Date: Wed, 9 Nov 2011 15:03:38 -0800
From: Nick Kralevich <nnk@...gle.com>
To: oss-security@...ts.openwall.com, kseifried@...hat.com
Cc: dan.j.rosenberg@...il.com
Subject: Re: Re: CVE request: Android: vold stack buffer overflow

Hi Kurt / Dan,

Nick Kralevich here from the Android security team. Google is a CNA
(CVE Numbering Authority), and we've already assigned this vulnerability
CVE-2011-3874. To avoid confusion, I would appreciate it if CVE-2011-3874
would be considered the authoritative CVE for this vulnerability, and
CVE-2011-4123 should be marked as a duplicate.

More information on the vold vulnerability, including a patch, can be
found at http://code.google.com/p/android/issues/detail?id=21681

For the record, Google maintains several security contact mailing lists.
In general, you can reach Google security by e-mailing security@...gle.com
or visiting http://www.google.com/about/corporate/company/security.html

For Android specific security issues, the preferred e-mail address is
security@...roid.com, or you can visit
http://developer.android.com/resources/faq/security.html#issue

For Chrome specific security issues, the preferred e-mail address is
security@...omium.org, or you can visit
http://dev.chromium.org/Home/chromium-security/reporting-security-bugs

In general, e-mailing security@...gle.com will eventually get to Chrome
or Android, although it's faster to contact the product specific security
alias first.

Because Google is a CNA, we maintain our own pool of CVEs from Mitre. Any
of the addresses above can issue CVEs for Google related vulnerabilities.

Thanks!

--
Nick Kralevich
Android Security Team

> On 11/08/2011 06:08 AM, Dan Rosenberg wrote:
> > On Tue, Nov 8, 2011 at 8:03 AM, Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
> >> A local user with group "log" on Android may send a malformed message
> >> to vold ("volume daemon"), causing a stack buffer overflow. This has
> >> been demonstrated to be exploitable to escalate privileges to root on
> >> all Froyo (2.2.x) and Gingerbread (2.4.x) devices via freeing an
> >> arbitrary heap object and triggering a use-after-free condition.
> >> It appears the bug was silently patched in Honeycomb (3.x), but note
> >> that since Honeycomb is not open source, it does not fall within the
> >> scope of this list. Bug discovered and exploited by the Revolutionary
> >> team.
> >>
> > Oops, a few minor corrections.
> >
> > Typo: Gingerbread is 2.3.x. Also, the vulnerability actually lives in
> > the libsysutils library, and was demonstrated to be exploitable via
> > vold, which makes use of the affected library function. Sorry for the
> > noise.
> >
> >> -Dan
> >>
> >>  https://github.com/revolutionary/zergRush/blob/master/zergRush.c
> >>  http://revolutionary.io/
> >>
> Please use CVE-2011-4123 for this issue.
>
> --
>
> -Kurt Seifried / Red Hat Security Response Team
>
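Editor's added example (not code from the thread, the Android tree or the
linked patch): the bug class Dan describes above, a daemon that reads a
text command from a less-privileged local client, splits it into a
fixed-size argv[] on the stack and dispatches it. The names, the limits
CMD_ARGS_MAX and CMD_BUF_SIZE, the message format and the sample messages
are assumptions for illustration; the page does not say how libsysutils
itself is written. The vulnerable parser is shown beside a hardened one
that rejects a message before any out-of-bounds write can happen.

```c
#include <stdio.h>
#include <string.h>

#define CMD_ARGS_MAX 8    /* assumed argv[] capacity for the example */
#define CMD_BUF_SIZE 64   /* assumed copy buffer size for the example */

/* Vulnerable form (for contrast only, never call it on untrusted input):
 * the copy into buf[] is bounded, but the token loop never compares
 * argc with the capacity of argv[], so a message with more than
 * CMD_ARGS_MAX space-separated words writes pointers past the end of
 * a stack array, which is exactly a stack buffer overflow reachable
 * from a malformed message. */
int dispatch_vulnerable(const char *msg)
{
    char buf[CMD_BUF_SIZE];
    char *argv[CMD_ARGS_MAX];
    int argc = 0;

    strncpy(buf, msg, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *p = strtok(buf, " "); p; p = strtok(NULL, " "))
        argv[argc++] = p;             /* no bound on argc */
    return argc;
}

struct command {
    char buf[CMD_BUF_SIZE];
    char *argv[CMD_ARGS_MAX];
    int argc;
};

/* Hardened form: every write into buf[] and argv[] is checked against
 * the array size, and an over-long or over-populated message is
 * rejected as a whole instead of being partially processed.
 * Returns 0 on success, -1 if the message does not fit in buf[],
 * -2 if it has more than CMD_ARGS_MAX arguments, -3 if it is empty. */
int parse_command(const char *msg, struct command *cmd)
{
    size_t len = strlen(msg);

    if (len >= sizeof(cmd->buf))
        return -1;
    memcpy(cmd->buf, msg, len + 1);   /* length already checked */

    cmd->argc = 0;
    for (char *p = strtok(cmd->buf, " "); p; p = strtok(NULL, " ")) {
        if (cmd->argc >= CMD_ARGS_MAX)
            return -2;                /* the check the loop above lacks */
        cmd->argv[cmd->argc++] = p;
    }
    return cmd->argc == 0 ? -3 : 0;
}

int main(void)
{
    /* Constructed sample messages, not real vold traffic. */
    const char *ok    = "volume mount /mnt/sdcard";
    const char *flood = "a b c d e f g h i j";   /* 10 tokens > CMD_ARGS_MAX */
    struct command cmd;
    int rc;

    rc = parse_command(ok, &cmd);
    printf("ok:    rc=%d argc=%d\n", rc, cmd.argc);
    rc = parse_command(flood, &cmd);
    printf("flood: rc=%d (rejected before any out-of-bounds write)\n", rc);
    return 0;
}
```

The point of the hardened version is that the bound is enforced at the
write, not inferred from the buffer copy: a 64-byte buffer can still hold
up to 32 one-character tokens, so a bounded strncpy() does nothing to
protect an 8-entry argv[]. Running the daemon as root while the socket is
reachable by an unprivileged group is what turns the parser bug into the
privilege escalation described in the thread, so a fix should be paired
with a review of who may write to that socket.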