Closed
Bug 1211041
(CVE-2015-3877)
Opened 10 years ago
Closed 9 years ago
Critical Skia vulnerability fix being released by Android
Categories
(Core :: Graphics, defect)
RESOLVED
WORKSFORME
People
(Reporter: dveditz, Unassigned)
Details
(Keywords: sec-other, Whiteboard: To be released Oct 5 by AOSP)
Attachments
(1 file)
From the Android Partner Security Bulletin. We just received this and updates will be made public on Monday Oct 5, but the original bulletin was issued Sept 10 to partners. The patch applies to our codebase, but I don't know if this is functionality that we expose.
** Remote Code Execution Vulnerability in Skia **
CVE-2015-3877
ANDROID-20723696
Severity: Critical
Affected Versions: 5.1 and Below
Date Reported: Jul 30, 2015
Description:
A vulnerability in the Skia component that may be leveraged when downsampling interlaced gif images, that could lead to memory corruption and potentially remote code execution in a privileged process. This issue is rated as a Critical severity due to the possibility of remote code execution through multiple attack methods such as email, web browsing, and MMS when processing media files.
Reporter
Updated•10 years ago
Whiteboard: To be released Oct 5 by AOSP
Comment 2•10 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Lee: is this function used in Firefox?
As far as I can see, Skia uses this in its own image decoders, whereas we instead rely upon our own image lib, avoiding usage of Skia's.
So I don't believe we should be affected by the vulnerability, but the patch there looks safe to apply.
Flags: needinfo?(lsalzman)
Comment 3•10 years ago
Is there more action on our side, or will this patch magically get landed?
Since we're not using this code, we are fine.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Reporter
Updated•8 years ago
Group: gfx-core-security