PNG vulnerability
-
Hi,
On Android a important security hole was be found making PNG dangerous to read (https://thehackernews.com/2019/02/hack-android-with-image.html).
The vulnerable lib seems to be skia (function SkPngCodec).This lib is present on ubPorts according presence of this files are present :
/var/lib/lxc/android/rootfs/system/lib/libskia.so
/android/system/lib/libskia.soIs it possible to secure it ?
Is disabling "Enable MMS message" option in Message app avoid risk of beeing hacked with MMS ?Thanks for promoting (really) free OS.
-
Unless Google releases an update for older Android (4.4, 5.1), it's not likely that file will be updated in UBports. However, I don't think it is used either (though something in the android container may link to it and require its presence).
MMS handling in UT does not use that library.
-
@dobey said in PNG vulnerability:
Unless Google releases an update for older Android (4.4, 5.1)
Ok, this will never happens
.I tried to rename it but not possible because readonly FS :
phablet@ubuntu-phablet:/$ sudo -s [sudo] password for phablet: root@ubuntu-phablet:/# cd root@ubuntu-phablet:~# mv /android/system/lib/libskia.so /android/system/lib/libskia.so.avoid mv: cannot move '/android/system/lib/libskia.so' to '/android/system/lib/libskia.so.avoid': Read-only file system root@ubuntu-phablet:~# mv /var/lib/lxc/android/rootfs/system/lib/libskia.so /var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid mv: cannot move '/var/lib/lxc/android/rootfs/system/lib/libskia.so' to '/var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid': Read-only file systemA way to remove it ?
Thanks,
-
@RaphAstronome said in PNG vulnerability:
A way to remove it ?
The image would need to be re-built without the file, and I don't know if that's doable. However, as I said, I'm pretty certain it's not used.
Also, it's not clear that the vulnerability affects the version of Android which currently supported devices is built upon. So far, everything I can find about this specific vulnerability, is saying Android 7.0-9 only. It would help to have accurate information, rather than vague statements.
-
EDIT: As I was informed by @dobey:
No, that has nothing to do with the Android container part.
So, anything, below this is a bad advice and is not working.
END OF EDIT@RaphAstronome said in PNG vulnerability:
I tried to rename it but not possible because readonly FS :
to unlock read this:
https://ubports.com/de_DE/blog/ubports-blog-1/post/terminal-chapter-3-124tldr;
$ sudo mount -o remount,rw /jEzEk
-
No image data is passed through that part of the container, so you are not at risk using UT. Idk why this dependency is in, but probably it could be removed from the lxc container.
BR -
@jezek No, that has nothing to do with the Android container part.
-
@dobey ah, I see... thanks for clearing up.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better π
Register Login