[ciphershed] Re: #if 0

  • From: Bill Cox <waywardgeek@xxxxxxxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Tue, 01 Jul 2014 11:07:30 -0400

On 7/1/2014 10:46 AM, Jason Pyeron wrote:
> I have found locations where the code shoves wide characters into
> byte wide char arrays, assumption of the char width at 1 or 2
> bytes, etc...
> 
> If I am an engineer surveying a dam for replacement, and I see
> springing leaks, do I not plug them?

I see similar problems in a lot of places.  I think the goal of the
first release is simple rebranding, not security enhancement.  The
second release should be done ASAP after that, and we should address
these sorts of issues.  The security audit is here:

https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf

The relevant part for string manipulation is:

---------
B.4 Use of deprecated, insecure string APIs
Description: The code in Ntdriver.c, as well as supporting files,
makes heavy use of APIs considered insecure and which are now
deprecated. This includes functions such as:

wcscpy()
wcscat() / wcsncat()
sprintf()
...

Recommendation: The Visual Studio CRT contains a new family of string
handling functions (StringCch) that are much more secure. These secure
functions have effectively become the replacement for the more
insecure string handling functions.
---------

There are many such issues in the code.  Let's plan on integrating
these changes into the short-term fix release, and move forward in
parallel with the rebranding release.

Bill
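
Added example, not part of the original message, the audit report, or the project's code: a portable standard C sketch of the contract the StringCch family follows (capacity counted in characters rather than bytes, guaranteed termination, truncation reported as an error), in contrast to wcscpy()/wcscat(). The names CCH, cch_copy, cch_cat and join_name and the sample strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Capacity in characters, not bytes: sizeof(buf) alone overstates a
   wchar_t buffer by a factor of sizeof(wchar_t). */
#define CCH(a) (sizeof(a) / sizeof((a)[0]))

enum { CCH_OK = 0, CCH_TRUNCATED = -1, CCH_BAD_ARG = -2 };

/* Hypothetical helper: bounded copy that always NUL-terminates and
   reports truncation instead of writing past the end of dst. */
int cch_copy(wchar_t *dst, size_t cch_dst, const wchar_t *src)
{
    size_t i;
    if (dst == NULL || src == NULL || cch_dst == 0)
        return CCH_BAD_ARG;
    for (i = 0; i + 1 < cch_dst && src[i] != L'\0'; i++)
        dst[i] = src[i];
    dst[i] = L'\0';
    return src[i] == L'\0' ? CCH_OK : CCH_TRUNCATED;
}

/* Hypothetical helper: bounded append. The existing terminator is
   searched for only inside the buffer, so an unterminated dst is
   rejected rather than scanned past its end. */
int cch_cat(wchar_t *dst, size_t cch_dst, const wchar_t *src)
{
    size_t used = 0;
    if (dst == NULL || src == NULL || cch_dst == 0)
        return CCH_BAD_ARG;
    while (used < cch_dst && dst[used] != L'\0')
        used++;
    if (used == cch_dst)
        return CCH_BAD_ARG;
    return cch_copy(dst + used, cch_dst - used, src);
}

/* Constructed use case: build prefix + name in a caller-supplied buffer. */
int join_name(wchar_t *out, size_t cch_out, const wchar_t *prefix, const wchar_t *name)
{
    int rc = cch_copy(out, cch_out, prefix);
    return rc != CCH_OK ? rc : cch_cat(out, cch_out, name);
}

int main(void)
{
    wchar_t buf[8];
    printf("%d\n", join_name(buf, CCH(buf), L"Vol", L"ume1"));     /* fits exactly */
    printf("%d\n", join_name(buf, CCH(buf), L"Vol", L"ume-long")); /* truncated */
    return 0;
}
```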
