On Thu, 6 Apr 2017 08:52:11 +0200 Dominig Ar Foll <[email protected]> wrote:
> Hello,
>
> I would like to know what response Tizen has to provide to the affirmation from Israeli researcher Amihai Neiderman reported in the specialised web site Motherboard.
>
> https://motherboard.vice.com/en_us/article/samsung-tizen-operating-system-bugs-vulnerabilities
>
> I believe that it would be important to have a clear visibility of what needs to be improved in the Tizen code going forward. As an indirect user of Tizen technologies (AGL reuses Smack and Cynara), I am less concerned by the correction of the existing devices, as I feel that it's more a commercial issue, even if poor old devices can damage the image of the OS and so the technologies that it uses.
>
> But extracting a todo list from the findings reported would be very valuable for all of us.

The researcher has not provided a clear list of the 40 issues he has claimed so far. We only have his slides, from which I quote him: "It contains some of the vulnerabilities I have found. It mostly talks about pitfalls, so don't expect to find here all of the actual vulnerabilities or that they are all exploitable."

So far we have only received some details on the last one mentioned in his slides, yesterday, and below is the gerrit action fixing it so far. Note that it has nothing to do with strcpy; it's a result of some subtle behaviour of sscanf, which still scans validly without error when asked to scan 2 hex digits (see review comments). This leads to skipping past the end of the input buffer etc.

https://review.tizen.org/gerrit/122764

The first 49 slides of the 67-slide deck contain no actual details. All the issues other than the single one above are in the Tizen Appstore client code, inside the code that fetches/downloads data from the Appstore, plus one mention of the "Samsung cloud" app. Only the above gerrit issue was a Tizen platform issue. The rest were product-specific code (Appstore and cloud app are not platform things).

So I think whatever articles have been published are, so far, major hyperbole and don't differentiate between platform and product apps. Of course I don't think it's fair to assume such differentiation can be made by people not "in the know". I am not sure I can share the slides I have, as they are not mine to share, but the above is my summary. The slides surely don't list 40 exploitable bugs. If they listed them I'd be far happier.

Now I've covered that, let me say that having security issues in code that drives a platform OR products is not a good thing. I wish he'd actually filed bugs on http://bugs.tizen.org 8 months ago. Every platform and software has bugs. Every minor update of Android, iOS, Windows, and many more OSes fixes dozens if not hundreds of CVEs, and this is a fact of life. Some are buffer overflow types, and some are something else. The practical way to deal with these is to address them as soon as they are found, fix them and issue updates. In this case something broke down in communication. The details of why, I don't know.

Security vulnerabilities are a serious issue, be they in inherited open source code, in code written for Tizen as a platform, OR for specific products. I take these seriously. Perhaps we need to make it more obvious as to where to report such issues responsibly to ensure they get fixed in advance. Either way, just like all other operating systems and software projects, there will be issues and some may affect the security of users and systems, and such issues should be fixed ASAP. We have already started, given what information we have, but we have very little. We're trying to get more.

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
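The sscanf pitfall mentioned in the reply above, illustrated with added hypothetical C that is not the Tizen change in the linked gerrit review: `hex_pair_consumed` uses `%n` to show how many characters a `%2x` conversion really consumed (a return value of 1 does not mean two characters), and `decode_hex_strict` is a decoder that validates each pair before indexing it, so an assumed stride can never carry it past the end of the input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (hypothetical code, not the Tizen change under review):
 * a return value of 1 from sscanf("%2x") only means "one item converted";
 * it does not mean two input characters were consumed. */

/* How many characters did "%2x" really consume from s? Uses the %n
 * directive, which records the read position and is not counted in the
 * return value. Returns -1 if no conversion happened at all. */
int hex_pair_consumed(const char *s, unsigned *value)
{
    int consumed = 0;
    if (sscanf(s, "%2x%n", value, &consumed) != 1)
        return -1;              /* matching failure: no hex digit found */
    /* 2 for "ab", but 1 for "a-" (stops at '-') and 3 for " ab"
     * (leading whitespace is skipped and does not count toward the width).
     * A caller that assumes a fixed stride of 2 drifts off the real input
     * position and can step past the terminating NUL. */
    return consumed;
}

static int nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Strict decoder: exactly two hex digits per byte; no whitespace, sign or
 * 0x prefix accepted. Returns bytes written, or -1 on malformed input or
 * insufficient output space. It indexes only characters it has checked,
 * so it cannot read past the end of `in` or write past `out`. */
int decode_hex_strict(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n % 2 != 0 || n / 2 > outlen)
        return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble((unsigned char)in[i]);
        int lo = nibble((unsigned char)in[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (unsigned char)(hi * 16 + lo);
    }
    return (int)(n / 2);
}
```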
