<p><strong>Replicant: Issues</strong><br />https://redmine.replicant.us/ - 2015-11-18T21:36:26Z - Replicant</p>
<p><strong>Replicant - Issue #1449 (Closed): Patchset for CVE-2015-3843, CVE-2014-2851, CVE-2013-6271, CVE-2...</strong><br />https://redmine.replicant.us/issues/1449 - 2015-11-18T21:36:26Z - My Self</p>
<p>I searched around a bit and found some more Replicant vulnerabilities. With this issue I want to provide the patches for them.</p>
<p>I've merged them already to my local Replicant 4.2 repo and successfully compiled/reflashed/tested them on my i9100 (with smdk4412 kernel).</p>
<blockquote>
<p>CVE-2015-3843</p>
</blockquote>
<p>more information: <a class="external" href="http://achaykin.blogspot.de/2015/08/spoofing-and-intercepting-sim-commands.html">http://achaykin.blogspot.de/2015/08/spoofing-and-intercepting-sim-commands.html</a><br />patch: <a class="external" href="https://android.googlesource.com/platform/packages/apps/Stk/+/bab5e5e6c1d45dade413e620d6e37d5d3d0e99e4">https://android.googlesource.com/platform/packages/apps/Stk/+/bab5e5e6c1d45dade413e620d6e37d5d3d0e99e4</a><br />file in patchset: <code>0001-Fix-tab-space-inconsistencies-in-stk_msg_dialog.xml.patch</code><br />to be merged in: packages/apps/Stk/</p>
<blockquote>
<p>tcp_cubic</p>
</blockquote>
<p>more information: <a class="external" href="http://bitsup.blogspot.ca/2015/09/thanks-google-tcp-team-for-open-source.html">http://bitsup.blogspot.ca/2015/09/thanks-google-tcp-team-for-open-source.html</a><br />patch: <a class="external" href="https://github.com/torvalds/linux/commit/30927520dbae297182990bb21d08762bcc35ce1d">https://github.com/torvalds/linux/commit/30927520dbae297182990bb21d08762bcc35ce1d</a><br />file in patchset: <code>0002-tcp_cubic-better-follow-cubic-curve-after-idle-perio.patch</code><br />to be merged in:<br />kernel/goldelico/gta04/net/<br />kernel/samsung/aries/net/<br />kernel/samsung/crespo/net/<br />kernel/samsung/espresso10/net/<br />kernel/samsung/smdk4412/net/<br />kernel/samsung/tuna/net/</p>
<blockquote>
<p>CVE-2014-2851</p>
</blockquote>
<p>more information: <a class="external" href="http://forum.xda-developers.com/showthread.php?p=53195295#post53195295">http://forum.xda-developers.com/showthread.php?p=53195295#post53195295</a> and <a class="external" href="http://forum.xda-developers.com/showpost.php?p=53195627&postcount=130">http://forum.xda-developers.com/showpost.php?p=53195627&postcount=130</a><br />patch: <a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/00caf17c45028843311129de54cd6af62f714f28">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/00caf17c45028843311129de54cd6af62f714f28</a><br />file in patchset: <code>0003-net-ipv4-current-group_info-should-be-put-after-usin.patch</code><br />to be merged in:<br />kernel/samsung/aries/net/<br />kernel/samsung/crespo/net/<br />kernel/samsung/espresso10/net/<br />kernel/samsung/smdk4412/net/<br />kernel/samsung/tuna/net/<br />file in patchset: <code>0003-GTA04-net-ipv4-current-group_info-should-be-put-after-usin.patch</code><br />to be merged in: kernel/goldelico/gta04/net/</p>
<blockquote>
<p>security bug</p>
</blockquote>
<p>more information: <a class="external" href="http://forum.xda-developers.com/showpost.php?p=48627823&postcount=113">http://forum.xda-developers.com/showpost.php?p=48627823&postcount=113</a><br />patch 1/2: <a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/8f1bd0c0a8447f35b00130dd1a508dd95b5323ff">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/8f1bd0c0a8447f35b00130dd1a508dd95b5323ff</a><br />file in patchset: <code>0004-Staging-TIDSPBRIDGE-Use-vm_iomap_memory-for-mmap-ing.patch</code><br />to be merged in:<br />kernel/samsung/aries/drivers/<br />kernel/samsung/crespo/drivers/<br />kernel/samsung/espresso10/drivers/<br />kernel/samsung/smdk4412/drivers/<br />kernel/samsung/tuna/drivers/<br />file in patchset: <code>0004-GTA04-Staging-TIDSPBRIDGE-Use-vm_iomap_memory-for-mmap-ing.patch</code><br />to be merged in: kernel/goldelico/gta04/drivers/<br />patch 2/2: <a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/ae15456ce30a204942e1b92267313ffdcdebc62d">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/ae15456ce30a204942e1b92267313ffdcdebc62d</a><br />file in patchset: <code>0005-tidspbridge-fix-last-patch-to-map-same-region-of-phy.patch</code><br />to be merged in:<br />kernel/samsung/aries/drivers/<br />kernel/samsung/crespo/drivers/<br />kernel/samsung/espresso10/drivers/<br />kernel/samsung/smdk4412/drivers/<br />kernel/samsung/tuna/drivers/<br />file in patchset: <code>0005-GTA04-tidspbridge-fix-last-patch-to-map-same-region-of-phy.patch</code><br />to be merged in: kernel/goldelico/gta04/drivers/</p>
<blockquote>
<p>vold_asec</p>
</blockquote>
<p>more information: <a class="external" href="http://www.androidvulnerabilities.org/vulnerabilities/vold_asec">http://www.androidvulnerabilities.org/vulnerabilities/vold_asec</a><br />patch: <a class="external" href="https://android.googlesource.com/platform/system/vold/+/0de7c61">https://android.googlesource.com/platform/system/vold/+/0de7c61</a><br />file in patchset: <code>0006-Validate-asec-names.patch</code><br />to be merged in: system/vold/</p>
<blockquote>
<p>CVE-2013-6271 - Remove Device Locks from Android Phone</p>
</blockquote>
