Ubuntu
android package

StageFright is still present in the container

Bug #1480272 reported by John McAleely
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Canonical System Image
Confirmed
Undecided
Unassigned
Canonical System Image backlog
android (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

While we do not use the whole libstagefright suite in Ubuntu Phones, all the binaries exist inside the lxc container.

This is an oversight in cleaning up the android builds. please make sure these binaries get removed for saving space and not shipping unused android cruft.

With the recent announcement of:

https://www.kb.cert.org/vuls/id/924951

this can cause confusion for users as it is not clear to them these binaries are not used

See original description
John McAleely (john.mcaleely)
description: updated
John McAleely (john.mcaleely)
Changed in canonical-devices-system-image:
assignee: nobody → John McAleely (john.mcaleely)
Revision history for this message
John McAleely (john.mcaleely) wrote :

@ubuntu-security--team - I think this bug should probably be public, given the status of the code and vulnerability. should you make that change, or should I?

Pat McGowan (pat-mcgowan)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc-android-config (Ubuntu):
status: New → Confirmed
John McAleely (john.mcaleely)
information type: Private Security → Public Security
Revision history for this message
Jim Hodapp (jhodapp) wrote :

Looking at the following page [1] you can see that the patched code is in MPEG4Extractor. For Ubuntu, we don't use this file for anything. We currently only use the opposite code, MPEG4Writer, for when we're recording a video using the camera-app. For playback, GStreamer does indeed do all of the container format parsing for every file type and then passes the extracted video stream chunk by chunk to the MediaCodec class over hybris [2].

[1] https://github.com/WhisperSystems/TextSecure/issues/3817
[2] https://code-review.phablet.ubuntu.com/gitweb?p=ubuntu/libhybris.git;a=blob;f=compat/media/media_codec_layer.cpp;h=9d18f3ed93785a83f09e16d0cf2a68af091fa503;hb=refs/heads/master

John McAleely (john.mcaleely)
Changed in android (Ubuntu):
status: New → Confirmed
no longer affects: lxc-android-config (Ubuntu)
description: updated
Revision history for this message
John McAleely (john.mcaleely) wrote :

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Stagefright

Revision history for this message
Pat McGowan (pat-mcgowan) wrote :

is this still a valid work item?

Changed in canonical-devices-system-image:
milestone: none → backlog
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Yes, a whole slew of new stagefright issues came in and the security and phablet teams are having to work through them. Any way we can minimize what is in the android container, the better.

John McAleely (john.mcaleely)
Changed in canonical-devices-system-image:
assignee: John McAleely (john.mcaleely) → nobody
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.