Bug 500480 (CVE-2014-1909) - <dev-util/android-tools-0_p20130218 : stack-based buffer overflow flaw in Android Debug Bridge (ADB) client (CVE-2014-1909)
Summary: <dev-util/android-tools-0_p20130218 : stack-based buffer overflow flaw in And...
Status: RESOLVED FIXED
Alias: CVE-2014-1909
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~2 [noglsa]
Duplicates: 524104

Reported: 2014-02-06 08:41 UTC by Agostino Sarubbo
Modified: 2014-10-01 10:15 UTC

Description Agostino Sarubbo gentoo-dev 2014-02-06 08:41:21 UTC
From ${URL} :

Joshua J. Drake of droidsec.org discovered a stack-based buffer overflow flaw in the ADB client code:

http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html

Connecting to a malicious ADB server could result in arbitrary code execution. A patch is available from the above link.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-09-30 19:07:37 UTC
*** Bug 524104 has been marked as a duplicate of this bug. ***
Comment 2 Zac Medico gentoo-dev 2014-09-30 21:40:47 UTC
I've added android-tools-0_p20130218 to the tree, and it applies the stack overflow patch for this bug:

https://github.com/android/platform_system_core/commit/e89e09dd2b9b42184973e3ade291186a2737bced.patch
Comment 3 Zac Medico gentoo-dev 2014-09-30 21:43:17 UTC
And I've removed the vulnerable android-tools-0_p20130123 ebuild from the tree.
Comment 4 Sergey Popov gentoo-dev 2014-10-01 10:15:28 UTC
Thanks for your work. Cleanup was done, package was never stabilized.

Closing as noglsa