mirror of
https://github.com/veracrypt/VeraCrypt.git
synced 2026-07-06 13:08:00 -05:00
Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr)
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries. Key changes: - Block mounting on protected system directories (/usr, /bin, /lib, etc.) This restriction cannot be overridden - Block mounting on directories present in user's PATH environment variable This can be overridden with --allow-insecure-mount flag - Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed - Handle symlinks properly when checking paths - Add new error messages for blocked mount points To override PATH-based restrictions only (system directories remain protected): veracrypt --allow-insecure-mount [options] volume mountpoint Security Impact: Low to Medium The attack requires either: - User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points - Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password Default mount points are not affected by this vulnerability. Security: CVE-2025-23021
This commit is contained in:
@@ -40,7 +40,16 @@ namespace VeraCrypt
|
||||
void OnReadOnlyCheckBoxClick (wxCommandEvent& event) { UpdateDialog(); }
|
||||
void UpdateDialog ();
|
||||
|
||||
#ifdef TC_UNIX
|
||||
// Used for displaying a red border around the dialog window when insecure mode is enabled
|
||||
void OnPaint(wxPaintEvent& event);
|
||||
void OnSize(wxSizeEvent& event);
|
||||
#endif
|
||||
|
||||
MountOptions &Options;
|
||||
#ifdef TC_UNIX
|
||||
bool m_showRedBorder;
|
||||
#endif
|
||||
wxString OptionsButtonLabel;
|
||||
VolumePasswordPanel *PasswordPanel;
|
||||
VolumePasswordPanel *ProtectionPasswordPanel;
|
||||
|
||||
Reference in New Issue
Block a user