CyanogenMod / CYAN-1602

Patch for Android security bug 8219321?

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Framework
    • Labels:
      None
    • Instructions:
      I have not read these instructions

      Description

      Now that some (potential) details about this have been posted on G+, patch it in CM based on the current information?

      Cf. http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

        Activity

        Steve Kondik added a comment -

        It's likely due to the signature issues involved with APKs where dexpreopt has been used. Will see if I can get more info.

        Ricardo Cerqueira added a comment -

        It seems to be either dexpreopt, "upgrading" a system package with another sharing (or appearing to share) the platform key, or both combined. If that's the case, we're good. None of those 2 vectors work with CM (we don't preopt, and we don't allow installation of system packages outside of /system).

        Nikolay Elenkov added a comment - - edited

        Not sure if I should post the G+ link here, but it's related to how Android handles APKs with duplicate entries. It's in one of koush's posts, so should be easy to find. A very crude patch would look like this:

        diff --git a/luni/src/main/java/java/util/zip/ZipFile.java b/luni/src/main/java/
        index 6ecd489..7b19cc9 100644
        --- a/luni/src/main/java/java/util/zip/ZipFile.java
        +++ b/luni/src/main/java/java/util/zip/ZipFile.java
        @@ -363,7 +363,9 @@ public class ZipFile implements ZipConstants {
                 byte[] hdrBuf = new byte[CENHDR]; // Reuse the same buffer for each ent
                 for (int i = 0; i < numEntries; ++i) {
                     ZipEntry newEntry = new ZipEntry(hdrBuf, bin);
        -            mEntries.put(newEntry.getName(), newEntry);
        +            if (mEntries.put(newEntry.getName(), newEntry) != null) {
        +                throw new ZipException("Duplicate entries: file may have been tampered with");
        +            }
                 }
             }
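
        Review bot: The ZipException thrown inside the loop over numEntries does not name the entry that collided, so a rejected archive cannot be diagnosed from the message alone; append newEntry.getName() to the text. The check also sits in java.util.zip.ZipFile itself, so it applies to every archive opened through this class and not only to APKs; a comment stating that duplicate names are rejected for all callers, and why, would help anyone who later hits the exception.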
        

        I don't think there are any legitimate uses for APKs with duplicate entries, but maybe worth investigating.
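
The duplicate-entry check discussed in the comment above, as an added Python example that is not part of the original thread or of CyanogenMod's code: it lists every central-directory record, shows how many survive once records are keyed by name, and refuses an archive in which a name repeats. All function names and the sample archive are assumptions constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(archive_bytes):
    """Map each repeated entry name to the local-header offsets of its records."""
    offsets = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # infolist() returns one ZipInfo per central-directory record, so
        # repeated names are still visible here.
        for info in zf.infolist():
            offsets[info.filename].append(info.header_offset)
    return {name: offs for name, offs in offsets.items() if len(offs) > 1}


def name_keyed_count(archive_bytes):
    """Number of entries left after keying records by name, as a map does."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return len({info.filename: info for info in zf.infolist()})


def check_archive(archive_bytes):
    """Same policy as the patch: refuse the archive if any name repeats."""
    dupes = find_duplicate_entries(archive_bytes)
    if dupes:
        raise zipfile.BadZipFile("Duplicate entries: " + ", ".join(sorted(dupes)))
    return True


def build_sample(names):
    """Constructed input: an in-memory zip listing `names` in the given order."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, "constructed payload %d" % i)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["AndroidManifest.xml", "res/a.txt", "res/a.txt"])
    print(name_keyed_count(sample), find_duplicate_entries(sample))
```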

        Steve Kondik added a comment -

        Patch from Google merged to cm-10.1

        http://review.cyanogenmod.org/#/c/45251/


          People

          • Assignee:
            Steve Kondik
            Reporter:
            Nikolay Elenkov
          • Votes:
            0
            Watchers:
            3
