mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-12 11:28:26 -06:00
Commit Graph

306 Commits

Author SHA1 Message Date
Jertzukka
004fdc2a45 Linux/FreeBSD: Improvements on installation scripts (#1514)
This patch moves away from gnome-terminal -e options which is deprecated
and subject to possibly be removed in the future. The -- option is nearly
equivalent in behaviour. Also ensures that uninstallation script has correct
privileges, adds window title to xmessage and ensures correct files are
used during installation.
2025-03-24 13:16:08 +01:00
Mounir IDRASSI
56301ea64b Linux/macOS: Fix failure to use Hungarian language caused by issue in XML parser.
The method GetNodes implementation didn't parse multiple attributes correctly and it failed with Hungarian XML because of the presence of '>' character in an attribute value.

Issue reported in https://github.com/veracrypt/VeraCrypt/pull/1516
2025-03-24 07:55:03 +01:00
Mounir IDRASSI
c69ba240c4 Complete replacement of Dismount references by Unmount in various files 2025-02-02 23:37:36 +01:00
Helmut K. C. Tessarek
498dff9013 refactor: use the term unmount instead of dismount (#1478)
* refactor: use UNMOUNT instead of DISMOUNT in code

This change updates the term DISMOUNT in constants to UNMOUNT.
Other occurrences (e.g. variable names) are left alone for now.

* refactor(ui): use unmount instead of dismount

This change updates the GUI text and replaces dismount with unmount.

* docs: update term dismount -> unmount

* refactor(cmdline): add unmount

This change adds an argument 'unmount' for command line usage, while
trying to deprecate the old dismount argument.
The current dismount argument/flag will still work to not introduce
a breaking change.

* docs: mention that /dismount is deprecated

This change fixes the shorthand version of the argument /unmount
It also adds back the info for /dismount and that it is deprecated.
2025-01-31 23:18:26 +01:00
Mounir IDRASSI
eeebbf74f9 macOS: fix wxWidgets 3.2.6 assert for undefined switch use-dummy-sudo-password (GH #1470) 2025-01-23 17:18:57 +01:00
Mounir IDRASSI
54bd819990 Windows/Linux/macOS: implement AES hardware support on ARM64 (ARMv8) 2025-01-17 00:58:54 +01:00
Mounir IDRASSI
078d1410dd Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr)
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.

Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
  This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
  This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points

To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint

Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.

Security: CVE-2025-23021
2025-01-14 14:59:45 +01:00
Mounir IDRASSI
2cca2e1daf Linux/FreeBSD: Add absolute paths for system binaries to prevent path hijacking (CVE-2024-54187, collaboration with SivertPL @__tfr)
This commit fixes a critical security vulnerability where VeraCrypt could be tricked into executing malicious binaries with elevated privileges. The vulnerability has two severe implications:

1. When sudo's secure_path option is disabled, attackers could execute malicious binaries with root privileges by placing them in user-writable PATH directories (e.g., making "sudo mount" execute a malicious mount binary)

2. By placing a malicious sudo binary in PATH, attackers could intercept and steal the user's password when VeraCrypt prompts for sudo authentication

The vulnerability allowed attackers to place malicious binaries in user-writable directories that appear in PATH before system directories, potentially leading to privilege escalation and credential theft.

Key changes:
- Implement FindSystemBinary() to locate executables in secure system paths
- Replace all relative binary paths with absolute paths for system commands
- Add security checks for executable permissions
- Update process execution to use absolute paths for:
  * sudo
  * mount
  * fsck
  * terminal emulators
  * file managers
  * system utilities (hdiutil, mdconfig, vnconfig, lofiadm)

The fix ensures all system binaries are called using their absolute paths from secure system directories, preventing both privilege escalation through PATH manipulation and password theft through sudo hijacking.

Security: CVE-2024-54187
2025-01-14 14:59:40 +01:00
Mounir IDRASSI
1b35abb191 Increment version to 1.26.18. Update copyright date. Update Release Notes. Update Windows drivers. 2025-01-14 12:26:28 +01:00
Mounir IDRASSI
ca331b8b34 Linux/macOS: Simplify sudo session detection logic and extend it to macOS
This update simplifies the logic for detecting active sudo sessions by checking the exit code of the sudo -n -l command, which reliably returns 0 if a session is active.

