[VIM] Non disclosure from security vendors: Truecrypt example (fwd)

security curmudgeon jericho at attrition.org
Mon May 1 23:40:08 EDT 2006


April 17, 2006
Improved security of set-euid mode of execution (Linux).

---------- Forwarded message ----------
From: Julien TINNES <julien.tinnes at francetelecom.com>
To: dailydave at lists.immunitysec.com
Date: Sun, 30 Apr 2006 14:10:57 +0200
Subject: [Dailydave] Non disclosure from security vendors: Truecrypt example


I took a quick look at Truecrypt's 4.1 Linux source code in December,
and quickly found out that the Linux version had a very simple critical
flaw when installed as suid-root (which is not the default, but is an
option during installation).

It's running external commands such as 'mount' using execvp(), without
any PATH sanitization (it would be bad enough even with PATH
sanitization) and allows any user to gain root privileges.

I wrote to them about this on December the 14th and had no answer. On
January the 14th I wrote another email and I was answered that a new
version should be released soon and that I should note that 'suid root
was not the default'.

I wrote back to them asking why they wouldn't release a security
advisory and a fix, explaining to them that it was important that users know
about this problem.

I was answered once again that the default configuration was secure.

A few days ago I saw that a new version of Truecrypt Linux was released
(April the 17th), and in the changelog we can see: "Improved security of
set-euid mode of execution" in the middle of other improvements. It was
not even in the Bug fixes section!

I'm really asking myself why an open-source security vendor would deal
with security like this. Especially for a cryptography-related product
where open source and disclosure of the information is really important
to the user.
I've not even looked into Truecrypt 4.2, probably won't, and will just
stop using it.

I'm a bit surprised that someone puts time into writing open-source
disk-ciphering software (which a lot of people were waiting for on the
Windows platform) and ruins it by not disclosing critical information to
their users.
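The execvp() pattern the forwarded mail describes, shown beside a hardened form, as an added example in C that is not TrueCrypt's code; the trusted directory list, the fixed environment and the /bin/mount path are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Directories a set-uid helper may run programs from (assumed list). */
static const char *const TRUSTED_DIRS[] = {
    "/sbin/", "/bin/", "/usr/sbin/", "/usr/bin/", NULL
};

/* Fixed environment handed to the child; nothing from the caller survives. */
static char *const SAFE_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Returns 1 if path is absolute, sits directly inside a trusted directory and
 * contains no "." or ".." component; 0 otherwise. */
int is_trusted_exec_path(const char *path) {
    if (path == NULL || path[0] != '/')
        return 0;
    if (strstr(path, "/../") != NULL || strstr(path, "/./") != NULL)
        return 0;
    size_t len = strlen(path);
    if (len >= 3 && strcmp(path + len - 3, "/..") == 0)
        return 0;
    if (path[len - 1] == '/')
        return 0;
    for (const char *const *d = TRUSTED_DIRS; *d != NULL; d++) {
        size_t dl = strlen(*d);
        /* exact directory prefix, and no further '/' in the file name part */
        if (strncmp(path, *d, dl) == 0 && strchr(path + dl, '/') == NULL)
            return 1;
    }
    return 0;
}

/* Vulnerable shape from the mail: execvp() resolves "mount" through the
 * caller's PATH while the process still runs with effective uid 0, so the
 * unprivileged caller decides which binary root executes. */
int run_mount_unsafe(char *const argv[]) {
    return execvp("mount", argv);
}

/* Hardened shape: absolute path checked against the trusted list, fixed
 * environment, no PATH search. Returns -1 if the path is rejected or exec fails. */
int run_mount_hardened(const char *mount_path, char *const argv[]) {
    if (!is_trusted_exec_path(mount_path))
        return -1;
    return execve(mount_path, argv, SAFE_ENV);
}
```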

