Sohamlad7 / android_device_motorola_cedric


Missing patch for CVE-2019-1988? #34

Closed abgandar closed 5 years ago

abgandar commented 5 years ago

I'm not sure if this is an issue directly related to this repository, or upstream.

I installed the SnoopSnitch app which among other things tests for installed patches for known vulnerabilities. According to this app, the latest ROM lineage-16.0-20190709-UNOFFICIAL-cedric.zip installed following your instructions does not contain the patch for CVE-2019-1988, which was released before the claimed patch date and leaves the ROM vulnerable to potential exploits via an error in JPG file handling.

Sohamlad7 commented 5 years ago

Wait for the next build. Thanks for reporting, though.

JarlPenguin commented 5 years ago

This was patched in the 08-0x ASB for Android...

abgandar commented 5 years ago

Thanks for the quick reply, @Sohamlad7. The reason I reported it is that, as @JarlPenguin points out, this patch was released in February this year, before the patch level claimed by the build. Also, the related CVEs (-1986, -1987) that were fixed in the same patch level seem to be fine. So I was wondering if somehow this particular patch "got lost".

Note that I tried to find a manual way to test for this patch (in case SnoopSnitch is wrong). But since it is classified as a security-critical patch, and there are still plenty of unpatched handsets out there, it seems working proofs of concept have not yet been made public.

mvaisakh commented 5 years ago

This has been fixed with the commit: https://github.com/Sohamlad7/android_vendor_motorola_cedric/commit/331461d1634e5258b788d87191abede5f971238f

Thanks for reporting!