Re: [oss-security] Security fixes from Android 10 release which are relevant outside the Android ecosystem?

On Fri, Oct 25, 2019 at 11:23:09PM +0200, Moritz Mühlenhoff wrote:
> Android advisories used to contain commit references to AOSP change sets, but
> that's not the case for https://source.android.com/security/bulletin/android-10.
> Typically most of these issues are specific to Android, but there are a few which
> per the CVE description are possibly affecting software packaged/used by Linux
> distros as well, one example:

Normally the advisories should link back to actual details, but I guess
this doesn't always happen.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9325:
> "In libvpx, there is a possible out of bounds read due to a missing bounds check.
> This could lead to remote information disclosure with no additional execution
> privileges needed."


> Similar for CVE-2019-9232,


> CVE-2019-9278,


> CVE-2019-9371,


> CVE-2019-9433,


> CVE-2019-9423 (also libexif and opencv)

This one I can't find an external reference for. I've asked for more
details internally.

> Is there anyone from Android/Google on the list, who can comment on this? Can these
> references be added again for the benefit of non-Android distros?

Thank you Moritz for pinging me off-list! :)

Kees Cook