Additionally, this approach is now applicable to recent macOS versions, as they no longer have the sudo bug that previously prevented us from using this method.
2024-12-25 11:29:32 +01:00
Mounir IDRASSI
341411e935 Linux: Fix "Password too long" error message not expanded to include max length (#1456) 2024-12-24 09:24:23 +01:00
Mounir IDRASSI
b6e698b376 Linux/macOS: check if volume doesn't exist before starting the mount operation. 2024-12-23 23:10:37 +01:00
Mounir IDRASSI
92ad97ef33 Linux: Improve directory opening logic by prioritizing xdg-open and adding fallback mechanisms (#1420)
- Use xdg-open as the primary method for opening directories, ensuring compatibility with most Linux environments.
- Implemented fallback logic to try other known file managers (e.g., nautilus, dolphin, caja, thunar) if xdg-open is unavailable or fails.

Based on proposal by @bugtracker2019
2024-09-24 03:55:33 +02:00
Mounir IDRASSI
aaf42a84a7 Linux: fix assert by wxWidgets library included in Ubuntu. 2024-09-18 15:08:31 +02:00
Mounir IDRASSI
5c485e80b6 macOS: restrict --allow-screencapture switch to macOS only since screen protection doesn't work on Linux
In the code we also enable it for TC_WINDOWS but actually we don't use wxWidgets for Windows build.
2024-09-17 00:12:28 +02:00
Deniz Türkoglu
e0a46f6b2b Add Option to Enable/Disable Screen Capture (#1418)
Veracrypt currently appears in screenshots and screen captures,
which can unintentionally expose sensitive information, such as
the fact that Veracrypt is running or the location of your volumes.

Both Windows and macOS offer mechanisms to exclude specific windows
from being captured. While not foolproof, this is a useful preventative
measure. The method is a no-op for Linux/FreeBSD.

For more details on the wxWidgets API, see:
https://docs.wxwidgets.org/3.2/classwx_top_level_window.html#a337b9cec62b0cbd3b1b1545a83270f64
2024-09-17 00:05:21 +02:00
Mounir IDRASSI
d6f0250901 Linux/MacOSX: Only load valid XML language files (Language.langid.xml format with langid one of the predefined language identifiers) 2024-08-25 09:36:38 +02:00
Mounir IDRASSI
25c88fe3d3 Revert "Add Hausa translation (#1404)" (#1407)
This reverts commit ce9537f2b8.
2024-08-22 06:53:26 +02:00
Marius Kjærstad
ce9537f2b8 Add Hausa translation (#1404) 2024-08-21 20:20:46 +02:00
Marius Kjærstad
75b2512dba Add Norwegian Bokmål translation (#1382)
* Add Norwegian Bokmål translation

* Fix Norwegian Bokmål translation
2024-08-03 05:52:44 +02:00
Mounir IDRASSI
ed1263bf8c Implement detection of volumes with vulnerable XTS master key.
If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
2024-08-02 00:20:53 +02:00
Mounir IDRASSI
1ee93df3b4 Linux: fix linker type confusion that was causing crash.
The class AdminPasswordRequestHandler was defined in several places in the same namespace and the linker was picking up one definition for constructor and the other one when calling virtual method.

Now we use different names for different implementations.
2024-07-13 10:14:52 +02:00
Mounir IDRASSI
526f03100f Linux: fix typo 2024-07-10 12:09:57 +02:00
Mounir IDRASSI
1312c537f5 Linux: fix crash when displaying Admin password dialog. Fix failure of Github action by using builtin GITHUB_TOKEN 2024-07-10 11:09:10 +02:00
Mounir IDRASSI
f83e252722 Linux/FreeBSD: Improve build scripts for Linux/FreeBSD to have correct name for generic GUI installer 2024-07-05 12:15:13 +02:00
Mounir IDRASSI
9697416919 Linux: Make the C++ code compatible with old compilers (g++ 4.4.7 on CentOS 6) 2024-06-30 01:22:05 +02:00
Mounir IDRASSI
34c4c19517 Linux/FreeBSD: Fix GNU Make syntax error in Main.make 2024-06-26 09:54:56 +02:00
Mounir IDRASSI
31898a38d4 Linux/FreeBSD: use GTK3 flavor for default generic gui installer. create GTK2 specific gui installer. 2024-06-26 02:23:57 +02:00
Mounir IDRASSI
0ea32b02b9 MacOSX: Fix compiler warning
Update friend declaration in FuseService.h and refactor GetCharWidth to ComputeCharWidth in WaitDialog.h to avoid hiding GetCharWidth inherited from wxWindow
2024-06-23 22:43:14 +02:00
Mounir IDRASSI
875a1da0fb macOSX: Add "FUSE-T build" in About dialog when linking against FUSE-T instead of MacFUSE 2024-06-23 12:50:40 +02:00
Mounir IDRASSI
423352056e Update copyright date in some files 2024-06-23 12:49:08 +02:00
Mounir IDRASSI
edde1d45f6 MacOSX: Add for using FUSE-T instead of MacFUSE
The build script build_veracrypt_macosx.h now accepts the argument -f to enable fuse-t support.
It is also possible to set the environment variable VC_OSX_FUSET to 1 for FUSE-T support.
A change was done in CoreUnix::GetMountedVolumes to add a waiting loop for control file to be accessible because when using FUSE-T there is always a delay before control file can be serialized.
2024-06-22 01:13:20 +02:00
Mounir IDRASSI
779d755eac fix: Correct missing 'endif' in Main.make for MacOSX section
Replaced an incorrect 'end' statement with 'endif' in the
MacOSX-specific section of the Main.make file. This resolves the make
error caused by an unclosed conditional block.
2024-06-18 23:36:16 +02:00
Mounir IDRASSI
978ebe6693 MacOSX: Fix skipping codesign and productsign for local development build 2024-06-16 15:10:57 +02:00
Deniz Türkoglu
406a1686f5 Improve and simplify macOS builds (#1276)
* Add missing macOS requirement for 'make package'

