Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150924204210.6DA5F6C0059@smtpvmsrv1.mitre.org>
Date: Thu, 24 Sep 2015 16:42:10 -0400 (EDT)
From: cve-assign@...re.org
To: veracrypt@...ix.fr
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - TrueCrypt 7.1a and VeraCrypt 1.14 Local Elevation of Privilege

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I would like to request two CVE identifiers for the two security issues
> described below affecting TrueCrypt 7.1a (latest version) and its fork
> VeraCrypt 1.14 (latest version) running on all versions of Windows.
> 
> These issues were reported by James Forshaw (Google).

> Issue 1: Local Elevation of Privilege on Windows by abusing
>               drive letter handling.

Use CVE-2015-7358.


> Issue 2: Local Elevation of Privilege on Windows caused by incorrect
>               Impersonation Token Handling.

Use CVE-2015-7359.


> For your information, I have sent a similar CVE request to mitre.org.

That request was about 40 minutes earlier.

Sending the same CVE request to multiple addresses is typically not
what MITRE wants, although you're certainly welcome to change your
mind and decide that you had actually preferred that a CVE request be
publicly archived from the beginning. (It's rare for a vendor to use
oss-security for CVE requests related to "critical" vulnerabilities
that don't yet have a fixed release. The issue descriptions here, in
combination with vendor confirmation, probably make the
vulnerabilities sufficiently public that they are within the scope of
the oss-security list charter. We think the implication is that
readers should look at

  https://code.google.com/p/google-security-research/issues/list?can=1

at a future time, if interested in other details.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWBF+VAAoJEL54rhJi8gl5SUsP/2oSElay/xGb8kSzpdhQWDwh
6of8eo/Ii4Wj0/0B8h1nzgHweUL528Kkf7cevrW0R9xPIwSEw2xidZdsFJCNX5hE
FesWoKBu98UXHwBOV0Vz0FjeiQvdiclw2UKNFsOcAi9CPrXkHqIUQAmafaVNVl17
ZtmRHZlGGPtra05DU7Ttd/0W52ODzcQuI+BDp3pitEjvu6Hsyaw6/5umANi9+tBG
tOvd4yWefIF+QEG28X7zGRLS1J6SeJIBhZ7eUboKdxWBmh927SlXszZ5RcCgynKf
8+8is2WeGs9BoxH96yKXqYTDptDXN7SlnrCdK0+D/GZOaN7cKfz7DjwXK5GditJr
wPTCA39Y61BAzfRxOLkM8L2C/4s4XeGTHDz90MvCgNF4fAvztJa7lJfawry8V+1p
8sEgCA04Bh2c7xQ5sbgWF/4n+zF+Po/llYy+dZBHwzJCVTevmfRTUBuhe1juYsJQ
abhRpRL+rfh0SncrNECFCDJNOUh8DMGzLkdEKnpUK44xb07vQ9UqNCoWfjR2v0f+
fmsOxlFdrgQ6Bq1oz5gOJZKcT7wcCNpltq1TUw1PU/SC+CW2yTCg40mniq4fJy2t
fd3dtk/CrICDWl+TtBXfh0u6lM6bvH7HiJepSYdWyXyONHgUfmCIwNK6tURtBCTZ
4inClRaCYGeljBY90rUm
=FyM2
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.