Saturday 18 October 2014

More cyanogenmod flaws in dependencies, including RCE

Looking through cyanogenmod's external/ repos, there are a number of serious unresolved vulnerabilities. Here's an RCE flaw in Xalan-J (CVE-2014-0107).
Cyanogenmod code:
https://github.com/CyanogenMod/android_external_apache-xml/blob/cm-11.0/src/main/java/org/apache/xalan/transformer/TransformerImpl.java#L385

And parameter entity XXE in libxml2 (CVE-2014-0191).

Upstream advisory:
http://www.openwall.com/lists/oss-security/2014/05/06/4

Cyanogenmod code:
https://github.com/CyanogenMod/android_external_libxml2/blob/cm-11.0/parser.c#L2542

Upstream patch which has not been applied:
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
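An added defensive pre-check, written for this post and not taken from the post, libxml2 or CyanogenMod: for a tree still missing the libxml2 patch above, refuse to hand the parser any document whose DTD declares external parameter entities (the construct CVE-2014-0191 concerns) or an external subset. The sample documents and the `example.invalid` host are constructed.

```python
import re
from typing import Dict, List, Union

# DOCTYPE declaration: root name, optional external-subset identifier
# (SYSTEM "..." or PUBLIC "..." "..."), optional internal subset in [...].
_QUOTED = r"(?:\"[^\"]*\"|'[^']*')"
_DOCTYPE_RE = re.compile(
    rf"<!DOCTYPE\s+[^\s\[>]+"
    rf"(?P<ext>\s+(?:SYSTEM\s+{_QUOTED}|PUBLIC\s+{_QUOTED}\s+{_QUOTED}))?"
    r"\s*(?:\[(?P<subset>.*?)\]\s*)?>",
    re.DOTALL,
)

# Parameter-entity declarations (<!ENTITY % name SYSTEM|PUBLIC ...>) that
# name an external resource rather than an inline replacement value.
_EXT_PE_RE = re.compile(r"<!ENTITY\s+%\s+(?P<name>\S+)\s+(?:SYSTEM|PUBLIC)\b")


def dtd_external_references(xml_text: str) -> Dict[str, Union[bool, List[str]]]:
    """Report DTD constructs that would make the parser fetch something.

    Deliberately conservative: a declaration inside a DTD comment is still
    reported, so the check errs towards rejecting, never towards accepting.
    """
    m = _DOCTYPE_RE.search(xml_text)
    if m is None:
        return {"external_subset": False, "external_parameter_entities": []}
    subset = m.group("subset") or ""
    return {
        "external_subset": m.group("ext") is not None,
        "external_parameter_entities": [
            pe.group("name") for pe in _EXT_PE_RE.finditer(subset)
        ],
    }


def safe_to_parse(xml_text: str) -> bool:
    """True only when the DTD cannot trigger an external fetch."""
    refs = dtd_external_references(xml_text)
    return not refs["external_subset"] and not refs["external_parameter_entities"]


# Constructed sample documents; example.invalid is a reserved, unresolvable name.
BENIGN_DOC = ('<?xml version="1.0"?>'
              '<!DOCTYPE note [<!ENTITY greeting "hello">]>'
              '<note>&greeting;</note>')
EXTERNAL_PE_DOC = ('<?xml version="1.0"?>'
                   '<!DOCTYPE note [<!ENTITY % remote SYSTEM '
                   '"http://example.invalid/remote.dtd"> %remote;]><note/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("external PE", EXTERNAL_PE_DOC)):
        print(label, dtd_external_references(doc), "safe" if safe_to_parse(doc) else "reject")
```

Run the check before calling the parser; it is a stop-gap that buys time until the upstream patch is merged, not a replacement for it.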

There's a lot more. I'll leave the rest as an exercise for the reader. Seriously, these amateurs got a $1 billion buyout offer?

2 comments:

  1. You realise that this isn't actually CyanogenMod's code? It's actually brought upstream from Google, who fetches it from elsewhere.

    I get that you may have a bone to pick with CM (I'm sure many do), however please target the correct people for the issues you have found.

  2. Hey, Lord Douche, I submitted the Apache vulnerability to AOSP as https://android-review.googlesource.com/#/c/111301/ which is far upstream of CyanogenMod so it affects all of Android. I couldn't submit the libxml2 patch though, since Google's tree is *3 years* out of date and lacking patches for multiple vulnerabilities. Maybe you could approach them responsibly about merging the latest code directly instead of making potshots at people that aren't even responsible for it on some blog nobody reads and then acting all butt-hurt when they don't give you "credit" for bugs that have already been found and patched?
