Ubuntu
lxc-android-config package

StageFright is still present in the container

Bug #1480271 reported by John McAleely
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxc-android-config (Ubuntu)
Confirmed
Wishlist
Unassigned

Bug Description

With the recent announcement of:

https://www.kb.cert.org/vuls/id/924951

We should review the need for stagefright libraries in the LXC conitainer.

I understand stagefright is not in use for media file parsing on Ubuntu Phones, where gstreamer is used.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Stagefright: "While in general Ubuntu does not share the affected code with Android, Ubuntu Touch devices utilizing the Android Open Source Project (AOSP) do contain the affected stagefright libraries, but Ubuntu Touch does not expose the affected functionality of these libraries in a way that can be leveraged by an attacker". Please see the wiki page and corresponding links for more details.

That said, I am all for reducing what is in the container to only what is absolutely required. It was a painful process triaging stagefright and working with the static libs in the android package and packaging of the device tarball from the binaries from the android package in general was far from ideal.

Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Changed in lxc-android-config (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.