FP4 Patch Level Analysis (SnoopSnitch): CVE-2021-39628-1 missing?

Hi, I have a Fairphone 4 with the (currently) latest stable /e/OS installed (2.5-t-20241108446629-official-FP4, Android version 13). A patch level analysis using SnoopSnitch (from F-Droid) seems to suggest that one patch (CVE-2021-39628-1, “Information Disclosure in Framework”) is missing. Is this a false alarm or is there something to it? Attached a screenshot from the results. Many thanks!

That ASB patch covered a fix for StatusBar.java in the SystemUI - a package that moved around in AOSP Android 12+, refactored into Kotlin.

Error to expect the patch should be up to the patch analysis detection (of which inner workings I have no idea … dex classes fingerprinting?). Worth filing an issue and investigating; imo it’s a bug in SnoopSnitch.

(On that particular CVE/fix: a local info disclosure vulnerability (as in needs physical presence) is not something of significance really.)

I realize this is off topic, but to get SnoopSnitch running do you still need root? If so, what did you use to get root?

Thanks for the quick response and the background info, will raise it with SnoopSnitch.

To me, it seems like there are a few things SnoopSnitch can check without root, among them the patch analysis I used and some basic network security information. For the SMS & SS7 attack and IMSI catcher detection, it needs root (which I do not have).


There was one Android bug filed where similar detection saw the patch unapplied - but seemed legit, as in: vendor (MediaTek proprietary) package reintroduced the vulnerable SystemUI code: issuetracker#265267954

I don’t think that’s what happened to you, as your device carries no MediaTek hardware or packages.
