From 80e838ea51808ac17cca03b2d71ccb6f149a6057 Mon Sep 17 00:00:00 2001 From: Giulio Date: Mon, 9 Nov 2020 12:03:26 +0100 Subject: [PATCH] Added official PAX response --- Readme.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/Readme.md b/Readme.md index 14d737c..5a129d6 100644 --- a/Readme.md +++ b/Readme.md @@ -376,6 +376,28 @@ By finding a vulnerability in a Merchant App, in `libosal.so` or in one in the k ## Reporting I tried contacting several times PAX Global via email and never got a reply related to anything: neither about the security vulneabilities, neither on inquiries about the source code for the GPL licensed software (Linux/U-Boot). +### Update +Following this public disclosure PAX got in touch with me. It turned out my previous emails on June 2020 were marked as spam and never read. +Here's their official answer for the following two question: + + * Don't you have a patch distribution method and a remediation plan for vulnerabilities in your devices? + +``` + We apply relevant security patches to all software components we use. + + For vulnerabilities •Arbitrary read/write - CVE-2020-28044, •ELF signature bypass - CVE-2020-28045 and •Root privesc - CVE-2020-28046, we have fixed them these days and the firmware is under releasing. + + For vulnerabilities "Dirty COW", our kernel had "Dirty COW" patch included once CVE-2016-5195 had been published. +``` + + * Do you plan to release the source code, patches and build scripts for the modifications to the GPL licensed code? + +``` + We certainly do comply with GPL version requirements, and had provided source code at requests before several years ago. Since we do not have automated or semi-automated procedure for that, we may need up to several weeks to review and isolate our proprietary code, and adjust the build scripts for the redaction. + +``` + + ## Fun fact I had issues understanding the `shadow` password format: ```
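Review bot: the new `### Update` section says the fixes for CVE-2020-28044, CVE-2020-28045 and CVE-2020-28046 are done and "the firmware is under releasing", but records no fixed firmware version or release date, so a reader cannot tell whether a given terminal has received the patched build; suggest adding a line such as `Fixed in firmware version: (to be filled in once PAX publishes the release)` directly under the heading and updating it when the release ships. The unchanged "Reporting" paragraph above still states that no reply was ever received, which now reads as contradicting the Update; a short clause there pointing to the Update (the emails were caught in a spam filter) would keep the two consistent. Minor wording in the added lines: "for the following two question" should be "two questions", and "my previous emails on June 2020" reads better as "in June 2020".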