Date: Thu, 24 Sep 2015 16:42:10 -0400 (EDT)
From: cve-assign@...re.org
To: veracrypt@...ix.fr
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - TrueCrypt 7.1a and VeraCrypt 1.14 Local Elevation of Privilege

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I would like to request two CVE identifiers for the two security issues
> described below affecting TrueCrypt 7.1a (latest version) and its fork
> VeraCrypt 1.14 (latest version) running on all versions of Windows.
>
> These issues were reported by James Forshaw (Google).

> Issue 1: Local Elevation of Privilege on Windows by abusing
> drive letter handling.

Use CVE-2015-7358.

> Issue 2: Local Elevation of Privilege on Windows caused by incorrect
> Impersonation Token Handling.

Use CVE-2015-7359.

> For your information, I have sent a similar CVE request to mitre.org.

That request was about 40 minutes earlier. Sending the same CVE
request to multiple addresses is typically not what MITRE wants,
although you're certainly welcome to change your mind and decide that
you had actually preferred that a CVE request be publicly archived
from the beginning.

(It's rare for a vendor to use oss-security for CVE requests related
to "critical" vulnerabilities that don't yet have a fixed release. The
issue descriptions here, in combination with vendor confirmation,
probably make the vulnerabilities sufficiently public that they are
within the scope of the oss-security list charter. We think the
implication is that readers should look at
https://code.google.com/p/google-security-research/issues/list?can=1
at a future time, if interested in other details.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]