PNG vulnerability

Reply to PNG vulnerability on Mon, 11 Feb 2019 16:23:58 GMT

jezek — Mon, 11 Feb 2019 16:23:58 GMT

@dobey ah, I see... thanks for clearing up.

Reply to PNG vulnerability on Mon, 11 Feb 2019 14:44:54 GMT

dobey — Mon, 11 Feb 2019 14:44:54 GMT

@jezek No, that has nothing to do with the Android container part.

Reply to PNG vulnerability on Sat, 09 Feb 2019 22:18:17 GMT

flohack — Sat, 09 Feb 2019 22:18:17 GMT

No image data is passed through that part of the container, so you are not at risk using UT. Idk why this dependency is in, but probably it could be removed from the lxc container.
BR

Reply to PNG vulnerability on Mon, 11 Feb 2019 16:30:38 GMT

jezek — Mon, 11 Feb 2019 16:30:38 GMT

EDIT: As I was informed by @dobey:

No, that has nothing to do with the Android container part.

So, anything, below this is a bad advice and is not working.
END OF EDIT

@RaphAstronome said in PNG vulnerability:

I tried to rename it but not possible because readonly FS :

to unlock read this:
https://ubports.com/de_DE/blog/ubports-blog-1/post/terminal-chapter-3-124

tldr;

$ sudo mount -o remount,rw /

Reply to PNG vulnerability on Fri, 08 Feb 2019 21:27:22 GMT

dobey — Fri, 08 Feb 2019 21:27:22 GMT

@RaphAstronome said in PNG vulnerability:

A way to remove it ?

The image would need to be re-built without the file, and I don't know if that's doable. However, as I said, I'm pretty certain it's not used.

Also, it's not clear that the vulnerability affects the version of Android which currently supported devices is built upon. So far, everything I can find about this specific vulnerability, is saying Android 7.0-9 only. It would help to have accurate information, rather than vague statements.

Reply to PNG vulnerability on Fri, 08 Feb 2019 19:17:33 GMT

RaphAstronome — Fri, 08 Feb 2019 19:17:33 GMT

@dobey said in PNG vulnerability:

Unless Google releases an update for older Android (4.4, 5.1)

Ok, this will never happens .

I tried to rename it but not possible because readonly FS :

phablet@ubuntu-phablet:/$ sudo -s
[sudo] password for phablet: 
root@ubuntu-phablet:/# cd
root@ubuntu-phablet:~# mv /android/system/lib/libskia.so /android/system/lib/libskia.so.avoid
mv: cannot move '/android/system/lib/libskia.so' to '/android/system/lib/libskia.so.avoid': Read-only file system
root@ubuntu-phablet:~# mv /var/lib/lxc/android/rootfs/system/lib/libskia.so /var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid
mv: cannot move '/var/lib/lxc/android/rootfs/system/lib/libskia.so' to '/var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid': Read-only file system

A way to remove it ?

Thanks,

Reply to PNG vulnerability on Fri, 08 Feb 2019 18:47:57 GMT

dobey — Fri, 08 Feb 2019 18:47:57 GMT

Unless Google releases an update for older Android (4.4, 5.1), it's not likely that file will be updated in UBports. However, I don't think it is used either (though something in the android container may link to it and require its presence).

MMS handling in UT does not use that library.