Portál AbcLinuxu, 25. prosince 2025 10:52
Společnost Quarkslab zveřejnila výsledky bezpečnostního auditu (pdf) open source nástroje pro on-the-fly šifrování (OTFE) dat VeraCrypt. Audit byl sponzorován organizací OSTIF (Open Source Technology Improvement Fund) a byl proveden dvěma zaměstnanci Quarkslabu mezi 16. srpnem a 14. zářím (32 člověkodnů). Nalezené chyby (8 kritických) jsou opraveny v nejnovější verzi VeraCryptu 1.19 (poznámky k vydání).
Tiskni
Sdílej:
19.10.2016 10:43
Bystroushaak | skóre: 36
| blog: Bystroushaakův blog
| Praha
The fixes include:
- Removal of the GOST 28147-89 encryption option entirely. The implementation was unsafe. Functionality for decryption of volumes that used this cipher is still in place, but new volumes cannot be created using this cipher.
- Removal of XZip and XUnzip. These were replaced with modern and more secure zip libraries (libzip).
- Fixes implemented for the vulnerability described in section 5.1 (password length can be determined in classic bootloader).
- Fixes implemented for the vulnerability described in section 7.1 for the new bootloader. (keystrokes not erased after authentication)
- Fixes implemented for the vulnerability described in section 7.2 for the new bootloader. (sensitive data not correctly erased)
- Fixes implemented for the vulnerability described in section 7.3 for the new bootloader. (memory corruption)
- Fixes implemented for the vulnerability described in section 7.4 for the new bootloader. (null pointer, dead code, inconsistent data reads by ConfigRead, bad pointer in EFIGetHandles, null pointer dereference in the graphic library.)
- Updates to user documentation for other vulnerabilities that can be closed by user practices.
19.10.2016 23:42
xkucf03 | skóre: 49
| blog: xkucf03
keystrokes not erased after authenticationBTW: proto se v Javě pro hesla používá
char[] místo String – pole jde přemazat jakmile heslo už není potřeba držet v paměti..
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.