We have moved to a new Sailfish OS Forum. Please start new discussions there.
44

Do we get absolutely essential fix for Stagefright-vulnerabilities (some are remote-attackable)?

asked 2015-07-27 23:14:16 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-04-28 18:23:12 +0200

lpr gravatar image

as Stagefright is the "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib (<- BULLSHIT!) . So all Jolla-device users are hit by those vulnerabilities [unfixed status Apr'2017]: [CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508 high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756 moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819 remote, CVE-2016-3821 remote high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830 moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection

EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0 excerpt from changelog:

Backport stagefright vulnerability fix.

EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:

no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)

Original Post:

from the linked article:

Only Android phones below version 2.2 are not affected, he added.

The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.

Link to todays Forbes article

# ls /system/bin

lists stagefright ,so it is present on jollas (even without aliendalvik)

# ls /opt/alien/system/lib

lists libstagefright ,so it is present on jollas with aliendalvik additionally (so on these devices you'll find 2 versions of it, both vulnerable)

edit retag flag offensive close delete

Comments

1

One data point: if you install Stagefright Detector by Zimperium from the Google Store to your Jolla device running Saimaa 2.0.0.10, the test claims that it is vulnerable to CVE-2015-6602 (but none else of the tests). Anyone care to comment on what this means in practical terms?

ExTechOp ( 2016-03-21 13:37:06 +0200 )edit
1

@ExTechOp that means detector app is outdated (Version from Nov2015) see Dec Jan Feb Mar Apr May Jun Jul and Aug

lpr ( 2016-03-24 15:25:54 +0200 )edit

@ExTechOp there is a more recent version from may2016 available of Stagefright Detector. Maybe you could share the vulnerabilities it finds...

lpr ( 2016-08-02 14:53:47 +0200 )edit

thx lpr for all the edits! I changed this thread to wiki to not fish for the karma ;)

mosen ( 2016-09-12 21:36:31 +0200 )edit
1

@coderus bullshit is exactly the word to use as an argument...
at least my jolla has libstagefright present in /system/lib as part of droid-system-sbj and droidmedia and gstreamer1.0-droid DO use the android-codecs h264dec & enc and others... so what's the point?

lpr ( 2017-04-28 17:40:41 +0200 )edit

2 Answers

Sort by » oldest newest most voted
49

answered 2015-07-27 23:59:28 +0200

tigeli gravatar image

updated 2015-07-28 00:08:48 +0200

Initial analysis is that SFOS is not directly affected by this vulnerability as the MMS'es are not received and handled by the aliendalvik.

Eventually we will patch the vulnerability in the aliendalvik when there's a patch available.

edit flag offensive delete publish link more

Comments

15

WOW, an official answer, 29 minutes after questioning, i am dancing right here right now :D

mosen ( 2015-07-28 00:07:01 +0200 )edit
1

@tigeli@mosen as I understand the reports about this vulnerability, it is not only mms but every manipulated video file viewed with an android app that can cause severe trouble...

lpr ( 2015-08-06 12:43:45 +0200 )edit
2

@lpr Sure.. and we are preparing a fix already for the aliendalvik.

tigeli ( 2015-08-06 14:28:45 +0200 )edit

As @lpr said: Not only MMS is affected but e.g. a malicious mp4 video file embedded in any website could trigger the bug. So using an Android browser could harm aliendalvik. But this doesn't mean that the whole phone is compromised, only the android/aliendalvik part of it. So better stay away from anything that uses android's stagefright for now.

Yo ( 2015-08-06 16:01:25 +0200 )edit
1

@Yo not only Android browsers are affected but all Android apps using Sagefright API. As you don't know (unless you have an Android-terminal Emulator running and displaying (aliendalvik)system-output) if an app makes use of it, it's unsafe to use any Android app until update has arrived

lpr ( 2015-08-06 16:16:39 +0200 )edit
4

answered 2015-07-27 23:43:43 +0200

iKeivs gravatar image

updated 2017-04-28 18:05:06 +0200

coderus gravatar image

I don't think so, if the device gots virtual STD through MMS, and the messaging are processed with SFOS apps for messaging. and by default Android apps are not allowed to make any changes in SFOS, except, if the rooted Alien Dalvik is installed from OpenRepos.

edit flag offensive delete publish link more

Comments

@coderus please leave this answer deleted because it has nothing to do with MMS despite viewing MMS on android will use libstagefright, too

lpr ( 2017-04-28 18:04:00 +0200 )edit

post your mention in comment

coderus ( 2017-04-28 18:04:59 +0200 )edit

@coderus why? it's simply wrong and misleading in this case

lpr ( 2017-04-28 18:06:50 +0200 )edit

tell this in comments

coderus ( 2017-04-28 18:13:33 +0200 )edit
Login/Signup to Answer

Question tools

Follow
4 followers

Stats

Asked: 2015-07-27 23:14:16 +0200

Seen: 5,023 times

Last updated: Apr 28 '17