| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
(CVE-2025-23021, reported by SivertPL @__tfr)
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.
Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points
To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint
Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.
Security: CVE-2025-23021
|
|
Update Windows drivers.
|
|
If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
|
|
|
|
|
|
|
|
* Add basic strcture needed for EMV implementation
* Add demo EMV functionality with C code pasted in a very dirty and unsafe way. NOT FINAL
* Refactor IccExtractor Structure
* Fix Makefile
* fix include file
* move global variables from h to c
* revert to memcpy
* fix icc data recovery functions
* Add EMV functionalities on windows
* Make EMVToken structures like SecurityToken
* Define constants instead of hard coded values
* Token structures created with inheritance
* refactor TokenKeyfile to use inherit. + polymor.
* add Token.h + Token.cpp in modules in VS2010
* Add a comment at each use of SecurityToken class or objects
* SecurityTokenKeyfilesDialog preparation
* Implemennt GetAvailableTokens in Token class on windows
* merge
* up (patching for Windows)
* foreach Token.cpp corrected
* Display EMV keyfiles on first window in graphic interface
* Add token to Windows UI
* EMVToken selection on OKButton on Linux
* Keyfile.cpp optimization
* Move getKeyfileData in the token class
* EMV::Token GetAvailableKeyfiles() base
* Move getKeyfileData in the token class on unix
* Remove test comments
* Warnings resolved
* RemoveeSecurityTokenLibraryNotInitialized exception if at least one emv token is detected
* Adding new files
* Remove old files and add the new version to the windows project
* Change make_shared to shared_ptr constructor
* IccExtractor integration working on linux
* Throwing card not EMV execption
* catch error when not EMV type in EMVToken::GetAvailableKeyfiles
* Change types to compile on windows
* list all keyfiles, security keyfiles and emv keyfiles in command line
* Change type to be coherent and remove old todo comments
* Remove todo comments
* Change indentation and resolve a bug from previous commit
* Use polymorphism for GetKeyfileData and add export option for EMVTokens on Linux
* Linux : Allow to export EMV Tokens in command lines, Windows : Disable the delete button when EMV Keyfiles are selected
* Remove SlotId from TokenInfo as it is already in Token
* Correct errors on Linux
* Disable delete option if one EMV Token is selected on Linux
* Fix bug enabling delete button if nothing is selected
* emv data used as reference then burnt
* use of normal files in linux corrected
* help updated
* help updated for export functionnality
* option EMV added to graphic interface but not yet working
* Bug fix : Allow to use multiple EMV on windows
* EMV Option added to UserPreferences
* EMV Option working for Linux
* EMV option added to Windows (not working yet)
* [NOT TESTED] EMV option for Windows
* Working EMV option on Windows
* EMV Option for data extraction working for volume creation
* EMV Option for data extraction working for Mount
* EMV Option for data extraction working for mounting favorites volumes
* EMV Option for extraction working for Changing volume password, Set Derivation Key Algorithm and Add or remove keyfile from volume
* Windows : re-checking EMV Option when getting data
* Removing error catches in the IccDataExtractor classe (It only throws error now). Changing GetPan signature to resemble the other functions signatures more
* Changing EMV errors
- Only throwing ICCExtractionException from outside of the ICC module.
- Catching all TLVExceptions and PCSCExceptions to throw the right ICCExtractionException
- Deleting APDU exceptions.
* First version of the documentation
* Adding function pointers for winscard library (but it crashes VeraCrypt)
* Debugging function pointers
* The import of the library on windows work as expected now
* Reverting EMVToken.cpp changes used to test to library import
* Searching for the System32 path instead of hard codding it
* Fixing the bug were VeraCrypt crashes if there is no readers when "add Token files" is clicked
* Winscard library not initialized in object constructor anymore to delay it after EMVOption check
* Remove winscard lib from windows dependencies
* Properly displaying errors
* Adding a dot in Language.xml
* Catching TLVException
* Removing unused code
* Remove unusefull comments
* Trying to fix 0x1f error
* Update IccDataExtractor.cpp
* Delete History.xml
* Fix get data without get pan
* Cleanup code
* changes for linux compilation but linking not working
* error handling for linux
* erasing emv data
* Burn PAN
* Burn PAN from memory
* Uncomment selfcheck before merging master
* burn corrected
* EMV errors handling for Linux
* EMV working for Linux CLI
* Doc : Winscard Linux package and VeraCrypt versions
---------
Co-authored-by: doriandu45 <d45.poubelle@gmail.com>
Co-authored-by: red4game <redemgaiming@gmail.com>
Co-authored-by: Brice.Namy <brice.namy@insa-rennes.fr>
Co-authored-by: vocthor <pieceo108@gmail.com>
Co-authored-by: vocthor <67202139+vocthor@users.noreply.github.com>
Co-authored-by: Andrei COCAN <andrei.cocan@insa-rennes.fr>
Co-authored-by: AndreiCocan <95496161+AndreiCocan@users.noreply.github.com>
Co-authored-by: francoisLEROUX <francois3443@gmail.com>
|
|
implementation which is kept for compatibility with older compilers. We also introduce compatibility code for old compilers that don't define std::unique_ptr
|
|
dummy password
The new switch is --use-dummy-sudo-password
|
|
|
|
|
|
|
|
and TrueCrypt 3.0.
|
|
|
|
|
|
many GTK issues linked to multi-threaded origine of events by implementing an automatic mechanism for handling such requests in the main thread.
|
|
the correct hash algorithm of volumes during various operations (mount, change password...), both using the GUI and the command line.
|
|
over-write operation.
|
|
Resources::GetTrueCryptIcon to Resources::GetVeraCryptIcon.
|
|
|
