Bug 1062095 (CVE-2014-1909)
| Summary: | CVE-2014-1909 android-tools: stack-based buffer overflow flaw in Android Debug Bridge (ADB) client | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | unspecified | CC: | ivan.afonichev, jonathan, jrusnack | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-03-21 13:50:28 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 1062096 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
|
Description
Murray McAllister
2014-02-06 06:28:31 UTC
Created android-tools tracking bugs for this issue: Affects: fedora-all [bug 1062096] http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html also notes a second issue with regards to a lack of hardening (in the "Issue #2 - Lack of hardening when compiling for a host" section). http://kojipkgs.fedoraproject.org//packages/android-tools/20130123git98d0789/2.fc20/data/logs/x86_64/build.log - I am not familiar with gcc options, but that log does not mention FORTIFY_SOURCE/-fstack-protector-strong --param=ssp-buffer-size=4 Can anyone confirm if we are affected by issue 2? CVE requets: http://seclists.org/oss-sec/2014/q1/261 The "Connecting to a malicious ADB server could result in arbitrary code execution" issue was assigned CVE-2014-1909: http://seclists.org/oss-sec/2014/q1/291 Issue #2 seems to be not android-tools specific but usual recomendations. In fedora android-tools we use $(RPM_OPT_FLAGS) as CFLAGS so it seems android-tools has not less secure gcc options then othe fedora packages. Created attachment 973294 [details] Harden android-tools Because android-tools runs as a service, it really needs to be hardened according to http://fedoraproject.org/wiki/Packaging:Guidelines#PIE. The attached patch (built on top of the patch I submitted for #1175475) will do the trick. (In reply to Jonathan Dieter from comment #6) > attached patch (built on top of the patch I submitted for #1175475) will do That's referencing https://bugzilla.redhat.com/show_bug.cgi?id=1175475; not sure why it didn't automatically create a link. Created attachment 973295 [details]
Harden android-tools
Same as previous with some simplification of the makefiles. We don't have to manually pass -fPIC as it automatically gets picked up by the _hardened_build macro.
macro seems to be enough The macro didn't seem to finish the job when I tested it. Use https://people.redhat.com/sgrubb/files/rpm-chksec to check your RPMs and you'll see what I mean. I think the problem is that the LDFLAGs don't get changed by the macro, just the CFLAGS. It seems we need to set LDFLAGS+= $(RPM_LD_FLAGS) in makefiles. Macros works well with it. That would be a far better fix. I was looking around for that macro, but didn't find it. android-tools-20141219git8393e50-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. This was fixed in android-tools-20141219git8393e50-2 |