[Android-tools-devel] Bug#858177: not affected

Moritz Mühlenhoff jmm at inutil.org
Tue Mar 28 21:44:41 UTC 2017


On Tue, Mar 21, 2017 at 09:12:28PM +0100, Hans-Christoph Steiner wrote:
> 
> Almost all of the Android CVEs are for the Android OS, not the Android
> SDK.  The tricky part is that they are built from the same source tree.
> Another thing to note is that some of the Android SDK libs used in the
> SDK run at elevated privileges in Android OS, but not when part of the
> SDK.  So there is a whole class of exploits that are irrelevant to the
> SDK.  And we haven't packaged any part of the Android SDK that interacts
> with the network, so anything saying "remote code execution on Android"
> seems unlikely to be relevant.
> 
> So anyone who wants to look out for these should only look for CVEs that
> affect the Android SDK, not Android, e.g.
> https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-13517/Google-Android-Sdk.html
> 
> CVE-2016-3861 - not affected
> * no remote access
> * nothing runs as a privileged process
> * some affected files not included in any Debian package:
>   * libs/binder/Parcel.cpp
>   * media/libmediaplayerservice/MediaPlayerService.cpp
> * looks worth fixing as a usability bug
> 
> CVE-2016-3885 - not affected
> * debuggerd/debuggerd.cpp is not included in any Debian package
> * the whole debuggerd is not packaged
> 
> CVE-2016-3921 - not affected
> * libsysutils/src/FrameworkListener.cpp is not included in any Debian
> package
> * the whole libsysutils is not packaged

Thanks. I'll update the security tracker on those.

> So my question to you is: how can we make it easier to ignore these?  I
> think it's safe to ignore Android CVEs, since there have been some
> separate Android SDK CVEs.  I can't think of a security bug in Android
> that has affected the SDK in any significant way.

I'd say for the next Android security bulletin, we simply run this by
you and the other Debian Android maintainer and we then let you comment?

And somewhat related, is there a security contact for Android who
is able to answer technical questions?

There's a number of CVE IDs in the Android bulletins, which might
potentially affect the standard Linux kernel and we'd like clarification:
https://security-tracker.debian.org/tracker/CVE-2017-0508
https://security-tracker.debian.org/tracker/CVE-2017-0507
https://security-tracker.debian.org/tracker/CVE-2017-0427
https://security-tracker.debian.org/tracker/CVE-2016-6753
https://security-tracker.debian.org/tracker/CVE-2016-3803
https://security-tracker.debian.org/tracker/CVE-2016-3802
https://security-tracker.debian.org/tracker/CVE-2016-3775

Cheers,
        Moritz
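The triage applied above (does any affected source file ship in a Debian package, and does the bug depend on a remote vector or a privileged process that the SDK tools never have?) can be encoded so that each new Android bulletin is checked the same way. The following is an added example, not code from the thread or from the Debian android-tools packaging; the `PACKAGED_SOURCES` set, the `CveRecord` fields and the `CVE-XXXX-0000` entry are constructed sample data, and a real run would derive the packaged-file set from the actual packaging rather than from the literals here.

```python
"""Triage helper for Android OS CVEs against Debian android-tools packages.

Added example (not part of the mailing-list thread). It encodes the three
criteria from the thread: whether an affected source file is shipped by any
Debian package, whether the bug needs a remote vector, and whether it relies
on running as a privileged process. All package and CVE data below is
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CveRecord:
    cve_id: str
    affected_files: list[str] = field(default_factory=list)
    remote: bool = False       # exploitation needs network-reachable code
    privileged: bool = False   # exploitation relies on an elevated process


# Constructed stand-in for the union of AOSP source files that the Debian
# android-tools binary packages are actually built from. In practice this
# would be generated from the packaging (e.g. the sources listed in
# debian/rules or the file lists of the built packages), not typed by hand.
PACKAGED_SOURCES: frozenset[str] = frozenset({
    "adb/adb.cpp",
    "fastboot/fastboot.cpp",
    "libziparchive/zip_archive.cc",
})

# Sample records: the three CVEs from the thread with the paths it names,
# plus one constructed placeholder that touches a packaged file so the
# "needs review" branch is exercised.
SAMPLE_CVES: dict[str, CveRecord] = {
    "CVE-2016-3861": CveRecord(
        "CVE-2016-3861",
        ["libs/binder/Parcel.cpp",
         "media/libmediaplayerservice/MediaPlayerService.cpp"],
        remote=True, privileged=True),
    "CVE-2016-3885": CveRecord("CVE-2016-3885", ["debuggerd/debuggerd.cpp"],
                               privileged=True),
    "CVE-2016-3921": CveRecord("CVE-2016-3921",
                               ["libsysutils/src/FrameworkListener.cpp"],
                               privileged=True),
    # Placeholder id, constructed for the example only.
    "CVE-XXXX-0000": CveRecord("CVE-XXXX-0000", ["adb/adb.cpp"]),
}


def triage(cve: CveRecord,
           packaged: frozenset[str] = PACKAGED_SOURCES) -> tuple[str, list[str]]:
    """Return (verdict, reasons).

    verdict is "not affected" when none of the affected files is shipped by
    a Debian package, otherwise "needs review". The remote/privileged flags
    are recorded as reasons because, per the thread, the SDK tools ship no
    network-facing code and never run with elevated privileges, so those
    preconditions lower the practical impact even when a file is packaged.
    """
    reasons: list[str] = []
    shipped = sorted(f for f in cve.affected_files if f in packaged)
    missing = sorted(f for f in cve.affected_files if f not in packaged)
    for f in missing:
        reasons.append(f"{f} is not included in any Debian package")
    if cve.remote:
        reasons.append("remote vector: no packaged SDK component is network-facing")
    if cve.privileged:
        reasons.append("privileged-process precondition: nothing in the SDK runs elevated")
    if not shipped:
        return "not affected", reasons
    reasons.insert(0, "packaged files affected: " + ", ".join(shipped))
    return "needs review", reasons


def triage_all(records: dict[str, CveRecord] = SAMPLE_CVES) -> dict[str, str]:
    """Map each CVE id to its verdict, for pasting into a bulletin reply."""
    return {cve_id: triage(rec)[0] for cve_id, rec in records.items()}


if __name__ == "__main__":
    for cve_id, rec in SAMPLE_CVES.items():
        verdict, reasons = triage(rec)
        print(f"{cve_id} - {verdict}")
        for r in reasons:
            print(f"* {r}")
```

The output format mirrors the bullet list used in the thread so a maintainer can paste the result straight into a reply; the only judgement the script does not make for you is whether a packaged file's bug is reachable at all without the OS-side preconditions, which is why anything shipped is left as "needs review" rather than auto-closed.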
