Replicant: Issues (https://redmine.replicant.us/), feed updated 2015-08-21T18:18:27Z
Replicant - Issue #1311 (Rejected): Android KeyStore Stack Buffer Overflow - CVE-2014-3100 (https://redmine.replicant.us/issues/1311, 2015-08-21T18:18:27Z, by My Self)
<p>Replicant seems not to be affected by the vulnerability discussed here: <a class="external" href="http://redmine.replicant.us/boards/39/topics/8283?r=10425#message-10425">http://redmine.replicant.us/boards/39/topics/8283?r=10425#message-10425</a><br />More details: <a class="external" href="https://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/">https://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/</a><br />But why not add the "test for keystore crashing" patch anyway?</p>
<p><strong>Solution/Patches</strong><br />AOSP patch: <a class="external" href="https://android.googlesource.com/platform/cts/+/cb35803">https://android.googlesource.com/platform/cts/+/cb35803</a></p>
Replicant - Issue #1299 (Closed): (Yet another) MediaServer vulnerability - CVE-2015-3842 (https://redmine.replicant.us/issues/1299, 2015-08-18T23:38:32Z, by My Self)
<p>Android versions 2.3 to 5.1.1 should be affected, so Replicant is, too.<br />More details: <a class="external" href="http://blog.trendmicro.com/trendlabs-security-intelligence/mediaserver-takes-another-hit-with-latest-android-vulnerability/">http://blog.trendmicro.com/trendlabs-security-intelligence/mediaserver-takes-another-hit-with-latest-android-vulnerability/</a></p>
<p><strong>Solution/Patches</strong><br />AOSP patch: <a class="external" href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88</a></p>
Replicant - Issue #1287 (Closed): Stagefright vulnerability (https://redmine.replicant.us/issues/1287, 2015-07-28T00:10:08Z, by My Self)
<p>Within this ticket I'll check if Replicant is vulnerable to the Stagefright (<a class="external" href="http://source.android.com/devices/media.html">http://source.android.com/devices/media.html</a>) weaknesses.<br />More details: <a class="external" href="http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/">http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/</a><br />(And there already exists a Replicant forum thread about it: <a class="external" href="http://redmine.replicant.us/boards/39/topics/10329">http://redmine.replicant.us/boards/39/topics/10329</a>)</p>
As far as I understand that vulnerability:
<ul>
<li>the weakness is more or less exclusively present within the hardware-accelerated audio/video decoding, so Replicant doesn't have to be affected (as it doesn't use those proprietary accelerations), but I have to check that in detail.</li>
<li>If Replicant is affected, it doesn't seem to be enough to:
<ul>
<li>avoid Hangouts or disable: Settings -> SMS -> Auto Retrieve MMS -> [uncheck]</li>
<li>disable auto-MMS-reception of the standard SMS app or alternative SMS apps</li>
<li>remove MMS APN: Settings -> More... -> Mobile networks -> Access Point Names -> {choose your MMS provider APN} -> three-dot-menu -> Delete APN</li>
</ul></li>
</ul>
<p>because you would still be vulnerable (e.g. via manipulated email pictures, or any other app which uses the Stagefright media framework).</p>
<p><strong>Solution/Patches</strong><br />CM diffs (I'll preventively try to bring them to Replicant ASAP):<br /><a class="external" href="http://review.cyanogenmod.org/#/c/103267/">http://review.cyanogenmod.org/#/c/103267/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103268/">http://review.cyanogenmod.org/#/c/103268/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103269/">http://review.cyanogenmod.org/#/c/103269/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103270/">http://review.cyanogenmod.org/#/c/103270/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103266/">http://review.cyanogenmod.org/#/c/103266/</a></p>
Replicant - Issue #1263 (Closed): Security revaluation pack [until Android 4.4.3 r1] (https://redmine.replicant.us/issues/1263, 2015-04-02T21:54:04Z, by My Self)
<p>I've crawled the unofficial changelog script [<a class="external" href="http://aosp.changelog.to">http://aosp.changelog.to</a>] using these search criteria:<br /><strong>"CVE"; "secur"ity; "vul"nerability</strong> to make a list of the following security patches, which were missing in Replicant 4.2 (for now):</p>
<ul>
<li>JDQ39 (4.2.2_r1) to JWR64 (4.3_r0) [<a class="external" href="http://aosp.changelog.to/aosp-JDQ39-JWR64.html">http://aosp.changelog.to/aosp-JDQ39-JWR64.html</a>]
<ul>
<li><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/68b13ba">https://android.googlesource.com/platform/frameworks/base/+/68b13ba</a></li>
<li><a class="external" href="https://android.googlesource.com/platform/packages/apps/Phone/+/fff2f9b">https://android.googlesource.com/platform/packages/apps/Phone/+/fff2f9b</a><br /> Secure broadcasts, which prevents 3rd party spoofing.<br /> Bug: 7622253<br /> Patch-file #1: Bugfix-7622253.patch<br /> Patch-file #2: Bugfix-7622253-Phone.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/a2bdffe">https://android.googlesource.com/platform/frameworks/base/+/a2bdffe</a><br /> Prevent SecurityException from crashing Recents<br /> Bug: 6787477<br /> Patch-file: Bugfix-6787477.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/libcore/+/67ff477">https://android.googlesource.com/platform/libcore/+/67ff477</a><br /> Fix Security2Test counting<br /> The test was counting the wrong thing. The alias code path is only triggered by X509 and X.509. This worked when there was only 2 providers that pointed at the opposites. When there were three the problem showed up since it wasn't incrementing the right one.<br /> Patch-file: Fix-Security2Test-counting.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/1b08aab">https://android.googlesource.com/platform/cts/+/1b08aab</a><br /> Add character devices to the insecure devices test.<br /> Patch-file: Add-char-dvc2insec-dvc-test.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/96bc825">https://android.googlesource.com/platform/cts/+/96bc825</a><br /> BannedFilesTest: Detect devices vulnerable to the cmdclient privilege escalation bug.<br /> Patch-file: Fix-cmdclient-BannedFilesTest.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/packages/apps/Email/+/54c88ff">https://android.googlesource.com/platform/packages/apps/Email/+/54c88ff</a><br /> Show an error on security exception for attachments.<br /> This uses an existing notification for bad forwarding. The text is a bit odd ("Attachment not forwarded") but avoids adding new text right now, and at least conveys the error.<br /> Bug: 8417004<br /> Patch-file: Bugfix-8417004.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/packages/apps/Email/+/5ab92ca">https://android.googlesource.com/platform/packages/apps/Email/+/5ab92ca</a><br /> Ensure security policy notifications are shown<br /> Bug: 8510828<br /> Patch-file: Bugfix-8510828.patch</li>
</ul></li>
</ul>
<ul>
<li>JDQ39 (4.2.2_r1) to JSS15J (4.3_r2.1) [<a class="external" href="http://aosp.changelog.to/aosp-JDQ39-JSS15J.html">http://aosp.changelog.to/aosp-JDQ39-JSS15J.html</a>]
<ul>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/deadf91">https://android.googlesource.com/platform/cts/+/deadf91</a><br /> Add test for CVE-2013-2094<br /> Detect CVE-2013-2094, the perf_event_open exploit. A patch for this issue can be found at <a class="external" href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f">http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f</a><br /> Bug: 8962304<br /> Patch-files: CVE-2013-2094.patch<br /> Additionally please [git] add these files to the following paths:
<ul>
<li> tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp</li>
<li> tests/tests/security/src/android/security/cts/NativeCodeTest.java<br /> These two files also include the following two more patches:
<ul>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/aa93584">https://android.googlesource.com/platform/cts/+/aa93584</a><br /> CVE-2013-4254: detect perf_event validate_event bug<br /> Credit: <a class="external" href="https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c">https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c</a><br /> More info: <a class="external" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4254">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4254</a><br /> Bug: 11260636<br /> This patch is from the Android diff of: JSS15J (4.3_r2.1) to KRT16M (4.4_r1) - <a class="external" href="http://aosp.changelog.to/aosp-JSS15J-KRT16M.html">http://aosp.changelog.to/aosp-JSS15J-KRT16M.html</a></li>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/ba28fe6">https://android.googlesource.com/platform/cts/+/ba28fe6</a><br /> Add test for CVE-2014-1710. <br /> Detect devices vulnerable to CVE-2014-1710<br /> Bug: 13539903<br /> This patch is from the Android diff of: KOT49H (4.4.2_r1) to KTU84L (4.4.3_r1) - <a class="external" href="http://aosp.changelog.to/aosp-KOT49H-KTU84L.html">http://aosp.changelog.to/aosp-KOT49H-KTU84L.html</a><br /> Patch-package: CVE-2013-2094.zip (containing the files above)</li>
</ul></li>
</ul></li>
</ul></li>
</ul>
<ul>
<li>JSS15J (4.3_r2.1) to KRT16M (4.4_r1) [<a class="external" href="http://aosp.changelog.to/aosp-JSS15J-KRT16M.html">http://aosp.changelog.to/aosp-JSS15J-KRT16M.html</a>]
<ul>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/ed54695">https://android.googlesource.com/platform/cts/+/ed54695</a><br /> AppSecurity: Add traffic stats test, and fix file access test<br /> Bug: 10349057<br /> Patch-file: Bugfix-10349057.patch
<ul>
<li>Fix the private file access test which would fail because the path was wrong.</li>
<li>Add a test that ensures the private file is actually "not accessible" because it can't be as opposed to it not being there: the new test accesses a public file created at the same time as the private file.</li>
<li>Add tests around traffic stats
<ul>
<li>add internet permission to app that creates data.</li>
<li>generate private traffic stats (tagged sockets).</li>
<li>read back traffic stats to make sure that only public stats are visible.</li>
</ul></li>
</ul></li>
</ul></li>
</ul>
<ul>
<li>KOT49H (4.4.2_r1) to KTU84L (4.4.3_r1) [<a class="external" href="http://aosp.changelog.to/aosp-KOT49H-KTU84L.html">http://aosp.changelog.to/aosp-KOT49H-KTU84L.html</a>]
<ul>
<li><a class="external" href="https://android.googlesource.com/platform/cts/+/0e2d6d9">https://android.googlesource.com/platform/cts/+/0e2d6d9</a><br /> CtsVerifier test for lock screen vulnerability fix.<br /> Lock screen credential reset w/o previous credentials.<br /> The test asks the user to first set a lock screen password and then launch an intent to change it, using an EXTRA that was not being properly validated before the vulnerability was fixed.<br /> Bug: 9858403<br />Patch-package: Bugfix-9858403.zip (containing the files above)<br /> Patch-files: Bugfix-9858403.patch<br /> Additionally please [git] add these files to the following paths:
<ul>
<li> apps/CtsVerifier/res/layout/pass_fail_lockconfirm.xml</li>
<li> apps/CtsVerifier/src/com/android/cts/verifier/security/LockConfirmBypassTest.java</li>
</ul></li>
</ul></li>
</ul>
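<p>An added example (not code from this issue, from Replicant or from AOSP) that automates the search procedure this issue describes: run <code>git log</code> over the commits between two AOSP build tags and keep only the commits whose message matches the same three criteria ("CVE", "secur", "vul"), together with any CVE identifiers they mention. The tag names, the checkout path and the sample log records are assumptions; the sample is constructed, not real AOSP history.</p>

```python
"""Find security-relevant commits between two AOSP build tags.

Added example (not code from this issue, Replicant or AOSP).  It automates the
manual search the issue describes: scan commit messages for "CVE", "secur" and
"vul", then list the matches with any CVE ids they mention so each one can be
checked against the Replicant tree.  Tag names, repo path and sample log are
assumptions.
"""
import re
import subprocess

# The three criteria the issue used ("CVE"; "secur"ity; "vul"nerability),
# matched case-insensitively anywhere in the subject or body.
CRITERIA = ("cve", "secur", "vul")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# One record per commit: hash NUL subject NUL body, terminated by ASCII RS (0x1e),
# which cannot occur in a commit message; git emits a newline after each record.
GIT_FORMAT = "%H%x00%s%x00%b%x1e"
RECORD_SEP = "\x1e"


def git_log_command(old_tag, new_tag, repo="."):
    """argv for `git log` over the commits reachable from new_tag but not old_tag."""
    return ["git", "-C", repo, "log", f"--format={GIT_FORMAT}", f"{old_tag}..{new_tag}"]


def parse_records(log_text):
    """Yield (sha, subject, body) from output produced with GIT_FORMAT."""
    for rec in log_text.split(RECORD_SEP):
        rec = rec.strip("\n")
        if not rec:
            continue
        sha, subject, body = rec.split("\x00", 2)
        yield sha, subject, body


def security_commits(log_text, criteria=CRITERIA):
    """Return [(sha, subject, matched_criteria, cve_ids)] for commits hitting any criterion."""
    hits = []
    for sha, subject, body in parse_records(log_text):
        text = subject + "\n" + body
        lowered = text.lower()
        matched = tuple(c for c in criteria if c in lowered)
        if matched:
            hits.append((sha, subject, matched, sorted(set(CVE_RE.findall(text)))))
    return hits


def security_commits_between(old_tag, new_tag, repo="."):
    """Run git on a real checkout (both tags must exist) and filter its log."""
    proc = subprocess.run(git_log_command(old_tag, new_tag, repo),
                          check=True, capture_output=True, text=True)
    return security_commits(proc.stdout)


# Constructed sample shaped like git's output for GIT_FORMAT (not real AOSP history).
SAMPLE_LOG = (
    "aaaa001\x00Add test for CVE-2013-2094\x00"
    "Detect CVE-2013-2094, the perf_event_open exploit.\n\nBug: 8962304\n\x1e\n"
    "aaaa002\x00Fix typo in README\x00\x1e\n"
    "aaaa003\x00Secure broadcasts\x00Prevents 3rd party spoofing.\n\nBug: 7622253\n\x1e\n"
    "aaaa004\x00Bump version\x00"
    "No longer vulnerable to the old parser bug; see CVE-2013-4254 and CVE-2013-2094.\n\x1e\n"
)

if __name__ == "__main__":
    # On a real checkout: security_commits_between("JDQ39", "JWR64", "/path/to/aosp")
    for sha, subject, matched, cves in security_commits(SAMPLE_LOG):
        print(sha, subject, "|", ",".join(matched), "|", " ".join(cves) or "-")
```

<p>For a quick interactive look the same filter is a one-liner in git itself, <code>git log -i -E --grep='CVE|secur|vul' JDQ39..JWR64</code>; the script above is worth it when the hits need to be collected per release range and cross-checked, as in the list in this issue, against what is already in the Replicant tree.</p>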
<p>The only (big) part I've left open so far is OpenSSL, which I will provide next time...</p>
Replicant - Issue #1257 (Closed): Installer Hijacking vulnerability (https://redmine.replicant.us/issues/1257, 2015-03-30T16:05:58Z, by My Self)
<p>I've checked that Replicant is vulnerable to the Installer Hijacking vulnerability.<br />More information: <a class="external" href="http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/">http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/</a></p>
<p><strong>Solution/Patch</strong><br />Android diff: <a class="external" href="https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/2b3202c3ff18469b294629bf1416118f12492173">https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/2b3202c3ff18469b294629bf1416118f12492173</a></p>
Replicant - Issue #1251 (Closed): GraphicBuffer overflow vulnerability - CVE-2015-1474 (https://redmine.replicant.us/issues/1251, 2015-03-30T15:47:22Z, by My Self)
<p>I've checked that Replicant is vulnerable to the GraphicBuffer overflow (bug: 18076253), registered as CVE-2015-1474.<br />More information: <a class="external" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474</a></p>
<p><strong>Solution/Patch</strong><br />Android diff: <a class="external" href="https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091">https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091</a></p>
Replicant - Issue #1245 (Closed): Fix issue #8470131: Process thrash kills battery (https://redmine.replicant.us/issues/1245, 2015-03-30T14:13:51Z, by My Self)
<p>I've researched a bit because of the battery consumption thread: <a class="external" href="http://redmine.replicant.us/boards/9/topics/7953">http://redmine.replicant.us/boards/9/topics/7953</a> and found in the changelog of later Android versions (<a class="external" href="http://aosp.changelog.to/aosp-JDQ39-JWR64.html">http://aosp.changelog.to/aosp-JDQ39-JWR64.html</a>) the following patch: <a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/a40cfeb">https://android.googlesource.com/platform/frameworks/base/+/a40cfeb</a> with the following description:<br /><em>Protect app widget broadcasts from abuse.<br />In this case the app was sending an APPWIDGET_UPDATE broadcast without specifying a target, which <br />(a) should not be allowed (you should not be able to send updates to other apps), and <br />(b) resulted in every single potential app widget in the system being launched... which was about 75 of them.</em></p>
<p>The source code has the following summarized comments:<br /><em>"[...] we don't want apps to send this, but historically it has not been protected and apps may be using it<br />to poke their own app widget. So, instead of making it protected, just limit it to the caller."</em></p>
<p>In other words, this patch limits the APPWIDGET_UPDATE broadcasts sent by apps to their own packages:</p>
<pre>
if (callerApp == null) {
    String msg = "Permission Denial: not allowed to send broadcast "
</pre>
<p>[this corresponds to (a) in the description above]<br />and prevents every single potential app widget in the system from being launched (triggered by these broadcasts), which drains the battery unnecessarily<br />[this corresponds to (b) in the description above].</p>
Replicant - Issue #1143 (Closed): broadAnyWhere vulnerability - CVE-2014-8609 (https://redmine.replicant.us/issues/1143, 2014-12-28T21:22:43Z, by My Self)
<p>I've checked that Replicant is vulnerable to broadAnyWhere (bug: 17356824), registered as CVE-2014-8609.<br />More information: <a class="external" href="http://seclists.org/fulldisclosure/2014/Nov/81">http://seclists.org/fulldisclosure/2014/Nov/81</a><br />POC (Proof of Concept): <a class="external" href="https://www.youtube.com/watch?v=H05-6BoB4ng">https://www.youtube.com/watch?v=H05-6BoB4ng</a></p>
<p><strong>Solution</strong><br />AOSP diff: <a class="external" href="https://android.googlesource.com/platform/packages/apps/Settings/+/37b58a4">https://android.googlesource.com/platform/packages/apps/Settings/+/37b58a4</a><br />CM commit: <a class="external" href="https://github.com/CyanogenMod/android_packages_apps_Settings/commit/0d7a9ae528029b5f767136c238b6beff3f400ea0">https://github.com/CyanogenMod/android_packages_apps_Settings/commit/0d7a9ae528029b5f767136c238b6beff3f400ea0</a></p>
Replicant - Issue #1113 (Closed): Privilege Escalation vulnerability - CVE-2014-7911 (https://redmine.replicant.us/issues/1113, 2014-12-08T18:16:59Z, by My Self)
<p><strong>Description</strong><br />I've checked that Replicant is vulnerable to the Privilege Escalation (using ObjectInputStream), registered as CVE-2014-7911.<br />More information: <a class="external" href="http://seclists.org/fulldisclosure/2014/Nov/51">http://seclists.org/fulldisclosure/2014/Nov/51</a></p>
<p><strong>Solution</strong><br />AOSP (5.0) patch: <a class="external" href="https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2">https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2</a><br />CM commit: <a class="external" href="https://github.com/CyanogenMod/android_libcore/commit/2d0fbea07c1a3c4368ddb07609d1a86993ed6de9">https://github.com/CyanogenMod/android_libcore/commit/2d0fbea07c1a3c4368ddb07609d1a86993ed6de9</a></p>