Google's Android software development kit is using several outdated and vulnerable open-source image processing libraries, according to an alert from Core Security. The security software specialist says it found eight different vulnerabilities in the Android SDK, which is currently in beta.

In an advisory released Mar. 4, Core Security identified several exploitable heap overflows and integer overflows haunting Android, Google's Java-based middleware and application software stack for mobile phones running Linux. The firm warned, “Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most-used image formats (PNG, GIF, and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open-source image processing libraries, other were introduced by native Android code that uses them, or that implements new functionality.”

Although the Android project is currently in a development phase and has not yet made an official release, Core Security noted that several mobile chip vendors have released prototype phones built with early releases of Android.

On the Android Developers Blog, developer advocate Jason Chen confirmed “a security issue involving handling of image files” that has been fixed with the recently updated Android m5-rc15.

Further details about the discovery can be found in an eWEEK story, here.

 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.