Now we properly honor the AllowDefrag configuration.
This regression introduced other issues because, in order to allow defragmentation, we must provide Windows with an actual physical disk number. As a result, we assign the number of the physical disk where the VeraCrypt volume resides. This, in turn, causes Windows to send IOCTLs directly to this disk instead of to VeraCrypt. If these IOCTLs return values and properties not supported by VeraCrypt, inconsistencies arise, leading to failures.
- matching the phases used in Chinese Traditional Windows
- resolved conflicts introduced in 498dff9013
- minor formatting correction
- translated new entries staring from line 1459
* refactor: use UNMOUNT instead of DISMOUNT in code
This change updates the term DISMOUNT in constants to UNMOUNT.
Other occurrences (e.g. variable names) are left alone for now.
* refactor(ui): use unmount instead of dismount
This change updates the GUI text and replaces dismount with unmount.
* docs: update term dismount -> unmount
* refactor(cmdline): add unmount
This change adds an argument 'unmount' for command line usage, while
trying to deprecate the old disnount argument.
The current dismount argument/flag will still work to not introduce
a breaking change.
* docs: mention that /dismount is deprecated
This change fixes the shorthand version of the argument /unmount
It also adds back the info for /dismount and that it is deprecated.
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.
Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points
To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint
Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.
Security: CVE-2025-23021
This commit fixes a critical security vulnerability where VeraCrypt could be tricked into executing malicious binaries with elevated privileges. The vulnerability has two severe implications:
1. When sudo's secure_path option is disabled, attackers could execute malicious binaries with root privileges by placing them in user-writable PATH directories (e.g., making "sudo mount" execute a malicious mount binary)
2. By placing a malicious sudo binary in PATH, attackers could intercept and steal the user's password when VeraCrypt prompts for sudo authentication
The vulnerability allowed attackers to place malicious binaries in user-writable directories that appear in PATH before system directories, potentially leading to privilege escalation and credential theft.
Key changes:
- Implement FindSystemBinary() to locate executables in secure system paths
- Replace all relative binary paths with absolute paths for system commands
- Add security checks for executable permissions
- Update process execution to use absolute paths for:
* sudo
* mount
* fsck
* terminal emulators
* file managers
* system utilities (hdiutil, mdconfig, vnconfig, lofiadm)
The fix ensures all system binaries are called using their absolute paths from secure system directories, preventing both privilege escalation through PATH manipulation and password theft through sudo hijacking.
Security: CVE-2024-54187
Issue was caused by the fact that Microsoft signing certificate for driver file has changed.
We fix it by updating the SHA512 fingerprint of Microsoft code signing certificate.
In a Debian-style APT repository, the pool/ directory groups packages primarily by source package name and binary package name, version, architecture, etc. If two distinct .deb files have identical name and version (as seen in their control file) and same architecture, reprepro will report a conflict when adding one after the other.
So, we need to append distro-specific string to the existing version in order to avoid such conflict when creating VeraCrypt APT repository.
This commit increases randomness quality by using more dynamic/varied sources of entropy.
PDH-based disk and network statistics collection in now added to random pool
- Introduced `GetDiskStatistics` to gather disk read/write performance data using PDH API.
- Introduced `GetNetworkStatistics` to gather network send/receive performance data using PDH API.
- Integrated high-resolution timestamps and random intervals to improve entropy in collected data.
- Updated `SlowPoll` function to utilize PDH-based disk and network statistics.
- Removed obsolete NetAPI32-based network statistics collection.
