
Added official PAX response

Giulio, 3 years ago, commit 80e838ea51
1 changed file with 22 additions and 0 deletions: Readme.md (+22 -0)

@@ -376,6 +376,28 @@ By finding a vulnerability in a Merchant App, in `libosal.so` or in one in the k
 ## Reporting
 I tried contacting several times PAX Global via email and never got a reply related to anything: neither about the security vulneabilities, neither on inquiries about the source code for the GPL licensed software (Linux/U-Boot).
 
+### Update
+Following this public disclosure PAX got in touch with me. It turned out my previous emails on June 2020 were marked as spam and never read.
+Here's their official answer for the following two question:
+
+ * Don't you have a patch distribution method and a remediation plan for vulnerabilities in your devices? 
+
+```
+  We apply relevant security patches to all software components we use.
+
+  For vulnerabilities •Arbitrary read/write - CVE-2020-28044, •ELF signature bypass - CVE-2020-28045 and •Root privesc - CVE-2020-28046, we have fixed them these days and the firmware is under releasing.
+
+  For vulnerabilities "Dirty COW", our kernel had "Dirty COW" patch included once CVE-2016-5195 had been published.
+```
+
+ * Do you plan to release the source code, patches and build scripts for the modifications to the GPL licensed code?
+
+```
+  We certainly do comply with GPL version requirements, and had provided source code at requests before several years ago. Since we do not have automated or semi-automated procedure for that, we may need up to several weeks to review and isolate our proprietary code, and adjust the build scripts for the redaction.
+ 
+```
+
+
 ## Fun fact
 I had issues understanding the `shadow` password format:
 ```
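Review bot: two grammar slips in the added "### Update" text: "for the following two question" should read "two questions", and "my previous emails on June 2020" should read "in June 2020". On substance, the quoted reply says fixes for CVE-2020-28044, CVE-2020-28045 and CVE-2020-28046 are done and "the firmware is under releasing", but the Update gives readers no firmware version or release date to check their terminals against; consider adding the fixed firmware version once PAX publishes it, and likewise a timeline for the GPL source request, which the reply only promises "up to several weeks" for. Minor: the second fenced quote ends with a whitespace-only line, and the hunk leaves two blank lines before "## Fun fact" where one would do.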