| Summary: | <dev-util/android-tools-33.0.3: directory traversal during adb pull | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | zmedico |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.openwall.com/lists/oss-security/2022/10/25/5 | | |
| Whiteboard: | B2 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 878321 | | |
| Bug Blocks: | | | |

Description
John Helmert III
2022-10-25 16:45:29 UTC
Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=890a0363035e2cac3c3db3ddf196d64b175fc709

commit 890a0363035e2cac3c3db3ddf196d64b175fc709
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-10-28 00:21:01 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-10-28 00:21:12 +0000

    dev-util/android-tools: drop 31.0.3, 31.0.3_p2, 33.0.3

    Bug: https://bugs.gentoo.org/878281
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-util/android-tools/Manifest | 4 --
 dev-util/android-tools/android-tools-31.0.3.ebuild | 84 ----------------------
 .../android-tools/android-tools-31.0.3_p2.ebuild | 84 ----------------------
 dev-util/android-tools/android-tools-33.0.3.ebuild | 84 ----------------------
 4 files changed, 256 deletions(-)

Thanks!

Oops, also from URL:

CVE-2022-3168: The reverse tunnel feature in Android Debug Bridge (adb) was vulnerable as it allowed malicious adb daemons to open connections to arbitrary host/ports and unix domain sockets on the host.

Example session; both sides running on Google Cloud virtual machines for sake of demonstration.

Attacker receives the access token of the service account the victim VM is running as.

Making a '2' as arbitrary file writes can usually cause code execution via replacing things like ~/.bashrc, etc.

GLSA request filed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c3fb2413d6edf1fff45b79b4539d0c1dc438c62e

commit c3fb2413d6edf1fff45b79b4539d0c1dc438c62e
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:25:11 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:51 +0000

    [ GLSA 202210-41 ] android-tools: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/878281
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-41.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

GLSA released, all done!