Reporting security issues in Maemo

If you discover or become aware of a security issue in Maemo software (consisting of the Maemo platform software and the upstream projects whose software is used within the Maemo platform software), please report it by email to security@maemo.org.

You may encrypt your message with GnuPG using key 0x83AAAB3B. The report will be analysed and appropriate actions initiated.

If you discover a security issue in an upstream project whose code is used in Maemo, or a 3rd party open source software running on the Maemo platform, as your first priority, report the problem to the upstream project or their security team and only after that send a copy to Maemo security as per above. If you do not know where to report the issue, we suggest you report it to the Open Source CERT at http://www.ocert.org/ who can then help coordinating the issue. Please see below for helpful tips on what information would be useful. Any security-related bugs in Maemo bugzilla should be tagged with keyword "security".

Please note that security@maemo.org only handles issues relating to the Maemo platform. This email address does not handle security issues related to web sites (including the maemo.org website - please report those to the maemo.org webmaster), 3rd party software running on the Maemo platform, or issues specific to Nokia products. In any security issues related to these, please contact the appropriate party.

The following information would be helpful:

  • If the security issue has been publicised somewhere, a pointer to that (web address, CVE identifier, etc.)
  • Information of the affected package (and version number)
  • Configuration and environment where the issue was discovered (proof-of-concept code or a test case if available)
  • If you will be able to provide more information and details that would be helpful in validating the issue, your contact information

Security issues fixed in Maemo 5 PR1.3 (20.2010.36-2) release

This list contains information about security issues that have been fixed in the Maemo 5 PR1.3 (20.2010.36-2) release. This list only contains a list of CVE entries that have affected and have been fixed in this Maemo release.

CVE-2010-0205, CVE-2010-1205, CVE-2010-2249
libpng

CVE-2009-4880, CVE-2009-4881, CVE-2010-0830
glibc

CVE-2010-1297
Adobe Flash Player

CVE-2009-3555, CVE-2009-4355
OpenSSL

CVE-2009-3979, CVE-2009-3980, CVE-2009-3982, CVE-2009-3986, CVE-2009-3984, CVE-2009-3985, CVE-2010-0220
Web browser

CVE-2009-2416
libxml2

For Nokia devices running Maemo 5, software with this fix is available as follows:
Reflash your device using Maemo 5 PR1.3 (20.2010.36-2) release or newer, or perform an upgrade to Maemo 5 PR1.3 (20.2010.36-2) release or newer using the package manager.

Security issues fixed in Maemo 5 PR1.2 (10.2010.19-1) release

This list contains information about security issues that have been fixed in the Maemo 5 PR1.2 (10.2010.19-1) release. This list only contains a list of CVE entries that have affected and have been fixed in this Maemo release.

CVE 2008-1693
Issues with PDF embedded fonts in Poppler.

CVE-2009-2347

Issues in inter-color spaces conversion tools in libtiff.

CVE-2009-1563, CVE-2009-3069, CVE-2009-3071, CVE-2009-3073,
CVE-2009-3072, CVE-2009-3075, CVE-2009-3077, CVE-2009-3079,
CVE-2009-3370, CVE-2009-3371, CVE-2009-3373, CVE-2009-3374,
CVE-2009-3375, CVE-2009-3380, CVE-2009-3381, CVE-2009-3383,
CVE-2009-3979, CVE-2009-3980, CVE-2009-3982, CVE-2009-3984,
CVE-2009-3985, CVE-2009-3986, CVE-2010-0220

Various issues potentially affecting the browser.

For Nokia devices running Maemo 5, software with this fix is available as follows:
Reflash your device using Maemo 5 PR1.2 (10.2010.19-1) release or newer, or perform an upgrade to Maemo 5 PR1.2 (10.2010.19-1) release or newer using the package manager.

Security issues fixed in Maemo 5 PR1.1 (2.2009.51-1) release

This list contains information about security issues that have been fixed in the Maemo 5 PR1.1 (2.2009.51-1) release. This list only contains a list of CVE entries that have affected and been fixed in this Maemo release.

CVE-2009-2417

Curl did not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate.

For Nokia devices running Maemo 5, software with this fix is available as follows:
Reflash your device using Maemo 5 PR1.1 (2.2009.51-1) release or newer, or perform an upgrade to Maemo 5 PR1.1 (2.2009.51-1) release or newer using the package manager.

Security issues fixed in OS2008 version 4.2008.43-7 release

This list contains information about security issues that have been fixed in the OS2008 5.2008.43-7 release. This list only contains a list of CVE entries that have affected and been fixed in this maemo release.

CVE-2008-1447

The DNS protocol, as implemented in dnsmasq used in maemo, is affected by CVE-2008-1447 which may allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:
Reflash your device with OS2008 version 5.2008.43-7 or newer.

