Date: Thu, 24 Sep 2015 16:42:10 -0400 (EDT)
From: cve-assign@...re.org
To: veracrypt@...ix.fr
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - TrueCrypt 7.1a and VeraCrypt 1.14 Local Elevation of Privilege

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I would like to request two CVE identifiers for the two security issues
> described below affecting TrueCrypt 7.1a (latest version) and its fork
> VeraCrypt 1.14 (latest version) running on all versions of Windows.
> 
> These issues were reported by James Forshaw (Google).

> Issue 1: Local Elevation of Privilege on Windows by abusing
>               drive letter handling.

Use CVE-2015-7358.


> Issue 2: Local Elevation of Privilege on Windows caused by incorrect
>               Impersonation Token Handling.

Use CVE-2015-7359.


> For your information, I have sent a similar CVE request to mitre.org.

That request was about 40 minutes earlier.

Sending the same CVE request to multiple addresses is typically not
what MITRE wants, although you're certainly welcome to change your
mind and decide that you had actually preferred that a CVE request be
publicly archived from the beginning. (It's rare for a vendor to use
oss-security for CVE requests related to "critical" vulnerabilities
that don't yet have a fixed release. The issue descriptions here, in
combination with vendor confirmation, probably make the
vulnerabilities sufficiently public that they are within the scope of
the oss-security list charter. We think the implication is that
readers should look at

  https://code.google.com/p/google-security-research/issues/list?can=1

at a future time, if interested in other details.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
