#GrapheneOS version 2025060100 released.
This release patches out an Android / Linux kernel vulnerability that isn't fixed upstream and whose effectiveness was already very limited in GrapheneOS since 2022.
Due to an upstream Linux kernel vulnerability, Android's attempt at restricting access to Android/data and Android/obb for the file management permission didn't work (https://nvd.nist.gov/vuln/detail/CVE-2024-50089). A fix was implemented in the Linux kernel, then reverted due to breaking compatibility.

Fix:

https://github.com/torvalds/linux/commit/5c26d2f1d3f5e4be3e196526bead29ecb139cf91

Revert:

https://github.com/torvalds/linux/commit/231825b2e1ff6ba799c5eaf396d3ab2354e37c6b

The CVE assigned to this (CVE-2024-50089) was then rejected, since the Linux kernel project took over managing Linux kernel CVEs and only allows CVEs for their backported patches, not as a vulnerability tracking system. Upstream Android seems unwilling to temporarily apply a kernel patch. Some other AOSP-based projects are adopting an approach to this we don't believe is correct.
Changes since the 2025052800 release:
- Media Provider: expand our existing protection against CVE-2024-50089, which is still not addressed upstream (we added generic hardening in 2022 as a prerequisite for Storage Scopes which, along with fixing information leaks still unfixed upstream, blocked exploiting CVE-2024-50089 for the common cases of not granting permissions, granting media permissions or using our Storage Scopes feature, but we didn't fully cover "All files access" or the legacy API level equivalent when not using Storage Scopes)
- System Updater: prevent disabling overall notifications due to lack of a use case and many users doing it by accident, but continue allowing disabling the individual notification channels other than the reboot notification
- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.92
- Messaging: update to version 8
https://grapheneos.org/releases#2025060100

Published at 2025-06-01 14:34:53

Event JSON
{
  "id": "a6ba37bc3523f8e9ce0b0d90353454a1fde11832aa426726598735cd34a5b09c",
  "pubkey": "b98ded4ceaea20790dbcb3c31400692009d34c7f9927c286835a99b7481a5c22",
  "created_at": 1748788493,
  "kind": 1,
  "tags": [
    ["t", "GrapheneOS"],
    ["t", "grapheneos"],
    ["r", "https://nvd.nist.gov/vuln/detail/CVE-2024-50089)."],
    ["r", "https://github.com/torvalds/linux/commit/5c26d2f1d3f5e4be3e196526bead29ecb139cf91"],
    ["r", "https://github.com/torvalds/linux/commit/231825b2e1ff6ba799c5eaf396d3ab2354e37c6b"],
    ["r", "https://grapheneos.org/releases#2025060100"]
  ],
  "content": "#GrapheneOS version 2025060100 released.\n\nThis release patches out an Android / Linux kernel vulnerability that isn't fixed upstream whose effectiveness was already very limited in GrapheneOS since 2022.\n\nDue to an upstream Linux kernel vulnerability, Android's attempt at restricting access to Android/data and Android/obb for the file management permission didn't work (https://nvd.nist.gov/vuln/detail/CVE-2024-50089). A fix was implemented in the Linux kernel, then reverted due to breaking compatibility.\n\nFix:\n\nhttps://github.com/torvalds/linux/commit/5c26d2f1d3f5e4be3e196526bead29ecb139cf91\n\nRevert:\n\nhttps://github.com/torvalds/linux/commit/231825b2e1ff6ba799c5eaf396d3ab2354e37c6b\n\nCVE assigned to this (CVE-2024-50089) was then rejected, since the Linux kernel project took over managing Linux kernel CVEs and only allows CVEs for their backported patches, not as a vulnerability tracking system. Upstream Android seems unwilling to temporarily apply a kernel patch. Some other AOSP-based projects are adopting an approach to this we don't believe is correct.\n\nChanges since the 2025052800 release:\n\n- Media Provider: expand our existing protection against CVE-2024-50089 which is still not addressed upstream (we added generic hardening in 2022 as a prerequisite for Storage Scopes which along with fixing information leaks still unfixed upstream blocked exploiting CVE-2024-50089 for the common cases of not granting permissions, granting media permissions or using our Storage Scopes feature but we didn't fully cover \"All files access\" or the legacy API level equivalent when not using Storage Scopes)\n\n- System Updater: prevent disabling overall notifications due to lack of a use case and many users doing it by accident, but continue allowing disabling the individual notification channels other than the reboot notification\n\n- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.92\n\n- Messaging: update to version 8\n\nhttps://grapheneos.org/releases#2025060100\n\n\n",
  "sig": "04cd75138c3c6ca79114b84392cb7372feb7c7b689e7409627f248b8ad79fcd5fb2511f99bfa161c351e80b5ee5ed36691d1a2206b158c5a16d370a9373f4146"
}