[Android-tools-devel] Bug#688280: reassign 688280 to adb
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 27 19:01:41 UTC 2016
Hi Fathi!
On Tue, Dec 27, 2016 at 07:33:45PM +0200, Fathi Boudra wrote:
> Hi,
>
> On Tue, Dec 27, 2016 at 3:03 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Hi Moritz,
> >
> > On Tue, Dec 27, 2016 at 12:48:34PM +0100, Moritz Mühlenhoff wrote:
> >> On Wed, Dec 21, 2016 at 08:49:00PM +0200, Fathi Boudra wrote:
> >> > Hi,
> >> >
> >> > On Wed, Dec 21, 2016 at 4:59 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> >> > > Hi
> >> > >
> >> > > On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote:
> >> > >> reassign 688280 adb
> >> > >> thanks
> >> > >
> >> > > Is this reassign correct? Paul Wise in
> >> > > https://bugs.debian.org/688280#14 already did clone the bug to
> >> > > reassign it for the android-platform-system-core source package.
> >> > >
> >> > > So there should still be
> >> > >
> >> > > #688280 for src:android-tools
> >> > > #823792 for src:android-platform-system-core
> >> >
> >> > You're right. Jessie src:android-tools is still affected.
> >>
> >> Which version fixed this for src:android-tools in unstable?
> >
> > Not yet for unstable for src:android-tools. I recently updated the
> > security-tracker information as:
> >
> > - android-tools <unfixed> (bug #688280) <-- still unfixed
> > - android-platform-system-core 1:7.0.0+r1-1 (bug #823792)
> >
> > src:android-tools as per current version in unstable still has:
> >
> > system/core/adb/adb.c: fd = unix_open("/tmp/adb.log", O_WRONLY | O_CREAT | O_APPEND, 0640);
>
> adb binary in unstable isn't built anymore from src:android-tools,
> only from src:android-platform-system-core.
>
> android-platform-system-core is using 7.x source code and doesn't
> contain fd = unix_open("/tmp/adb.log" anymore:
> https://android.googlesource.com/platform/system/core/+/android-7.0.0_r1/adb/adb.cpp
>
> https://android.googlesource.com/platform/system/core/+/android-5.1.1_r38/adb/adb.c#990
>
> I haven't seen any patch from Google (or anybody else) to fix the 5.x serie.
> Is randomizing the path with mktemp is good enough or should I get rid
> of the log file completely?
> Note: even if the source code code contains the problem, it isn't used
> because we don't build adb at all in android-tools.
Thanks a lot for your comments. So it looks that even if we would be
affected source-wise, since android-tools/5.1.1.r38-1 the
binary-package android-tools-adb which contained /usr/bin/adb is not
built anymore.
I have added a corresponding note to
https://security-tracker.debian.org/tracker/CVE-2012-5564
so that it now reads:
CVE-2012-5564 (android-tools 4.1.1 in Android Debug Bridge (ADB) allows local users ...)
- android-tools <unfixed> (unimportant; bug #688280)
NOTE: Since android-tools/5.1.1.r38-1 the android-tools-adb binary package
NOTE: is not built anymore which used to contain /usr/bin/adb.
NOTE: Package still affected source-wise.
I wouldn't invest much energy though in fixing the issue. The reason
is that due to the kernel hardening
(https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security)
nullifies the symlink attacks, thus /tmp related bugs are marked in
meanwhile as severity "unimportant" in the security-tracker (as you
can see in the entry above).
It is really good that you and your team though have fixed the copy in
android-platform-system-core (bug #823792) via new upstream versions
which fixed that source-wise.
Hope this clarifies the back-and-forth on this issue.
Regards,
Salvatore
More information about the Android-tools-devel
mailing list