The following security vulnerability has been identified in the NativeDaemonConnector class.
Due to the state of a boolean variable within the NativeDaemonConnector class, messages passed to its log method are written to the system log. In some cases this results in unwanted logging of potentially sensitive information, such as the disk encryption password, when MountService instantiates NativeDaemonConnector to pass and log its communication with vold. Messages in the system log can be read by an adversary, e.g., through the logcat functionality.
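The pattern described above, shown beside one way to keep the secret out of the log. This is an added example, not the Android framework code or the patch referenced in this advisory; the class `DaemonCommandLog`, the `SensitiveArg` wrapper, the `LOGD` flag, the in-memory `LOG` list and the sample command are all hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for a daemon connector; not the Android framework class.
public class DaemonCommandLog {
    /** Marker wrapper: the value goes to the daemon but must never reach the log. */
    static final class SensitiveArg {
        final Object value;
        SensitiveArg(Object value) { this.value = value; }
    }

    static final boolean LOGD = true;                   // debug flag left enabled
    static final List<String> LOG = new ArrayList<>();  // stands in for the system log

    // Before: one string is built and used for both the socket and the log.
    static String sendUnsafe(String cmd, Object... args) {
        StringBuilder raw = new StringBuilder(cmd);
        for (Object a : args) {
            Object v = (a instanceof SensitiveArg) ? ((SensitiveArg) a).value : a;
            raw.append(' ').append(v);
        }
        if (LOGD) LOG.add("SND -> {" + raw + "}");
        return raw.toString();
    }

    // After: the wire string and the log string are built separately,
    // so a sensitive argument is replaced before anything is logged.
    static String sendRedacted(String cmd, Object... args) {
        StringBuilder raw = new StringBuilder(cmd);
        StringBuilder safe = new StringBuilder(cmd);
        for (Object a : args) {
            boolean secret = a instanceof SensitiveArg;
            raw.append(' ').append(secret ? ((SensitiveArg) a).value : a);
            safe.append(' ').append(secret ? "[scrubbed]" : a);
        }
        if (LOGD) LOG.add("SND -> {" + safe + "}");
        return raw.toString();
    }

    public static void main(String[] argv) {
        // Constructed sample command and secret, for illustration only.
        SensitiveArg pw = new SensitiveArg("correct-horse");
        sendUnsafe("volume unlock", pw);
        sendRedacted("volume unlock", pw);
        LOG.forEach(System.out::println);
    }
}
```

Both methods return the same string for the daemon; only the logged line differs, so redaction does not depend on the debug flag being switched off in a release build.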
Security Risk: high
Vulnerability: CWE-534 (information exposure through debug log files)
All Android releases from CAF using the Linux kernel from the following heads:
We advise customers to apply the following patch: