
After reportedly dragging its feet, BlackBerry admits, yes, QNX in cars, equipment suffers from BadAlloc bug
2021-08-19 01:35

BlackBerry this week issued a critical security advisory for past versions of its QNX Real Time Operating System, which is used in more than 175 million cars as well as in medical equipment and industrial systems.

BlackBerry QNX Software Development Platform version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 are affected by an integer overflow vulnerability in the calloc() function of the C runtime library.

The Register asked BlackBerry to explain the four-month disclosure delay and we've not heard back.

"BlackBerry is aware of this matter and can confirm that it does not impact current or recent versions of the QNX RTOS, but rather versions dating from 2012 and earlier," the company said in a statement, adding that all potentially affected customers have been notified.

The client could trick the server into allocating too small a space for the incoming information, allowing the client to subsequently overwrite the server program's data and hijack its operation.
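As an added defensive example (not code from BlackBerry, QNX or the article): a C calloc() wrapper that rejects element-count/size pairs whose product wraps, next to an explicit 32-bit model showing how a large client-supplied count turns into a tiny byte count. The record size and the request counts are constructed values for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* True when nmemb * size cannot be represented in size_t, i.e. a calloc()
 * that multiplies unchecked would return a buffer smaller than expected. */
bool calloc_would_overflow(size_t nmemb, size_t size) {
    if (nmemb == 0 || size == 0)
        return false;
    return nmemb > SIZE_MAX / size;
}

/* The wrapped product a 32-bit allocator computes for nmemb * size,
 * modelled with explicit 32-bit arithmetic so it behaves the same on a 64-bit host. */
uint32_t wrapped_bytes_32(uint32_t nmemb, uint32_t size) {
    uint64_t full = (uint64_t)nmemb * size;
    return (uint32_t)full;            /* only the low 32 bits survive */
}

/* Hardened wrapper: refuse the request rather than hand back a truncated
 * buffer that later copies would overrun. */
void *checked_calloc(size_t nmemb, size_t size) {
    if (calloc_would_overflow(nmemb, size))
        return NULL;
    return calloc(nmemb, size);
}

/* Server-side shape described in the article: an element count arrives from
 * an untrusted client and sizes the allocation. record_size is an assumed
 * value for illustration. Returns true if the request was accepted. */
bool accept_client_record_count(uint64_t claimed_count, size_t record_size) {
    if (claimed_count > (uint64_t)SIZE_MAX)   /* does not even fit size_t */
        return false;
    void *buf = checked_calloc((size_t)claimed_count, record_size);
    if (buf == NULL)
        return false;
    free(buf);                        /* a real server would parse into buf */
    return true;
}

int main(void) {
    /* Constructed hostile count: with a 32-bit size_t, 0x40000001 * 4 wraps to 4. */
    printf("wrapped 32-bit byte count: %u\n", wrapped_bytes_32(0x40000001u, 4));
    printf("oversized request accepted: %s\n",
           accept_client_record_count(UINT64_MAX, 4) ? "yes" : "no");
    return 0;
}
```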

BlackBerry said it has made patches available and is working with government and industry groups, noting that none of its customers have reported any impact from the code flaws.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/08/19/blackberry_qnxrtos_badalloc/
