lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 19 Oct 2014 10:03:30 +1000
From: Lord Tuskington <>
Subject: [FD] Cyanogenmod MITM: proven, despite cyanogenmod's public denail

After reading el reg's article regarding a cyanogenmod MITM flaw, I started
looking through the code to see if I could find it. It didn't take long.
This finding was not what users are led to believe by cyanogenmod's blog

I reported the issue to cyanogenmod, but got a rather unsatisfactory reply.
They didn't seem willing to modify the blog post to more accurately reflect
the problem. Below is my email exchange with cyanogenmod's security address:

 Lord Tuskington,

 Thank your for your response. Truth is we assumed as much, but the lack of
meaningful information in the Register's sensational article didn't leave
us much room to interpret it besides what it presented at face value.

 As you noted, this has already been addressed in our shipping code branch
(cm-11), prior to the article's publishing. This was the net result of the
messaging provided in the blog post, with CM 11 being 'safe' from this

 We normally do not patch non-shipping code (in this case 10.2 and prior),
though we may in this case.

 We do not expect to make a advisory on the 10.2 item at this time.

 Thank you,
Abhisek Devkota

  On Oct 17, 2014 8:50 PM, "Lord Tuskington" <> wrote:
  Hello from Greenland!

I think you may be confused about the issue discussed here:

If I understand correctly, the original reporter may have been referring to
a vulnerability fixed by this commit, which was merged 20 days ago:

The vulnerable code is still present in the cm-10.2 branch:
If you release an advisory, please credit "Lord Tuskington of TuskCorp" for
reporting this vulnerability responsibly.


Lord Tuskington
Chief Financial Pinniped

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists