
List:       oss-security
Subject:    Re: [oss-security] Security fixes from Android 10 release which are relevant outside the Android eco
From:       Stiepan <stie () protonmail ! ch>
Date:       2019-10-26 22:44:16
Message-ID: NdwFuQOPjKC52xswSya1RvTkfft8C51AgZmmfCHmCTam-k3vqW8IlM0Gqm-Q2jCXB_uH4YWL4MAOjSiGOCaaHVR4jmlNu7r1so9j4Yi40bU= () protonmail ! ch



As someone who used Android & did my studies on how to secure it and what was missing for that, I can say that Androids still dream of electric blowfishes - or rather threefish-512 ;) - and will do so for a while, especially now that the only part that was open seems to be no more. By that virtue, it lost the biggest advantage it had versus the better polished iOS. And doing that helps red-scarfed black-hats, who can hack into most of the open-source Android variants, which would not be the case if the latter had access to up to date, well-vetted security infos (unlike that late 2018 fix that made it even more vulnerable), and that extends to linux-distros by the by. Embargoes are bad. Sure, that made me buy an iPhone, which is good commercially for Apple and I salute their privacy makeup*, but being forced to do so as the collateral victim of a trade war is less cool.

*as in definition 6 of the wordreference entry for that word, "A special examination for a student who has been absent ...".

------- Original Message -------
On Friday, October 25, 2019 11:23 PM, Moritz Mühlenhoff <jmm@inutil.org> wrote:

> Android advisories used to contain commit references to AOSP change sets, but
> that's not the case for https://source.android.com/security/bulletin/android-10.
>
> Typically most of these issues are specific to Android, but there are a few which
> per the CVE description are possibly affecting software packaged/used by Linux
> distros as well, one example:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9325:
> "In libvpx, there is a possible out of bounds read due to a missing bounds check.
> This could lead to remote information disclosure with no additional execution
> privileges needed."
>
> Similar for CVE-2019-9232, CVE-2019-9278, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433,
> CVE-2019-9423 (also libexif and opencv)
>
> Is there anyone from Android/Google on the list, who can comment on this? Can these
> references be added again for the benefit of non-Android distros?
>
> Cheers,
> Moritz