We need packages for the last build step on macOS, update docs
to reflect the requirement.

* Add build instructions using homebrew

On macOS, we can use a package manager to easily install
dependencies. This simplifies onboarding and building Veracrypt.

* Add flag to use homebrew packages

When building, we can use prebuilt wxwidgets from homebrew to
simplify and speed up local building. We also put the package
behind a flag as it's optional during development.

* Skip signing for local builds

When building with homebrew, skip signing. This can be put behind
a flag to enable, if needed.

* Use system yasm on macOS if available

The binary in the repo is not universal (x86_64) and therefore
building fails on arm architecture if Rosetta is not installed.

Use local yasm if available.

* Build local arch only in development

When building via homebrew and locally, build only the local arch
which skips ASM for arm(Mx) for MacOS. This removes the need to
have rosetta installed for building.

* Fix compilation issue when COMPILE_ASM is undefined

Use a conditional check for COMPILE_ASM not being false instead of true.
This avoids passing the variable to other parts of the build script.

* Set SDK 12 as the minimum requirement and target

Align the requirement to SDK 12 in both the makefile and script,
and update the comment to remove confusion.
I chose to leave this on 12 to be on the side of err and support
as many building platforms as possible, when we can support.

The local script now also sets the target using the local sdk
version. This should improve the local development experience.

* Fix wrong architecture for macOS in x86 builds

We now build only the current arch for local development builds
in macOS. This change also fixes the x86 builds failing.

* Add instructions brew backed macOS local builds

Flags to build a local build using homebrew packages are not
default and require parameter -b to build. We also don't build
packages directly, which requires -p.

* Fix wxwidgets not linking in local x86 macOS development builds

* Clarify build location in the document
2024-06-16 10:39:18 +02:00
Mounir IDRASSI
455a4f2176 Avoid conflict with C++17 features std::byte by using uint8 type instead of byte 2024-06-12 12:30:04 +02:00
Jertzukka
bf9f3ec4f0 Avoid assert by verifying installed languages exist (#1354)
wxDir::GetAllFiles will throw an assert when opening the preferences dialog
if for some reason the user has not installed VeraCrypt properly and is
missing the intended folder. This patch adds a check to ensure the folder
first exists before querying its files.
2024-06-03 23:10:53 +02:00
Jertzukka
ea7489b93b FreeBSD: Support automatic detection and mounting of ext2/3/4, exFAT, NTFS filesystems (#1350) 2024-06-03 15:57:46 +02:00
Jertzukka
114624b3a5 Prepare for changes in wxWidgets 3.3 (#1343)
* Move from deprecated wxScopedPtr to std::unique_ptr
wxScopedPtr was included previously through some header hierarchy which as of 3.3 is
no longer the case causing it to break. But instead of including a header for a deprecated
function explicitly, just move to std::unique_ptr as recommended by upstream.

* Convert to explicit conversions from wxString
As of 35c35c235e
wxWidgets defaults to STL classes, which has a side-effect that
some implicit conversions break. This patch converts those conversions
to explicit in anticipation of wxWidgets 3.3 release.
2024-05-18 03:46:39 +02:00
Jertzukka
55c3a8dc58 Fix incorrect max hidden volume size for file containers on CLI (#1338)
Currently the maximum hidden volume size for file containers is
limited by available free space on the device the file container
resides on, which we do not care about. This commit changes so
that only Normal volumes get their `maxVolumeSize` limited by
`AvailableDiskSpace`. Also the --size=max parameter is restricted
from hidden volume creation as there is no way to determine a good
size as we do not mount the outer volume through the CLI process
flow to determine available free space on the outer volume.
2024-05-08 19:00:09 +02:00
Jertzukka
f846a808d1 Correct exceptions to match the correct language strings (#1299)
Fixes the order of the language strings to match the correct
exceptions.
2024-04-10 17:58:37 +02:00
Jertzukka
dc8d8ce404 Unix CLI: Don't initially re-ask PIM if it was already specified (#1288)
We don't need to reset PIM in PasswordException as it is immediately
fallen back to if PIM is specified in text mode, but password is not.
This causes an exception that resets the PIM when it shouldn't.
2024-04-10 10:44:01 +02:00
Jertzukka
801c3ab966 Linux: Allows GUI to launch in a Wayland-only environment (#1264)
Currently we check whether the system has DISPLAY environment variable
set, which is the case in a system that uses X11 natively or XWayland.
This variable is not set in a system with only Wayland, so we need to
also check whether WAYLAND_DISPLAY is set.

