
Bug 500480 (CVE-2014-1909)

Summary: <dev-util/android-tools-0_p20130218 : stack-based buffer overflow flaw in Android Debug Bridge (ADB) client (CVE-2014-1909)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: sudormrfhalt, zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1062095
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-02-06 08:41:21 UTC
From ${URL} :

Joshua J. Drake of droidsec.org discovered a stack-based buffer overflow flaw in the ADB client code:

http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html

Connecting to a malicious ADB server could result in arbitrary code execution. A patch is available from the above link.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-09-30 19:07:37 UTC
*** Bug 524104 has been marked as a duplicate of this bug. ***
Comment 2 Zac Medico gentoo-dev 2014-09-30 21:40:47 UTC
I've added android-tools-0_p20130218 to the tree, and it applies the stack overflow patch for this bug:

https://github.com/android/platform_system_core/commit/e89e09dd2b9b42184973e3ade291186a2737bced.patch
Comment 3 Zac Medico gentoo-dev 2014-09-30 21:43:17 UTC
And I've removed the vulnerable android-tools-0_p20130123 ebuild from the tree.
Comment 4 Sergey Popov gentoo-dev 2014-10-01 10:15:28 UTC
Thanks for your work. Cleanup was done, package was never stabilized.

Closing as noglsa