PNG vulnerability

RaphAstronome

Hi,

On Android a important security hole was be found making PNG dangerous to read (https://thehackernews.com/2019/02/hack-android-with-image.html).
The vulnerable lib seems to be skia (function SkPngCodec).

This lib is present on ubPorts according presence of this files are present :
/var/lib/lxc/android/rootfs/system/lib/libskia.so
/android/system/lib/libskia.so

Is it possible to secure it ?
Is disabling "Enable MMS message" option in Message app avoid risk of beeing hacked with MMS ?

Thanks for promoting (really) free OS.

dobey

Unless Google releases an update for older Android (4.4, 5.1), it's not likely that file will be updated in UBports. However, I don't think it is used either (though something in the android container may link to it and require its presence).

MMS handling in UT does not use that library.

RaphAstronome

@dobey said in PNG vulnerability:

Unless Google releases an update for older Android (4.4, 5.1)

Ok, this will never happens .

I tried to rename it but not possible because readonly FS :

phablet@ubuntu-phablet:/$ sudo -s
[sudo] password for phablet: 
root@ubuntu-phablet:/# cd
root@ubuntu-phablet:~# mv /android/system/lib/libskia.so /android/system/lib/libskia.so.avoid
mv: cannot move '/android/system/lib/libskia.so' to '/android/system/lib/libskia.so.avoid': Read-only file system
root@ubuntu-phablet:~# mv /var/lib/lxc/android/rootfs/system/lib/libskia.so /var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid
mv: cannot move '/var/lib/lxc/android/rootfs/system/lib/libskia.so' to '/var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid': Read-only file system

A way to remove it ?

Thanks,

dobey

@RaphAstronome said in PNG vulnerability:

A way to remove it ?

The image would need to be re-built without the file, and I don't know if that's doable. However, as I said, I'm pretty certain it's not used.

Also, it's not clear that the vulnerability affects the version of Android which currently supported devices is built upon. So far, everything I can find about this specific vulnerability, is saying Android 7.0-9 only. It would help to have accurate information, rather than vague statements.

jezek

EDIT: As I was informed by @dobey:

No, that has nothing to do with the Android container part.

So, anything, below this is a bad advice and is not working.
END OF EDIT

@RaphAstronome said in PNG vulnerability:

I tried to rename it but not possible because readonly FS :

to unlock read this:
https://ubports.com/de_DE/blog/ubports-blog-1/post/terminal-chapter-3-124

tldr;

$ sudo mount -o remount,rw /

flohack

No image data is passed through that part of the container, so you are not at risk using UT. Idk why this dependency is in, but probably it could be removed from the lxc container.
BR

dobey

@jezek No, that has nothing to do with the Android container part.

jezek

@dobey ah, I see... thanks for clearing up.