PNG vulnerability



  • Hi,

    On Android an important security hole was found, making PNG dangerous to read (https://thehackernews.com/2019/02/hack-android-with-image.html).
    The vulnerable lib seems to be skia (function SkPngCodec).

    This lib is present on UBports, according to the presence of these files:
    /var/lib/lxc/android/rootfs/system/lib/libskia.so
    /android/system/lib/libskia.so

    Is it possible to secure it?
    Does disabling the "Enable MMS message" option in the Message app avoid the risk of being hacked with MMS?

    Thanks for promoting a (really) free OS.



  • Unless Google releases an update for older Android (4.4, 5.1), it's not likely that file will be updated in UBports. However, I don't think it is used either (though something in the android container may link to it and require its presence).

    MMS handling in UT does not use that library.



  • @dobey said in PNG vulnerability:

    Unless Google releases an update for older Android (4.4, 5.1)

    OK, this will never happen 😞.

    I tried to rename it, but it's not possible because of the read-only FS:

    phablet@ubuntu-phablet:/$ sudo -s
    [sudo] password for phablet: 
    root@ubuntu-phablet:/# cd
    root@ubuntu-phablet:~# mv /android/system/lib/libskia.so /android/system/lib/libskia.so.avoid
    mv: cannot move '/android/system/lib/libskia.so' to '/android/system/lib/libskia.so.avoid': Read-only file system
    root@ubuntu-phablet:~# mv /var/lib/lxc/android/rootfs/system/lib/libskia.so /var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid
    mv: cannot move '/var/lib/lxc/android/rootfs/system/lib/libskia.so' to '/var/lib/lxc/android/rootfs/system/lib/libskia.so.avoid': Read-only file system
    

    A way to remove it?

    Thanks,



  • @RaphAstronome said in PNG vulnerability:

    A way to remove it?

    The image would need to be re-built without the file, and I don't know if that's doable. However, as I said, I'm pretty certain it's not used.

    Also, it's not clear that the vulnerability affects the version of Android which currently supported devices are built upon. So far, everything I can find about this specific vulnerability is saying Android 7.0-9 only. It would help to have accurate information, rather than vague statements.



  • EDIT: As I was informed by @dobey:

    No, that has nothing to do with the Android container part.

    So anything below this is bad advice and does not work.
    END OF EDIT

    @RaphAstronome said in PNG vulnerability:

    I tried to rename it, but it's not possible because of the read-only FS:

    To unlock, read this:
    https://ubports.com/de_DE/blog/ubports-blog-1/post/terminal-chapter-3-124

    tl;dr:

    $ sudo mount -o remount,rw /
    

  • Infrastructure

    No image data is passed through that part of the container, so you are not at risk using UT. Idk why this dependency is in, but probably it could be removed from the lxc container.
    BR



  • @jezek No, that has nothing to do with the Android container part.



  • @dobey ah, I see... thanks for clearing up.
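
One way to check the point made in the thread that libskia.so is present on disk but not in use, as an added example that is not from any poster here: scan each process's `maps` file for the library. The function names `lib_users` and `make_sample_proc` are hypothetical, and the sample tree with its process names is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list processes that have a shared
# library mapped. Reading other processes' maps files needs root.

# lib_users [PROC_ROOT] [LIBNAME] prints one "PID COMM" line per match.
lib_users() {
    proc_root=${1:-/proc}
    lib=${2:-libskia.so}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Field 6 of a maps line is the backing file. Require an exact
        # basename match so a renamed copy (libskia.so.avoid) is not counted.
        if awk -v lib="$lib" '
            $6 != "" && substr($6, length($6) - length(lib)) == "/" lib { hit = 1; exit }
            END { exit !hit }' "$maps" 2>/dev/null
        then
            pid=${maps%/maps}; pid=${pid##*/}
            comm=$(cat "$proc_root/$pid/comm" 2>/dev/null) || comm='?'
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Constructed /proc-like tree (sample data, process names are made up).
make_sample_proc() {
    root=$1
    mkdir -p "$root/101" "$root/202" "$root/303"
    echo android_svc > "$root/101/comm"
    echo ut_app > "$root/202/comm"
    echo renamed > "$root/303/comm"
    cat > "$root/101/maps" <<'EOF'
b6e00000-b6f5a000 r-xp 00000000 b3:19 1234 /system/lib/libskia.so
b6f5a000-b6f60000 rw-p 0015a000 b3:19 1234 /system/lib/libskia.so
EOF
    cat > "$root/202/maps" <<'EOF'
b6d00000-b6d40000 r-xp 00000000 b3:1a 5678 /usr/lib/libpng12.so.0
EOF
    cat > "$root/303/maps" <<'EOF'
b6c00000-b6d5a000 r-xp 00000000 b3:19 1235 /system/lib/libskia.so.avoid
EOF
}

# With arguments, scan a real tree (e.g. /proc libskia.so); without, the sample.
if [ $# -gt 0 ]; then
    lib_users "$@"
else
    tmp=$(mktemp -d) && make_sample_proc "$tmp" && lib_users "$tmp"
    rm -rf "$tmp"
fi
```

An empty result only shows that no process has the library mapped at that moment; something could still load it later.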

