Reporting security issues in maemo

If you discover or become aware of a security issue in maemo software (consisting of the maemo platform software and the upstream projects whose software is used within the maemo platform software), please report it by email to security@maemo.org.

Please encrypt your message with GnuPG using key 0x83AAAB3B. The report will be analysed and appropriate actions initiated.

If you discover a security issue in an upstream project whose code is used in maemo, as your first priority, report the problem to the upstream project or their security team and only after that send a copy to maemo security as per above.

Please note that security@maemo.org handles only security issues in maemo software. It does not handle security issues related to web sites (including the maemo.org website), 3rd party software running on the maemo platform, or issues specific to Nokia products. For security issues related to these, please contact the appropriate party.

The following information would be helpful:

  • If the security issue has been publicised somewhere, a pointer to that (web address, CVE identifier, etc.)
  • Information about the affected package (and version number)
  • Configuration and environment where the issue was discovered (proof-of-concept code if available)
  • Your contact information, if you will be able to provide more information and details that would be helpful in validating the issue

Any security-related bugs in maemo bugzilla should be tagged with keyword "security".

Security issues fixed in IT OS releases

This page contains information about security issues that have been fixed in maemo releases. Currently, this page only contains a list of CVE entries that have been fixed in the most recent maemo release.

CVE-2007-5268 and CVE-2007-5269

The libpng library used in maemo before 2007-11-23 is affected by security issues CVE-2007-5268 and CVE-2007-5269, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:

Reflash your device with a new IT OS 2008 software version, announced at http://maemo.org/news/announcements/view/first_official_os2008_update.html.

CVE-2007-5967

All versions of the Mozilla-based browser MicroB for maemo released before 2007-12-11 are affected by security issue CVE-2007-5967, which might allow web sites to install root certificates on devices without user approval.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:

1) For devices with IT OS 2008:
Create a backup (Settings – Backup/Restore – New Backup)
Reflash your device with a new IT OS 2008 software version, announced at http://maemo.org/news/announcements/view/first_official_os2008_update.html.
Restore the backup (Settings – Backup/Restore – Choose the desired backup from the list – Restore)

Delete the files ~/.mozilla/microb/cert8.db and ~/.mozilla/microb/key3.db from your device (open Utilities - X terminal and type rm ~/.mozilla/microb/cert8.db ~/.mozilla/microb/key3.db).
Note that these files may also be included in an older backup, so delete either the older backups or the files from such older backups.
Create a new backup.

2) For devices running other IT OS versions where a beta release of the browser is installed:
Update the browser using Application manager (Settings – Application Manager – Check for Updates – Refresh – Choose the update for the browser – Update).
Delete the files ~/.mozilla/microb/cert8.db and ~/.mozilla/microb/key3.db from your device (install X terminal using Application manager, open it from Extras and type rm ~/.mozilla/microb/cert8.db ~/.mozilla/microb/key3.db).
Note that these files may also be included in an older backup, so delete either the older backups or the files from such older backups.
Create a new backup.
