Joshua J. Drake of droidsec.org discovered a stack-based buffer overflow flaw in the ADB client code: http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html Connecting to a malicious ADB server could result in arbitrary code execution. A patch is available from the above link.
Created android-tools tracking bugs for this issue: Affects: fedora-all [bug 1062096]
http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html also notes a second issue with regards to a lack of hardening (in the "Issue #2 - Lack of hardening when compiling for a host" section). http://kojipkgs.fedoraproject.org//packages/android-tools/20130123git98d0789/2.fc20/data/logs/x86_64/build.log - I am not familiar with gcc options, but that log does not mention FORTIFY_SOURCE/-fstack-protector-strong --param=ssp-buffer-size=4 Can anyone confirm if we are affected by issue 2?
CVE requets: http://seclists.org/oss-sec/2014/q1/261
The "Connecting to a malicious ADB server could result in arbitrary code execution" issue was assigned CVE-2014-1909: http://seclists.org/oss-sec/2014/q1/291
Issue #2 seems to be not android-tools specific but usual recomendations. In fedora android-tools we use $(RPM_OPT_FLAGS) as CFLAGS so it seems android-tools has not less secure gcc options then othe fedora packages.
Created attachment 973294 [details] Harden android-tools Because android-tools runs as a service, it really needs to be hardened according to http://fedoraproject.org/wiki/Packaging:Guidelines#PIE. The attached patch (built on top of the patch I submitted for #1175475) will do the trick.
(In reply to Jonathan Dieter from comment #6) > attached patch (built on top of the patch I submitted for #1175475) will do That's referencing https://bugzilla.redhat.com/show_bug.cgi?id=1175475; not sure why it didn't automatically create a link.
Created attachment 973295 [details] Harden android-tools Same as previous with some simplification of the makefiles. We don't have to manually pass -fPIC as it automatically gets picked up by the _hardened_build macro.
macro seems to be enough
The macro didn't seem to finish the job when I tested it. Use https://people.redhat.com/sgrubb/files/rpm-chksec to check your RPMs and you'll see what I mean. I think the problem is that the LDFLAGs don't get changed by the macro, just the CFLAGS.
It seems we need to set LDFLAGS+= $(RPM_LD_FLAGS) in makefiles. Macros works well with it.
That would be a far better fix. I was looking around for that macro, but didn't find it.
android-tools-20141219git8393e50-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This was fixed in android-tools-20141219git8393e50-2