Conversation

Notices

Embed this notice
GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 25-Jun-2024 02:45:39 JST GrapheneOS

CVE-2024-32896 which is marked as being actively exploited in the wild in the June 2024 Pixel Update Bulletin is the 2nd part of the fix for CVE-2024-29748 vulnerability we described here:
https://grapheneos.social/@GrapheneOS/112204428984003954
As we explained there, none of this is actually Pixel specific.
Bulletin:
https://source.android.com/docs/security/bulletin/pixel/2024-06-01
Attribution to us:
https://source.android.com/docs/security/overview/acknowledgements

In conversation about 8 months ago from grapheneos.social permalink
- zunda repeated this.
- Embed this notice
  GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 25-Jun-2024 02:46:03 JST GrapheneOS
  in reply to
  
  CVE-2024-32896 and CVE-2024-29748 refer to the same vulnerability of interrupting reboot for wipes via the device admin API, which applies to all devices.
  CVE-2024-32896 is a full fix in AOSP as part of Android 14 QPR3. It's not at all Pixel specific.
  
  In conversation about 8 months ago permalink
- Embed this notice
  GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 25-Jun-2024 02:46:17 JST GrapheneOS
  in reply to
  
  This is being widely incorrectly reported in tech news coverage. Pixel Update Bulletins are almost entirely patches for vulnerabilities which apply to other devices too. Android Security Bulletins are the list of what other OEMs are required to fix, not the full list of patches.
  
  In conversation about 8 months ago permalink
  
  zunda repeated this.
- Embed this notice
  GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 25-Jun-2024 02:46:17 JST GrapheneOS
  in reply to
  
  We explained this in our previous thread:
  https://grapheneos.social/@GrapheneOS/112204437363495338
  CVE-2024-29748 was a mitigation for the issue implemented in the Pixel bootloader. Full solution is implementing wipe-without-reboot, which is now a standard feature in Android 14 QPR3 released as part of AOSP.
  
  In conversation about 8 months ago permalink
  
  zunda repeated this.
- Embed this notice
  GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 25-Jun-2024 02:46:28 JST GrapheneOS
  in reply to
  
  Our 2024052100 release backported the upstream wipe-without-reboot feature being shipped in the June 2024 release of Android (Android 14 QPR3): https://grapheneos.org/releases#2024052100.
  We extended it to make it more robust via extra redundancy in our 2024060400 release: https://grapheneos.org/releases#2024060400.
  In conversation about 8 months ago permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: grapheneos.org
    
    GrapheneOS releases
    
    from @GrapheneOS
    
    Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
  2. Domain not in remote thumbnail source whitelist: grapheneos.org
    
    GrapheneOS releases
    
    from @GrapheneOS
    
    Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
  zunda repeated this.
- Embed this notice
  GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 25-Jun-2024 02:46:41 JST GrapheneOS
  in reply to
  
  There were 2 main issues:
  1) memory not wiped when booting firmware-based fastboot mode, allowing exploiting it to get previous OS memory
  2) AOSP device admin API depends on reboot-to-recovery to wipe before Android 14 QPR3
  Neither is issue is being fixed outside Pixels yet.
  
  In conversation about 8 months ago permalink

Public

Notices

Feeds