Fixes: #184
2023-12-11 09:11:07 +01:00
Jertzukka
ff93a6021f macOS: Fix near zero width PIM input box and simplify wxTextValidator logic (#1274)
* macOS: Fix issue where PIM box has no width in Wizard
VolumePimTextCtrl has a problem with width on macOS which
we can fix by adjusting the proportions of the elements
inside the PimSizer, which seems like a better solution than
using a forced minimum size in pixels.

Adjacent, simplifies the validator logic for digits in PIM field.

Fixes #1219
2023-12-11 09:06:33 +01:00
Jertzukka
6a1780864c Linux/FreeBSD/macOS: Implement language selection settings (#1253)
* Implement Language selection into settings
Initial commit to create a new tab in PreferencesNotebook for
Language selection. By default, if nothing is chosen, it uses the
current behaviour of using the language from system environment
variables. If another language is chosen from the settings, it is
saved into the Configuration.xml and this is used instead.

* Fix SetStringSelection() assert issue on macOS

* Add header include to fix build

* Add current language pack, authors and way to use literal strings

* Translations also for FreeBSD

* Minimal GTK3 WX build on FreeBSD requires wxGraphicsContext

* Get Preferences properly instead of workaround function

* Use WrapSizer instead of BoxSizer for author line
This forces long author lists to be put on a new line, reducing
the need to increase window width.

* Update Finnish translation

* Borrow translation from IDM_LANGUAGE where it makes sense

* Remove colon and thus unneeded function

* Simplify Language tab layout

* Reintroduce macOS specific fixes to Forms.cpp

* cleanup
2023-11-19 00:31:40 +01:00
lealem47
9247ce1bb9 wolfCrypt as crypto backend for VeraCrypt (#1227)
* wolfCrypt as crypto backend for VeraCrypt

* Refactor to use EncryptionModeWolfCryptXTS class
2023-11-13 00:51:31 +01:00
Jertzukka
91b47deb0e Linux: Focus PIM field when selected (#1239)
Sets focus to VolumePimTextCtrl initially when the checkbox is clicked.
2023-10-31 00:08:41 +01:00
kovalev0
847abb23f0 Fix warnings and throwing an exception instead of ignoring the error (#1229)
* EMVCard.cpp: ArrayToHexWideString: prohibit conversion of a string constant

../Common/EMVCard.cpp: In function 'std::wstring VeraCrypt::ArrayToHexWideString(con
st unsigned char*, size_t)':
../Common/EMVCard.cpp:28:43: warning: ISO C++ forbids converting a string constant
to 'wchar_t*' [-Wwrite-strings]
   28 |                 static wchar_t* hexChar = L"0123456789ABCDEF";
      |                                           ^~~~~~~~~~~~~~~~~~~

Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>

* EMVCard.cpp: ArrayToHexWideString: fix of the comparison of different types

../Common/EMVCard.cpp: In function 'std::wstring VeraCrypt::ArrayToHexWideString(con
st unsigned char*, size_t)':
../Common/EMVCard.cpp:32:43: warning: comparison of integer expressions of different
 signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-Wsign-compare]
   32 |                         for (int i = 0; i < cbData; i++)
      |                                         ~~^~~~~~~~

Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>

* SecurityTokenKeyfilesDialog.cpp: removed initialization of an unused variable

Forms/SecurityTokenKeyfilesDialog.cpp:58:24: warning: unused variable 'i' [-Wunused-
variable]
   58 |                 size_t i = 0;
      |                        ^

Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>

* Core/Unix: throwing an exception instead of ignoring the error

Fixes: 5a6b445f ("fix warnings and UB (#1164)")
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>

---------

Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Co-authored-by: Vasiliy Kovalev <kovalev@altlinux.org>
2023-10-08 15:36:15 +02:00
Mounir IDRASSI
42857b4930 Update various copyright dates 2023-10-05 09:07:35 +02:00
sardanap
01b49a2017 fix for corrupted icons (#1226) 2023-10-05 00:08:07 +02:00