were waiting for on the Windows platform) and ruins it by not disclosing critical information to their users.

-- Julien
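The pattern the post describes, as an added example that is not Truecrypt's code: a set-euid program that launches an external helper should name it by an absolute path, hand it a fixed environment and use execve(), which never consults PATH, instead of execvp(). The helper names, the SAFE_ENV value and the demo in main() are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed child environment (constructed here): trusted PATH, nothing inherited. */
static char *const SAFE_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* A helper may only be named by an absolute path with no ".." component
 * (deliberately strict: any "/.." substring is rejected). */
int helper_path_ok(const char *path)
{
    return path != NULL && path[0] == '/' && strstr(path, "/..") == NULL;
}

/* Run the helper with execve() and the fixed environment. execve() never
 * consults PATH, so nothing the caller controls picks the binary. Returns
 * the child's exit status (127 if execve() failed), or -1 on rejection. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid;
    if (!helper_path_ok(path) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);
        _exit(127);                 /* reached only if execve() failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int run_sh(const char *cmd)   /* run one shell command line through run_helper() */
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    return run_helper("/bin/sh", argv);
}

int main(void)
{
    /* The flawed pattern was execvp("mount", argv), which resolves "mount"
     * through the caller's PATH. Here the parent's PATH is set to an untrusted
     * value, yet the child still reports the PATH from SAFE_ENV. */
    setenv("PATH", "/some/untrusted/dir", 1);
    printf("parent PATH: %s\n", getenv("PATH"));
    return run_sh("echo \"child PATH: $PATH\"") == 0 ? 0 : 1;
}
```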