On Tue, Mar 21, 2017 at 09:12:28PM +0100, Hans-Christoph Steiner wrote:
>
> Almost all of the Android CVEs are for the Android OS, not the Android
> SDK. The tricky part is that they are built from the same source tree.
> Another thing to note is that some of the Android SDK libs used in the
> SDK run at elevated privileges in Android OS, but not when part of the
> SDK. So there is a whole class of exploits that are irrelevant to the
> SDK. And we haven't packaged any part of the Android SDK that interacts
> with the network, so anything saying "remote code execution on Android"
> seems unlikely to be relevant.
>
> So anyone who wants to look out for these should only look for CVEs that
> affect the Android SDK, not Android, e.g.
> https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-13517/Google-Android-Sdk.html
>
> CVE-2016-3861 - not affected
> * no remote access
> * nothing runs as a privileged process
> * some affected files not included in any Debian package:
>   * libs/binder/Parcel.cpp
>   * media/libmediaplayerservice/MediaPlayerService.cpp
> * looks worth fixing as a usability bug
>
> CVE-2016-3885 - not affected
> * debuggerd/debuggerd.cpp is not included in any Debian package
> * the whole debuggerd is not packaged
>
> CVE-2016-3921 - not affected
> * libsysutils/src/FrameworkListener.cpp is not included in any Debian
>   package
> * the whole libsysutils is not packaged
Thanks. I'll update the security tracker on those.

> So my question to you is: how can we make it easier to ignore these? I
> think it's safe to ignore Android CVEs, since there have been some
> separate Android SDK CVEs. I can't think of a security bug in Android
> that has affected the SDK in any significant way.

I'd say for the next Android security bulletin, we simply run this by you
and the other Debian Android maintainer and we then let you comment?

And somewhat related, is there a security contact for Android who is
able to answer technical questions? There's a number of CVE IDs in the
Android bulletins which might potentially affect the standard Linux
kernel, and we'd like clarification:

https://security-tracker.debian.org/tracker/CVE-2017-0508
https://security-tracker.debian.org/tracker/CVE-2017-0507
https://security-tracker.debian.org/tracker/CVE-2017-0427
https://security-tracker.debian.org/tracker/CVE-2016-6753
https://security-tracker.debian.org/tracker/CVE-2016-3803
https://security-tracker.debian.org/tracker/CVE-2016-3802
https://security-tracker.debian.org/tracker/CVE-2016-3775

Cheers,
Moritz