I think FOSS people (and security folks especially) tend to be extremely cavalier about the whole testing and release process that most commercial programs go through. The prevailing opinion seems to be that you can just update to the latest version of the library and away you go. And, for most FOSS software, this is usually not a problem.
But for commercial products this is just not realistic. On a product as complex as a mobile phone, it was almost certainly undergoing release testing by the time the vulnerability was known and simply upgrading an internal library is not feasible at that point in time.
Now, I certainly agree that Google probably didn't handle this especially well, and their response probably made things worse. A better response would have been: "whoops - okay, the current release is already in the process of going out. Please hold off disclosure until we can get an update out with the fix in it." But well, everyone makes mistakes - hopefully they'll learn from this.
Copyright © 2018, Eklektix, Inc.