Date: Wed, 9 Nov 2011 15:03:38 -0800
From: Nick Kralevich <>
Subject: Re: Re: CVE request: Android: vold stack buffer overflow

Hi Kurt / Dan,

Nick Kralevich here from the Android security team.

Google is a CNA (CVE Numbering Authority), and we've already assigned
this vulnerability CVE-2011-3874. To avoid confusion, I would
appreciate it if CVE-2011-3874 would be considered the authoritative
CVE for this vulnerability, and CVE-2011-4123 should be marked as a
duplicate. More information on the vold vulnerability, including a
patch, can be found at

For the record, Google maintains several security contact mailing
lists.  In general, you can reach Google security by e-mailing or visiting

For Android specific security issues, the preferred e-mail address is, or you can visit

For Chrome specific security issues, the preferred e-mail address is, or you can visit

In general, e-mailing will eventually get to
Chrome or Android, although it's faster to contact the product
specific security alias first.

Because Google is a CNA, we maintain our own pool of CVEs from Mitre.
Any of the addresses above can issue CVEs for Google related

-- Nick Kralevich
   Android Security Team

> On 11/08/2011 06:08 AM, Dan Rosenberg wrote:
> > On Tue, Nov 8, 2011 at 8:03 AM, Dan Rosenberg <> wrote:
> >> A local user with group "log" on Android may send a malformed message
> >> to vold ("volume daemon"), causing a stack buffer overflow.  This has
> >> been demonstrated to be exploitable to escalate privileges to root on
> >> all Froyo (2.2.x) and Gingerbread (2.4.x)  devices via freeing an
> >> arbitrary heap object and triggering a use-after-free condition [1].
> >> It appears the bug was silently patched in Honeycomb (3.x), but note
> >> that since Honeycomb is not open source, it does not fall within the
> >> scope of this list.  Bug discovered and exploited by the Revolutionary
> >> team [2].
> >>
> > Oops, a few minor corrections.
> >
> > Typo: Gingerbread is 2.3.x.  Also, the vulnerability actually lives in
> > the libsysutils library, and was demonstrated to be exploitable via
> > vold, which makes use of the affected library function.  Sorry for the
> > noise.
> >
> >> -Dan
> >>
> >> [1]
> >> [2]
> >>
> Please use CVE-2011-4123 for this issue.
> --
> -Kurt Seifried / Red Hat Security Response Team
