oss-sec mailing list archives
Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?
From: Kees Cook <kees () ubuntu com>
Date: Thu, 7 Nov 2019 10:28:04 -0800
On Fri, Oct 25, 2019 at 11:23:09PM +0200, Moritz Mühlenhoff wrote:
> Android advisories used to contain commit references to AOSP change sets, but that's not the case for https://source.android.com/security/bulletin/android-10. Typically most of these issues are specific to Android, but there are a few which per the CVE description are possibly affecting software packaged/used by Linux distros as well, one example:

Normally the advisories should link back to actual details, but I guess this doesn't always happen.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9325: "In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed."

https://chromium-review.googlesource.com/c/webm/libvpx/+/1149604

> Similar for CVE-2019-9232,

https://chromium-review.googlesource.com/c/webm/libvpx/+/1395793

> CVE-2019-9278,

https://android.googlesource.com/platform/external/libexif/+/a5e8e5812a11ec9686294de8a5d68aaf2ab72475%5E%21/#F0

> CVE-2019-9371,

https://chromium.googlesource.com/webm/libwebm/+/cb5a9477073cf7ae4a28356d6e3e5638aba78dc9%5E%21/#F0
https://chromium.googlesource.com/webm/libwebm/+/027a472efe49ff3a24be619442d2150658dbaaa0%5E%21/#F0

> CVE-2019-9433,

https://chromium-review.googlesource.com/c/webm/libvpx/+/1070753

> CVE-2019-9423 (also libexif and opencv)

This one I can't find an external reference for. I've asked for more details internally.

> Is there anyone from Android/Google on the list, who can comment on this? Can these references be added again for the benefit of non-Android distros?

Thank you Moritz for pinging me off-list! :)

-- 
Kees Cook