Bug 1062095 (CVE-2014-1909) - CVE-2014-1909 android-tools: stack-based buffer overflow flaw in Android Debug Bridge (ADB) client
Summary: CVE-2014-1909 android-tools: stack-based buffer overflow flaw in Android Debu...
Alias: CVE-2014-1909
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1062096
TreeView+ depends on / blocked
Reported: 2014-02-06 06:28 UTC by Murray McAllister
Modified: 2019-09-29 13:13 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-21 13:50:28 UTC

Attachments (Terms of Use)
Harden android-tools (1.58 KB, patch)
2014-12-26 19:48 UTC, Jonathan Dieter
no flags Details | Diff
Harden android-tools (1.44 KB, patch)
2014-12-26 19:57 UTC, Jonathan Dieter
no flags Details | Diff

Description Murray McAllister 2014-02-06 06:28:31 UTC
Joshua J. Drake of droidsec.org discovered a stack-based buffer overflow flaw in the ADB client code:


Connecting to a malicious ADB server could result in arbitrary code execution. A patch is available from the above link.

Comment 1 Murray McAllister 2014-02-06 06:31:22 UTC
Created android-tools tracking bugs for this issue:

Affects: fedora-all [bug 1062096]

Comment 2 Murray McAllister 2014-02-06 06:34:36 UTC
http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html also notes a second issue with regards to a lack of hardening (in the "Issue #2 - Lack of hardening when compiling for a host" section).

http://kojipkgs.fedoraproject.org//packages/android-tools/20130123git98d0789/2.fc20/data/logs/x86_64/build.log - I am not familiar with gcc options, but that log does not mention FORTIFY_SOURCE/-fstack-protector-strong --param=ssp-buffer-size=4

Can anyone confirm if we are affected by issue 2?

Comment 3 Murray McAllister 2014-02-06 06:34:51 UTC
CVE requets: http://seclists.org/oss-sec/2014/q1/261

Comment 4 Murray McAllister 2014-02-10 03:51:49 UTC
The "Connecting to a malicious ADB server could result in arbitrary code execution" issue was assigned CVE-2014-1909:


Comment 5 Ivan Afonichev 2014-09-18 20:24:44 UTC
Issue #2 seems to be not android-tools specific but usual recomendations.
In fedora android-tools we use $(RPM_OPT_FLAGS) as CFLAGS so it seems android-tools has not less secure gcc options then othe fedora packages.

Comment 6 Jonathan Dieter 2014-12-26 19:48:27 UTC
Created attachment 973294 [details]
Harden android-tools

Because android-tools runs as a service, it really needs to be hardened according to http://fedoraproject.org/wiki/Packaging:Guidelines#PIE.  The attached patch (built on top of the patch I submitted for #1175475) will do the trick.

Comment 7 Jonathan Dieter 2014-12-26 19:49:56 UTC
(In reply to Jonathan Dieter from comment #6)
> attached patch (built on top of the patch I submitted for #1175475) will do

That's referencing https://bugzilla.redhat.com/show_bug.cgi?id=1175475; not sure why it didn't automatically create a link.

Comment 8 Jonathan Dieter 2014-12-26 19:57:33 UTC
Created attachment 973295 [details]
Harden android-tools

Same as previous with some simplification of the makefiles.  We don't have to manually pass -fPIC as it automatically gets picked up by the _hardened_build macro.

Comment 10 Ivan Afonichev 2015-01-11 16:28:51 UTC
macro seems to be enough

Comment 11 Jonathan Dieter 2015-01-11 16:41:15 UTC
The macro didn't seem to finish the job when I tested it.  Use https://people.redhat.com/sgrubb/files/rpm-chksec to check your RPMs and you'll see what I mean.

I think the problem is that the LDFLAGs don't get changed by the macro, just the CFLAGS.

Comment 12 Ivan Afonichev 2015-01-11 17:45:35 UTC
It seems we need to set
in makefiles.
Macros works well with it.

Comment 13 Jonathan Dieter 2015-01-11 17:47:58 UTC
That would be a far better fix.  I was looking around for that macro, but didn't find it.

Comment 14 Fedora Update System 2015-02-15 03:20:33 UTC
android-tools-20141219git8393e50-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Jonathan Dieter 2015-03-21 13:50:28 UTC
This was fixed in android-tools-20141219git8393e50-2

Note You need to log in before you can comment on or make changes to this bug.