diff options
| author | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2025-05-03 12:38:39 +0200 |
|---|---|---|
| committer | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2025-06-15 01:30:32 +0200 |
| commit | 83d796eeb1c8db91b8a11f36eb00f91bce8173e0 (patch) | |
| tree | 1a01a7e04b5ea476588497c75c6de54db414d5a4 /posts/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md | |
| parent | 48a8a5c2f392dea41bebcbf126cbb3a452e961b3 (diff) | |
| download | haunt-blog-83d796eeb1c8db91b8a11f36eb00f91bce8173e0.tar.gz haunt-blog-83d796eeb1c8db91b8a11f36eb00f91bce8173e0.tar.bz2 haunt-blog-83d796eeb1c8db91b8a11f36eb00f91bce8173e0.zip | |
Move blog posts to the posts/ directory.
We also have two other pages that are not generated from the blog posts
(reply.html and search.html).
It would be nice to be able to move them to markdown as well, but if we do
that it is necessary to differenciate between markdown files used to generate
blog posts, and the ones used to generate these pages.
In addition if the blog posts directory is named markdown, and that we have
other markdown files as well, it become confusing for contributors.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Diffstat (limited to 'posts/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md')
| -rw-r--r-- | posts/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/posts/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md b/posts/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md new file mode 100644 index 0000000..088d584 --- /dev/null +++ b/posts/2012_09_replicant-2-3-0005-images-fixing-the-ussd-vulnerability.md @@ -0,0 +1,36 @@ +date: 2012-09-30T10:55:20+00:00 +title: Replicant 2.3 0005 images, fixing the USSD vulnerability +authors: Paul Kocialkowski +tags: Privacy/security, Replicant images release, Paul Kocialkowski +licenses: CC-BY-3.0 OR CC-BY-4.0 +--- +Earlier this week, we were noticed that an USSD vulnerability was discovered +in Android. After doing a bit of research, we came to understand the nature of +the vulnerability: intents can basically dial a number and start a call +without asking confirmation to the user. That could seem harmless at first +sight, but it turns out it also works with USSD codes, and some of them are +very powerful. This is mostly the case of vendor-specific USSD codes (that are +not included in Replicant), which could erase the phone's user data. + +What's also problematic about this is that web pages can trigger such intents +(through an iframe with the `tel:` prefix for instance). +Since this vulnerability was present in our Replicant images (although the +damage was reduced as we don't include vendor-specific USSD codes), we decided +to include the fix in our code base and release new images. That's nearly the +only new feature of these images (Galaxy S also got a nasty graphic bug +fixed). + +You can download the images from the [ReplicantImages][1] page and find +[installation instructions][2] as well as [build guides][3] on the [Replicant +wiki][4]. + + [1]: +<http://redmine.replicant.us/projects/replicant/wiki/ReplicantImages#Replicant-23-0005-images> + + [2]: <http://redmine.replicant.us/projects/replicant/wiki#Installing-Replicant> + + [3]: <http://redmine.replicant.us/projects/replicant/wiki#Building-Replicant> + + [4]: <http://redmine.replicant.us/projects/replicant/wiki/> + + |