CVE-2008-2327

LibTIFF 3.8.2 and earlier as used in maemo, is affected by CVE-2008-2327 that may allow context-dependent attackers to execute arbitrary code via a crafted TIFF file.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:
Reflash your device with OS2008 version 5.2008.43-7 or newer.

Security issues fixed in OS2008 version 4.2008.36-5 release

This list contains information about security issues that have been fixed in the OS2008 version 4.2008.36-5 release. This list only contains a list of CVE entries that have affected and been fixed in this maemo release.

CVE-2008-1105

Heap-based buffer overflow in in Samba 3.0.0 through 3.0.29 may allow remote attackers to execute arbitrary code via a crafted SMB response.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:
Reflash your device with OS2008 version 4.2008.36-5 or newer.

CVE-2008-1372

bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:
Reflash your device with OS2008 version 4.2008.36-5 or newer.

Security issues fixed in OS2008 Feature Upgrade (Diablo) release

This list contains information about security issues that have been fixed in the OS2008 Feature Upgrade (Diablo) release. This list only contains a list of CVE entries that have affected and been fixed in this maemo release.

CVE-2007-6284

The libxml2 library used in maemo before 2008-02-29 is affected by security issue CVE-2007-6284, which might allow context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:

Reflash your device with a new OS 2008 Feature Upgrade software version, announced at http://maemo.org/news/announcements/view/os2008_feature_upgrade-reflash_your_tablet-for_the_last_time.html

CVE-2007-5501

The Linux kernel used in maemo before 2008-04-08 is affected by security issue CVE-2007-5501, which might allow remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:

Reflash your device with a new OS 2008 Feature Upgrade software version, announced at http://maemo.org/news/announcements/view/os2008_feature_upgrade-reflash_your_tablet-for_the_last_time.html

CVE-2007-5266

The libpng library used in maemo before 2007-11-23 is affected by security issue CVE-2007-5266, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.

For Nokia Internet Tablets, software with a fix for this issue has been available already in the previous IT OS 2008 release (see the list of fixed security issues for CVE-2007-5268 and CVE-2007-5269). Reflash your device with a new OS 2008 Feature Upgrade software version, announced at http://maemo.org/news/announcements/view/os2008_feature_upgrade-reflash_your_tablet-for_the_last_time.html , or the version specified for CVE-2007-5268 and CVE-2007-5269.

CVE-2007-2754

The freetype library used in maemo before 2007-12-20 is affected by security issue CVE-2007-2754, which might allow remote attackers to execute arbitrary code via a crafted TTF image.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:

Reflash your device with a new OS 2008 Feature Upgrade software version, announced at http://maemo.org/news/announcements/view/os2008_feature_upgrade-reflash_your_tablet-for_the_last_time.html

Security issues fixed in IT OS2008 Update releases

This list contains information about security issues that have been fixed in the IT OS2008 maemo release. This list only contains a list of CVE entries that have affected and been fixed in this maemo release.

CVE-2007-5268 and CVE-2007-5269

The libpng library used in maemo before 2007-11-23 is affected by security issues CVE-2007-5268 and CVE-2007-5269, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:

Reflash your device with a new IT OS 2008 software version, announced at http://maemo.org/news/announcements/view/first_official_os2008_update.html .

CVE-2007-5967

All versions of the Mozilla based browser MicroB for maemo released before 2007-12-11 are affected by a security issue CVE-2007-5967, which might allow web sites to install root certificates on devices without user approval.

For Nokia Internet Tablets, software with a fix for this issue is available as follows:

1) For devices with IT OS 2008:
Create a backup (Settings – Backup/Restore – New Backup)
Reflash your device with a new IT OS 2008 software version, announced at http://maemo.org/news/announcements/view/first_official_os2008_update.html.
Restore the backup (Settings – Backup/Restore – Choose the desired backup from the list – Restore)

Delete the files ~/.mozilla/microb/cert8.db and ~/.mozilla/microb/key3.db from your device.(open Utilities - X terminal and type rm ~/.mozilla/microb/cert8.db ~/.mozilla/microb/key3.db) Note that these files may also be included in an older backup, so delete either the older backups or the files from such older backups. Create a new backup.

2) For devices running other IT OS versions where a beta release of the browser is installed:
Update the browser using Application manager (Settings – Application Manager – Check for Updates – Refresh – Choose the update for the browser – Update).
Delete the files ~/.mozilla/microb/cert8.db and ~/.mozilla/microb/key3.db from your device (install X terminal using Application manager, open it from Extras and type rm ~/.mozilla/microb/cert8.db ~/.mozilla/microb/key3.db)
Note that these files may also be included in an older backup, so delete either the older backups or the files from such older backups.
Create a new backup.