Project

General

Profile

Security - 4.2 0002 - superuser vulnerabilities - CVE-2013-[6768/6769/6770]

Added by My Self almost 7 years ago

I've combed through the repository: https://gitorious.org/replicant and I can't find any commit about an update after the superuser update release 1.0.3.0 (in February 2014) from here: https://github.com/koush/Superuser
This update fixes several security related issues:
- https://plus.google.com/103583939320326217147/posts/YpJaDwsSPsX (with explicit patch pointers in it),
- and CVE-2013-6768, CVE-2013-6769, CVE-2013-6770, which are described here: http://forum.xda-developers.com/showthread.php?t=2525552

I can't check the superuser version within Replicant, because it's embedded within the 'com.android.settings', so I kindly wanted to ask that way, if these updates are merged to Replicant, or if they could be merged in future releases?

Thanks for any help.


Replies (5)

RE: Security - 4.2 0002 - superuser vulnerabilities CVE-2013-[6768/6769/6770] and BusyBox vulnerability CVE-2014-4607 - Added by Daniel Kulesz almost 7 years ago

In my opinion, the currently implemented approach of providing the superuser functionality could be enhanced. In the current state (4.2.0002 images), the superuser functionality is hardcoded into the settings and each time a new superuser vulnerability will be found, a new image has to be installed. Since the superuser application is also available through f-droid, I would suggest to only pre-install the (self-built) apk as it comes with f-droid and allow users to pull more recent versions automatically from there, leading to less need for rebuilding images due to security problems in there.

RE: Security - 4.2 0002 - superuser vulnerabilities CVE-2013-[6768/6769/6770] and BusyBox vulnerability CVE-2014-4607 - Added by My Self over 6 years ago

I would also welcome the superuser separation from the settings for the reasons mentioned above.

RE: Security - 4.2 0002 - superuser vulnerabilities - CVE-2013-[6768/6769/6770] - Added by Paul Kocialkowski over 6 years ago

I'm fine with using a prebuilt from F-Droid (that makes sense for the mentioned reasons) and I could separate Superuser from settings if someone was to submit a patch to do so.

RE: Security - 4.2 0002 - superuser vulnerabilities - CVE-2013-[6768/6769/6770] - Added by Daniel Kulesz over 6 years ago

@Paul: Can you provide us with a hint where all the apps (apks) get built? I couldn't find superuser among the prebuilds in the vendor_replicant repo. The necessary patch should probably do two things:

  • Update the get-prebuilts script (in vendor_replicant repo)
  • Remove the existing superuser apk and exclude it from the build process

For the first issue I tried to do a patch (attached).

Regarding the prebuilt apks it would be desirable to find a mechanism to fetch the latest apks from f-droid without manually adapting the script but I guess this would be easier if f-droid supplied some API for this.

RE: Security - 4.2 0002 - superuser vulnerabilities - CVE-2013-[6768/6769/6770] - Added by Paul Kocialkowski over 6 years ago

In the source tree, applications that are not prebuilt have their source code in packages/apps/
Superuser is currently part of the Settings application: packages/apps/Settings/src/com/android/settings/cyanogenmod/superuser

I will certainly try to fix the code in Settings rather than have yet another prebuilt application.

    (1-5/5)