this post was submitted on 08 May 2024

GrapheneOS [Unofficial]


Google has listed the CVE-2024-23694 vulnerability we reported in the security acknowledgements for May 2024:

https://source.android.com/docs/security/overview/acknowledgements

This is the Bluetooth issue we found with memory tagging which they assigned a High severity:

https://grapheneos.social/@GrapheneOS/112066872276203917

We fixed this on March 9th.

This vulnerability isn't listed in the baseline Android Security Bulletin despite being an Android Open Source Project issue. It will likely be listed in the Pixel Update Bulletin which should be today with the monthly update of AOSP and the Pixel OS:

https://grapheneos.social/@GrapheneOS/112398434880567630

This vulnerability only impacts Android 14 QPR2 and later. It's possible they only list issues impacting the initial release of Android 14 in Android Security Bulletins and put the rest in Pixel bulletins. It's odd how Pixel bulletins are mostly issues impacting other devices.

Last month, Pixels fixed 2 vulnerabilities we reported which were both classified as High severity and were both exploited in the wild by forensic companies:

https://grapheneos.social/@GrapheneOS/112204428984003954

Both also impact non-Pixels but were only fixed for Pixels and listed in the Pixel bulletin.

We understand why they didn't list those firmware patches in the Android Security Bulletin (ASB) since other devices with the same issues need their own firmware patches for them.

The AOSP 14 QPR2 Bluetooth bug not being listed means ASB is less complete than we thought though.

As we expected, it's listed in the Pixel Update Bulletin despite being an Android Open Source Project vulnerability and patch:

https://source.android.com/docs/security/bulletin/pixel/2024-05-01

Android Security Bulletins only cover the subset of High/Critical severity patches backported to the baseline yearly releases.
