Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?

[Kees Cook <kees () ubuntu com>]

On Fri, Oct 25, 2019 at 11:23:09PM +0200, Moritz Mühlenhoff wrote:
> Android advisories used to contain commit references to AOSP change sets, but
> that's not the case for https://source.android.com/security/bulletin/android-10.
>
> Typically most of these issues are specific to Android, but there are a few which
> per the CVE description are possibly affecting software packaged/used by Linux
> distros as well, one example:

Normally the advisories should link back to actual details, but I guess
this doesn't always happen.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9325:
> "In libvpx, there is a possible out of bounds read due to a missing bounds check.
> This could lead to remote information disclosure with no additional execution
> privileges needed. "

https://chromium-review.googlesource.com/c/webm/libvpx/+/1149604

> Similar for CVE-2019-9232,

https://chromium-review.googlesource.com/c/webm/libvpx/+/1395793

> CVE-2019-9278,

https://android.googlesource.com/platform/external/libexif/+/a5e8e5812a11ec9686294de8a5d68aaf2ab72475%5E%21/#F0

> CVE-2019-9371,

https://chromium.googlesource.com/webm/libwebm/+/cb5a9477073cf7ae4a28356d6e3e5638aba78dc9%5E%21/#F0
https://chromium.googlesource.com/webm/libwebm/+/027a472efe49ff3a24be619442d2150658dbaaa0%5E%21/#F0

> CVE-2019-9433,

https://chromium-review.googlesource.com/c/webm/libvpx/+/1070753

> CVE-2019-9423 (also libexif and opencv)

This one I can't find an external reference for. I've asked for more
details internally.

> Is there anyone from Android/Google on the list, who can comment on this? Can these
> references be added again for the benefit of non-Android distros?

Thank you Moritz for pinging me off-list! :)

-- 
Kees Cook