Navigation

    UBports Robot Logo

    UBports Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Search

    PNG vulnerability

    Support
    4
    8
    303
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      RaphAstronome last edited by RaphAstronome

      Hi,

      On Android a important security hole was be found making PNG dangerous to read (https://thehackernews.com/2019/02/hack-android-with-image.html).
      The vulnerable lib seems to be skia (function SkPngCodec).

      This lib is present on ubPorts according presence of this files are present :
      /var/lib/lxc/android/rootfs/system/lib/libskia.so
      /android/system/lib/libskia.so

      Is it possible to secure it ?
      Is disabling "Enable MMS message" option in Message app avoid risk of beeing hacked with MMS ?

      Thanks for promoting (really) free OS.

      1 Reply Last reply Reply Quote 0
      • dobey
        dobey last edited by

        Unless Google releases an update for older Android (4.4, 5.1), it's not likely that file will be updated in UBports. However, I don't think it is used either (though something in the android container may link to it and require its presence).

        MMS handling in UT does not use that library.

        1 Reply Last reply Reply Quote 0
        • R
          RaphAstronome last edited by RaphAstronome

          @dobey said in PNG vulnerability:

          Unless Google releases an update for older Android (4.4, 5.1)

          Ok, this will never happens 😞 .

          I tried to rename it but not possible because readonly FS :

          phablet@ubuntu-phablet:/$ sudo -s
          [sudo] password for phablet: 
          root@ubuntu-phablet:/# cd
          root@ubuntu-phablet:~# mv /android/system/lib/libskia.so /android/system/lib/libskia.so.avoid
          mv: cannot move '/android/system/lib/libskia.so' to '/android/system/lib/libskia.so.avoid': Read-only file system
          root@ubuntu-phablet:~# mv /var/lib/lxc/android/rootfs/system/lib/libskia.so /var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid
          mv: cannot move '/var/lib/lxc/android/rootfs/system/lib/libskia.so' to '/var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid': Read-only file system
          

          A way to remove it ?

          Thanks,

          dobey jezek 2 Replies Last reply Reply Quote 0
          • dobey
            dobey @RaphAstronome last edited by

            @RaphAstronome said in PNG vulnerability:

            A way to remove it ?

            The image would need to be re-built without the file, and I don't know if that's doable. However, as I said, I'm pretty certain it's not used.

            Also, it's not clear that the vulnerability affects the version of Android which currently supported devices is built upon. So far, everything I can find about this specific vulnerability, is saying Android 7.0-9 only. It would help to have accurate information, rather than vague statements.

            1 Reply Last reply Reply Quote 0
            • jezek
              jezek @RaphAstronome last edited by jezek

              EDIT: As I was informed by @dobey:

              No, that has nothing to do with the Android container part.

              So, anything, below this is a bad advice and is not working.
              END OF EDIT

              @RaphAstronome said in PNG vulnerability:

              I tried to rename it but not possible because readonly FS :

              to unlock read this:
              https://ubports.com/de_DE/blog/ubports-blog-1/post/terminal-chapter-3-124

              tldr;

              $ sudo mount -o remount,rw /
              
              dobey 1 Reply Last reply Reply Quote 0
              • Flohack
                Flohack last edited by

                No image data is passed through that part of the container, so you are not at risk using UT. Idk why this dependency is in, but probably it could be removed from the lxc container.
                BR

                1 Reply Last reply Reply Quote 1
                • dobey
                  dobey @jezek last edited by

                  @jezek No, that has nothing to do with the Android container part.

                  1 Reply Last reply Reply Quote 0
                  • jezek
                    jezek last edited by

                    @dobey ah, I see... thanks for clearing up.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post