Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

To the Fairphone software developers:

If it’s not patchable at driver level, check and correct the number of frames above, on OS API level (sniffing for ALAC channels in media streams).

Or at least just scrap ALAC support: Nobody uses ALAC. Make it optional in the Android settings with default “no ALAC support”.

Leaving this unattended is simply not acceptable (having your device compromised just by surfing to the wrong website.) Maybe it would be better to not provide patches anymore, so users (like me) don’t get a false sense of security. At least display a big warning message after patching: “Your device is still prone to malicious media streams that can result in remote code execution”.

1 Like

Please note this is a user forum. People at FairPhone may occasionally read along, but if you want your (adapted) message to reach them, you should contact FairPhone Support.

4 Likes

Just a reminder that what is happening to the FP2 will happen to the FP3 and FP4.
Qualcomm ends support for the SoC in the FP4 around late 2023.

6 Likes

That's recognized and understood by FP and true for all devices using Qualcomm SOCs as well…So overall in first place a QC issue not a Fairphone issue and a fight David against Goliath…so we need a general change and Fairphone alone is most likely not big enough to do this

2 Likes

I would also like to learn something in this subject area. Maybe someone of you knows the answer to a few questions of mine. That would make me happy. :slightly_smiling_face:

  1. the security updates from Qualcomm must be made for each chipset separately? Or even for each smartphone model?
  2. does Fairphone provide all Qualcomm security updates to custom ROM developers?
  3. This is not directly what this topic is about, but it is just as important:
    Are the security updates for the Linux kernel generic? Can the developer of a custom ROM download the latest kernel updates from somewhere at any time (even after several years)? Or does he have to get them from Fairphone? Does Fairphone always provide all security updates for the Linux kernel?

Maybe a possible approach would be for Fairphone to team up with Graphene??? Graphene has announced that it wants to offer its “own” smartphones and is looking for a hardware manufacturer.

Doesn’t sound like a big ask, but have you asked Fairphone rather than the user forum ?

@LibrePhoner

re kernel:
a device maintainer can pull in Linux patchsets from kernel.org, aosp-common kernel, or the Qualcomm common kernels.
If you do it on a regular basis it doesn’t take long to work through.
Preference would be latter branches as they’ll have more Android/Qualcomm specific fixes.
aosp-common is usually very close behind kernel.org, but CAF kernels are often a dozen+ sublevels behind.

For end of life kernels that are no longer supported by above (anything <=4.4) you can use a tool like my CVE patcher.

re: other updates to aftermarket systems
These are technically a huge gray area and Qualcomm could sue us all out of existence overnight if they wanted to.

3 Likes

no, but that's a good idea

In the case of an end of life kernel, can’t a new version be installed that still has support?

This is for each chipset separately, and that is where problems begin with older ones that Qualcomm doesn’t support anymore. The last update for the FP2 for instance was in 2019. These files can be extracted from the Fairphone OS updates by ROM developers.

The Qualcomm components are compatible with a specific Linux kernel version, 3.4 in the case of the FP2. Fairphone has updated to the last point release of it (3.4.113).

2 Likes

Android devices are typically stuck to the same major version, hence why my patcher exists.
See FP2:

1 Like

Thank you very much for your helpful answers! :slightly_smiling_face: :slightly_smiling_face: :slightly_smiling_face:

How many years does a kernel version usually get security updates? What is the reason that at some point there are no more updates? With Qualcomm it is clear to me. This is a profit-oriented company that has no interest in “wasting” resources “unnecessarily”. They want to sell new chipsets.

Which kernel does the FP4 have and how long will it probably get updates? The CVE patcher would then have to be applied by the developer of the custom ROM, or can a completely inexperienced layman do that? The CVE patcher takes care of the kernel, but the Qualcomm updates are still missing, right?

Linux releases do get a lot of support:
https://kernel.org/category/releases.html

3.0 had support for 2 years
3.4 had 4+ years
3.10 had 5+ years
3.18 had 6 years if you include the Google/Linaro support
4.4 had 6 years and still has support by CIP until 2026 potentially 2036.

> The CVE patcher takes care of the kernel, but the Qualcomm updates are still missing, right?

Indeed, I write about this here:
https://divestos.org/index.php?page=patch_levels
https://divestos.org/index.php?page=technical_details#kernel

FP4

Uses Linux 4.19

5 Likes

@AlbertJP @SkewedZeppelin

Thanks again to both of you for the explanations. The links were also very helpful for me. So now I know the basic background. This is surely also interesting for one or the other silent reader. :slightly_smiling_face:

I wish you a nice rest of the weekend. :slightly_smiling_face:

3 Likes

Qcomm gets away with it because our (legal) system does not hold them accountable for their malpractices. In a sustainable world, this would not be acceptable.

3 Likes

Apologies if this is annoying and please don’t answer if you find it so, but what exactly is this ‘malpractice’ that Qcomm do?

The support staff came with a follow up with some details. Previous reply here.


I consulted directly with the Software team and I have some new information to share about CVE-2021-30351.

Fairphone 2

The FP2 has never supported ALAC so it is not affected by this vulnerability.

Fairphone 3/3+

FP3 is affected and even though Qualcomm no longer provide support for that chipset, we have workarounds we can employ in such cases. ALAC will be disabled on the FP3 in an upcoming patch.

Removing a feature is not an ideal solution but considering the severity of the issue and the popularity (or lack thereof) of ALAC, we believe the tradeoff is worth it. If you or anyone you know will be impacted by the lack of ALAC support, let us know what that impact is and if you can work around it. We’re always happy to hear feedback from our community!

Fairphone 4

FP4 in fact received the necessary fix as part of the December '21 security update

15 Likes

Market leader + planned obsolescence. The art of not giving a fsck by letting perfectly capable hardware expire. Why? Because they already sold their assets (SoCs). It also devalues the second hand market (compare resale value of iPhone vs Android device). Would be something if my dishwasher would not receive software updates anymore after 2 years. Oh well, at least it isn’t IoT (yet…)

5 Likes

I understand the practice, but I see nothing bad in that, it’s just their business model which may not be appealing to some.
There will be instances where I may want to update, and instances where I want to repair, I like to feel in control.

But I’m not in control of what others do nor the items I buy only how I treat other people and the choice of what to buy.

It’s just that purchasing has become an embarrassing ritual and most people want more as they feel more in control.

That Qualcomm or whoever exploits that is par for the game of consumerism, so not really a bad thing but maybe occasionally it’s sad. :cry:

1 Like
