Android KeyStore Stack Buffer Overflow - CVE-2014-3100
Replicant seems not to be affected by the vulnerability, as listed here: http://redmine.replicant.us/boards/39/topics/8283?r=10425#message-10425
More details: https://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/
But why not add the "test for keystore crashing" patch anyway?
AOSP patch: https://android.googlesource.com/platform/cts/+/cb35803
Updated by My Self almost 6 years ago
- File CVE-2014-3100.zip added
I've applied the patch "Test-for-keystore-crashing-due-to-malformed-names.patch" to my local Replicant sources. Additionally, I [git add]ed these files to the following path:
(because of this, I provide this patch as a .zip(ped) patchset "CVE-2014-3100.zip"), which is attached.
Replicant <= 4.2 should not be affected by this vulnerability, but I would recommend to apply this CTS-"test for keystore crashing"-patch, anyway.
After merging this patch I've recompiled/reflashed Replicant 4.2 for my device without any misbehavior, and tested the functionalities for several hours, now.
@everyone: please review the patches and apply them if you like.