Hi Fathi! On Tue, Dec 27, 2016 at 07:33:45PM +0200, Fathi Boudra wrote: > Hi, > > On Tue, Dec 27, 2016 at 3:03 PM, Salvatore Bonaccorso <car...@debian.org> > wrote: > > Hi Moritz, > > > > On Tue, Dec 27, 2016 at 12:48:34PM +0100, Moritz Mühlenhoff wrote: > >> On Wed, Dec 21, 2016 at 08:49:00PM +0200, Fathi Boudra wrote: > >> > Hi, > >> > > >> > On Wed, Dec 21, 2016 at 4:59 PM, Salvatore Bonaccorso > >> > <car...@debian.org> wrote: > >> > > Hi > >> > > > >> > > On Wed, Dec 21, 2016 at 03:49:26PM +0200, Fathi Boudra wrote: > >> > >> reassign 688280 adb > >> > >> thanks > >> > > > >> > > Is this reassign correct? Paul Wise in > >> > > https://bugs.debian.org/688280#14 already did clone the bug to > >> > > reassign it for the android-platform-system-core source package. > >> > > > >> > > So there should still be > >> > > > >> > > #688280 for src:android-tools > >> > > #823792 for src:android-platform-system-core > >> > > >> > You're right. Jessie src:android-tools is still affected. > >> > >> Which version fixed this for src:android-tools in unstable? > > > > Not yet for unstable for src:android-tools. I recently updated the > > security-tracker information as: > > > > - android-tools <unfixed> (bug #688280) <-- still unfixed > > - android-platform-system-core 1:7.0.0+r1-1 (bug #823792) > > > > src:android-tools as per current version in unstable still has: > > > > system/core/adb/adb.c: fd = unix_open("/tmp/adb.log", O_WRONLY | O_CREAT > > | O_APPEND, 0640); > > adb binary in unstable isn't built anymore from src:android-tools, > only from src:android-platform-system-core. > > android-platform-system-core is using 7.x source code and doesn't > contain fd = unix_open("/tmp/adb.log" anymore: > https://android.googlesource.com/platform/system/core/+/android-7.0.0_r1/adb/adb.cpp > > https://android.googlesource.com/platform/system/core/+/android-5.1.1_r38/adb/adb.c#990 > > I haven't seen any patch from Google (or anybody else) to fix the 5.x serie. > Is randomizing the path with mktemp is good enough or should I get rid > of the log file completely? > Note: even if the source code code contains the problem, it isn't used > because we don't build adb at all in android-tools.
Thanks a lot for your comments. So it looks that even if we would be affected source-wise, since android-tools/5.1.1.r38-1 the binary-package android-tools-adb which contained /usr/bin/adb is not built anymore. I have added a corresponding note to https://security-tracker.debian.org/tracker/CVE-2012-5564 so that it now reads: CVE-2012-5564 (android-tools 4.1.1 in Android Debug Bridge (ADB) allows local users ...) - android-tools <unfixed> (unimportant; bug #688280) NOTE: Since android-tools/5.1.1.r38-1 the android-tools-adb binary package NOTE: is not built anymore which used to contain /usr/bin/adb. NOTE: Package still affected source-wise. I wouldn't invest much energy though in fixing the issue. The reason is that due to the kernel hardening (https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security) nullifies the symlink attacks, thus /tmp related bugs are marked in meanwhile as severity "unimportant" in the security-tracker (as you can see in the entry above). It is really good that you and your team though have fixed the copy in android-platform-system-core (bug #823792) via new upstream versions which fixed that source-wise. Hope this clarifies the back-and-forth on this issue. Regards, Salvatore
