-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 7/1/2014 10:46 AM, Jason Pyeron wrote: > I have found locations where the code shoves wide characters into > byte wide char arrays, assumption of the char width at 1 or 2 > bytes, etc... > > If I am an engineer surveying a dam for replacement, and I see > springing leaks, do I not plug them? I see similar problems in a lot of places. I think the goal of the first release is simple rebranding, not security enhancement. The second release should be done ASAP after that, and we should address these sorts of issues. The security audit is here: https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf The relevant part for string manipulation is: - --------- B.4 Use of deprecated, insecure string APIs Description: The code in Ntdriver.c, as well as supporting files, makes heavy use of APIs considered insecure and which are now deprecated. This includes functions such as: wcscpy() wcscat() / wcsncat() sprintf() ... Recommendation: The Visual Studio CRT contains a new family of string handling functions (StringCch) that are much more secure. These secure functions have effectively become the replacement for the more insecure string handling functions. - --------- There are many such issues in the code. Let's plan on integrating these changes into the short-term fix release, and move forward in parallel with the rebranding release. Bill -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTss6yAAoJEL9an3rWhBk+F9MP/i3p4gwfgkPdEp8uEN4L1dA/ niBMTB9pmOj8FMXjVfcZv+9AY3nXKJXwIGM9RuIf7ZgrA9mHS9r+ejd2AxzttKGx I5pd7YSQM/L7U90cyoCCGkO82RjWjxXSTXogU3+Yi0FfeqdC61CSvNEoHkf7e8gQ cKtqFIWqom/KbwZyr9gNVVclGletmJRrsvy+WcXajYpPSyaE9mvzfkS/rrmA/jP7 7lg6KkOM+Nwb6rw8eWkORQbtZ+79mygUDmO4ktj0gtSK+yFHySRz48iDXrvKt8Zt pKH24jVZz7+wxZU2QMxIZoOe9IltWLkeA/mLLZhkXEdn1wFGAby3YKbfQ4utt658 QqkKEpSbdX5/3QugTsoV3ON7HEnk23+dGeJenYK3mpF7Gy/jUX/dwSC3eC4dUNcy xobkufAZN3YiQqDcMuoNSWXnJFWWmIi2hYlM7NA7JYAvNrKocLz2IU6ZxpK+YKYP xkvBwpiDgUZ2WsnzCgULfLdLaAtka3vbhnDfvzQoqRMNZWG8jQbnlIkkYweW/Ky9 21HXAVUmwR6B2eskL1IvPMGunw2tXYYRV94/j+wQ6JJDWdDyTK95HFMLs0bkDCE7 k7G2w1S29UuZDkf6UXkW119x+B6DvVy9b1HM4XOGRGq0+7lnyaHwLFqyjRgT4j4D PE5GUO1rodaDWiv35mMA =FI0o -----END PGP SIGNATURE-----