[Android-tools-devel] Bug#858177: not affected

Hans-Christoph Steiner hans at eds.org
Tue Mar 21 20:12:28 UTC 2017


Almost all of the Android CVEs are for the Android OS, not the Android
SDK.  The tricky part is that they are built from the same source tree.
Another thing to note is that some of the Android SDK libs used in the
SDK run at elevated privileges in Android OS, but not when part of the
SDK.  So there is a whole class of exploits that are irrelevant to the
SDK.  And we haven't packaged any part of the Android SDK that interacts
with the network, so anything saying "remote code execution on Android"
seems unlikely to be relevant.

So anyone who wants to look out for these should only look for CVEs that
affect the Android SDK, not Android, e.g.
https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-13517/Google-Android-Sdk.html

CVE-2016-3861 - not affected
* no remote access
* nothing runs as a privileged process
* some affected files not included in any Debian package:
  * libs/binder/Parcel.cpp
  * media/libmediaplayerservice/MediaPlayerService.cpp
* looks worth fixing as a usability bug

CVE-2016-3885 - not affected
* debuggerd/debuggerd.cpp is not included in any Debian package
* the whole debuggerd is not packaged

CVE-2016-3921 - not affected
* libsysutils/src/FrameworkListener.cpp is not included in any Debian
package
* the whole libsysutils is not packaged


So my question to you is: how can we make it easier to ignore these?  I
think it's safe to ignore Android CVEs, since there have been some
separate Android SDK CVEs.  I can't think of a security bug in Android
that has affected the SDK in any significant way.
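The three checks the mail applies to each CVE (does the bug need network exposure, does it need a privileged process, and is any affected upstream file actually shipped by a Debian package) as a small triage helper. This is an added example, not code from the mail or from the android-tools packaging; the file lists come from the mail, while the packaged-file inventory and the package names in it are constructed stand-ins.

```python
"""Triage helper for Android CVEs against the Debian Android SDK packages.

Added example, not part of the original mail.  The packaged-file inventory
below is constructed (with hypothetical package names) so the script runs
offline; in practice it would be built from the upstream paths that the
android-* source packages actually ship.
"""

SDK_HAS_NETWORK = False      # the mail: no networked SDK component is packaged
SDK_RUNS_PRIVILEGED = False  # the mail: SDK libs run unprivileged outside Android OS

# Affected upstream source paths per CVE, as listed in the mail.  The
# remote/privileged flags for CVE-2016-3861 follow the mail's reasoning;
# the other two entries only carry the file paths the mail names.
CVES = {
    "CVE-2016-3861": {"remote": True, "privileged": True, "files": [
        "libs/binder/Parcel.cpp",
        "media/libmediaplayerservice/MediaPlayerService.cpp"]},
    "CVE-2016-3885": {"files": ["debuggerd/debuggerd.cpp"]},
    "CVE-2016-3921": {"files": ["libsysutils/src/FrameworkListener.cpp"]},
}

# Constructed inventory: upstream path -> Debian package that ships it.
PACKAGED = {
    "libs/utils/String8.cpp": "android-libutils-example",  # constructed
    "adb/adb.cpp": "android-tools-adb-example",            # constructed
}


def triage(cve_id, info, packaged):
    """Return (status, reasons) for one CVE in the bullet style of the mail."""
    reasons = []
    exposure_ruled_out = False
    if info.get("remote") and not SDK_HAS_NETWORK:
        reasons.append("no remote access")
        exposure_ruled_out = True
    if info.get("privileged") and not SDK_RUNS_PRIVILEGED:
        reasons.append("nothing runs as a privileged process")
        exposure_ruled_out = True
    shipped = [f for f in info["files"] if f in packaged]
    for f in info["files"]:
        reasons.append(f"{f} is shipped by {packaged[f]}" if f in packaged
                       else f"{f} is not included in any Debian package")
    # Affected only if some file is shipped and no exposure check rules it out.
    status = "not affected" if (not shipped or exposure_ruled_out) else "needs review"
    return status, reasons


def report(cves, packaged):
    """Render the triage of every CVE as the 'CVE - status' / '* reason' text."""
    out = []
    for cve_id, info in cves.items():
        status, reasons = triage(cve_id, info, packaged)
        out += [f"{cve_id} - {status}", *(f"* {r}" for r in reasons), ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(CVES, PACKAGED))
```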
