Alin Releases are tested on each supported device before being pushed out. It works fine in the emulator but we don't provide emulator releases and issues specific to the emulator won't block a release. Emulator is only used for development.

    GrapheneOS What does your test suite or cases look like? Do you do automation testing at all? Is it an Excel file with scenarios like make a call, install an app, etc.?

    bizzy

    From the releases page (2023031300)

    full 2023-03-01 security patch level

    Info about the 2023-03-01 patch level lists CVE-2023-24033 as patched

    So, unless I'm missing something, if your phone is updated to this or the last release, this vulnerability is patched for you.

      • [deleted]

      unwat
      I don't use a SIM card. :D

      unwat Ah, thank you. I looked for the CVE on the Android security bulletin and didn't see it there. It was under the Pixel bulletin.

      GrapheneOS Thanks for your answer. I am exploring the GrapheneOS universe, very new in the OS business. Actually I am having a hard time identifying relevant documentation and resources. One of the major questions I have:

      • How do I run a built in AVD/QEMU
      • If I am willing to start developing, are there any recommendations for an IDE, or pre-made development environments/docs?
        PS: Please excuse my dumbness, but I have been running around blindly for some days

      Hello,
      A big thank you for the development of Graphene OS.
      It's my daily system and I love it.

      Currently we are talking about a security breach that affects different devices with an Exynos modem including the Pixel 6.

      My question, which is just a matter of curiosity: do the security measures put in place in GrapheneOS reduce the impact of this vulnerability?

      I am thinking for example of this: https://grapheneos.org/faq#baseband-isolation

      Again, it's just curiosity, it's not a question of minimizing the security issue with Exynos...

      After updating to the newest version there are some minor issues with animations. For example, after the fingerprint is accepted, the numbers for entering the PIN appear. They appear for a second and then disappear.
      Generally the animations are acting weird.

      unwat PLEASE NOTE: that is the full 2023-03-01 Android security patch level, but not the 2023-03-01 Pixel security level. Turn off Wi-Fi Calling and VoLTE for now.

        cdg When it says that the full 2023-03-05 patch level is provided, that means both the Android and Pixel patch levels. You can see there's a special case for the Pixel 6, Pixel 6 Pro and Pixel 6a which we've marked as having the 2023-03-01 Pixel patch level instead of the 2023-03-05 Pixel patch level. This is because the AOSP and stock Pixel OS release for 6th generation Pixels is due to be released on March 20th so we'll need to do another security update release for them.

        6th generation Pixels do already have many of the 2023-03-05 Pixel patches because we incorporated the new firmware and device support code from QPR2 Beta 3.2. However, we don't know for sure that all issues meant to be patched as part of the 2023-03-05 Pixel patch level are patched via our early release. We're being cautious and marking them as 2023-03-01 Pixel patch level instead of 2023-03-05 because we aren't sure, and we think there are likely more patches that will be provided on March 20th (Monday).

        There isn't a need to panic. There are always a lot of pending security patches since there are monthly / quarterly / yearly releases fixing lots of these issues and it generally takes 60 to 120 days for them to fix issues after they're reported. We can move much faster for GrapheneOS but updating Samsung cellular radio firmware is up to Samsung, not us.

          GrapheneOS

          Given the severity and exploitable nature of CVE-2023-24033, I wanted to check I'm following this, as the language isn't unambiguous, afaict, between Android's patch level pages and Graphene's. I'm looking for a definitive answer on this unusually bad/disruptive CVE for Pixel 6, but also hopefully for info that would let me ascertain this myself next time without needing to ask :)

          https://source.android.com/docs/security/bulletin/pixel/2023-03-01 <-- lists CVE-2023-24033 as patched with "2023-03-01 patch level"

          First, is that Android page the most correct/authoritative source to see what was patched in a given patch level?

          Second, note it just says "patch level" - how should a user tell if that refers to the "Android Patch Level" or "2023-03-01 Pixel patch", or other? (e.g. as listed in the GOS changelog https://grapheneos.org/releases#2023031300)

          Thank you.

            hexagonal-lattice There's nothing ambiguous about our previous response. We explained that we don't have a list of which patches are included by the QPR2 Beta 3.2 cellular firmware. We explained that the patch level refers to both the Android and Pixel patch levels.

            The official stable release for the Pixel 6 will be on March 20th which is only 2 days away.

            Please ignore the mistake they made in the text for the March Pixel bulletin where they put 2023-03-01 instead of 2023-03-05. That isn't the way it works.

            Not being happy with our answer isn't a reason to keep asking trying to get the answer you want. Please don't do that again.

              GrapheneOS Releases are tested on each supported device before being pushed out

              Where can we view the test suite please? On GitHub somewhere?

              GrapheneOS

              I think the issue with ambiguity is that people are asking if the P6 is patched or not — yes or no — and keep receiving paragraph responses.

              My understanding is thus:
              The answer is "we don't know" because QPR2 Beta 3.2 does not list exact firmware patches and CVEs remediated. We'll know for certain when the P6 images release on March 20th.

              So, my opinion, in the absence of explicit firmware patch information, is that those worried about CVE-2023-24033 on the P6 should consider their device not patched for the next couple of days.