<p>more information: <a class="external" href="http://blog.curesec.com/article/blog/CVE-2013-6271-Remove-Device-Locks-from-Android-Phone-26.html">http://blog.curesec.com/article/blog/CVE-2013-6271-Remove-Device-Locks-from-Android-Phone-26.html</a><br />patch: <a class="external" href="https://android.googlesource.com/platform/packages/apps/Settings/+/66026773bbf1d7631743a5b892a4f768c694f868">https://android.googlesource.com/platform/packages/apps/Settings/+/66026773bbf1d7631743a5b892a4f768c694f868</a><br />Replicant issue: <a class="external" href="http://redmine.replicant.us/issues/1359">http://redmine.replicant.us/issues/1359</a> - all the credit to Wolfgang Wiedmeyer!</p>
<blockquote>
<p>CVE-2013-6282 - Qualcomm missing checks put_user get_user</p>
</blockquote>
<p>more information: <a class="external" href="http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_missing_checks_put_user_get_user">http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_missing_checks_put_user_get_user</a><br />patch: <a class="external" href="https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483">https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483</a><br />XDA: <a class="external" href="http://forum.xda-developers.com/showpost.php?p=50453497&postcount=128">http://forum.xda-developers.com/showpost.php?p=50453497&postcount=128</a><br />CM: <a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/300345731b3e37349dd299a67b51bd202512ef0a">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/300345731b3e37349dd299a67b51bd202512ef0a</a><br />file in patchset: <code>0007-smdk4412-ARM-7527-1-uaccess-explicitly-check-__user-pointer-w.patch</code><br />to be merged in: kernel/samsung/smdk4412/<br /><strong>TODO: create patches for the following other kernels:</strong><br />kernel/samsung/aries<br />kernel/samsung/crespo<br />kernel/samsung/espresso10<br />kernel/samsung/tuna<br />kernel/goldelico/gta04/</p>
<blockquote>
<p>CVE-2014-3153</p>
</blockquote>
<p>more information: <a class="external" href="http://forum.xda-developers.com/showthread.php?p=53195295#post53195295">http://forum.xda-developers.com/showthread.php?p=53195295#post53195295</a> and <a class="external" href="http://forum.xda-developers.com/showpost.php?p=53195627&postcount=130">http://forum.xda-developers.com/showpost.php?p=53195627&postcount=130</a><br />patches:<br /><a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/2222834ffe15aca6ee7cb8b0d36b859b0b1a7baa">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/2222834ffe15aca6ee7cb8b0d36b859b0b1a7baa</a><br />file in patchset: <code>0008-smdk4412-futex-Add-another-early-deadlock-detection-check.patch</code><br />to be merged in: kernel/samsung/smdk4412/<br />file in patchset: <code>0008-espresso10-futex-Add-another-early-deadlock-detection-check.patch</code><br />to be merged in: kernel/samsung/espresso10<br /><strong>TODO: create patches for the following other kernels:</strong><br />kernel/samsung/aries<br />kernel/samsung/crespo<br />kernel/samsung/tuna<br />kernel/goldelico/gta04/<br /><a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/baebae0d76389821c688aa33a95d8e872c470b35">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/baebae0d76389821c688aa33a95d8e872c470b35</a><br />file in patchset: <code>0009-smdk4412-futex-Prevent-attaching-to-kernel-threads.patch</code><br />to be merged in: kernel/samsung/smdk4412/<br />file in patchset: <code>0009-espresso10-futex-Prevent-attaching-to-kernel-threads.patch</code><br />to be merged in: kernel/samsung/espresso10<br /><strong>TODO: create patches for the following other kernels:</strong><br />kernel/samsung/aries<br />kernel/samsung/crespo<br />kernel/samsung/tuna<br />kernel/goldelico/gta04/<br /><a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/7189b4cd641fa63abe09ec03e24f3e5e0c3b6ff8">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/7189b4cd641fa63abe09ec03e24f3e5e0c3b6ff8</a><br /><em>This patch was already merged into the existing Replicant 4.2 codebase.</em><br /><a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/439741e669d36bf077e697fefd2c55beeeff7949">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/439741e669d36bf077e697fefd2c55beeeff7949</a><br />file in patchset: <code>0010-smdk4412-futex-Validate-atomic-acquisition-in-futex_lock_pi_a.patch</code><br />to be merged in: kernel/samsung/smdk4412/<br />file in patchset: <code>0010-espresso10-futex-Validate-atomic-acquisition-in-futex_lock_pi_a.patch</code><br />to be merged in: kernel/samsung/espresso10<br /><strong>TODO: create patches for the following other kernels:</strong><br />kernel/samsung/aries<br />kernel/samsung/crespo<br />kernel/samsung/tuna<br />kernel/goldelico/gta04/<br /><a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/e07cc0930f8c57e2e8784ad4b82a072ce69bf4fd">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/e07cc0930f8c57e2e8784ad4b82a072ce69bf4fd</a><br />file in patchset: <code>0011-smdk4412-futex-Always-cleanup-owner-tid-in-unlock_pi.patch</code><br />to be merged in: kernel/samsung/smdk4412/<br />file in patchset: <code>0011-espresso10-futex-Always-cleanup-owner-tid-in-unlock_pi.patch</code><br />to be merged in: kernel/samsung/espresso10<br /><strong>TODO: create patches for the following other kernels:</strong><br />kernel/samsung/aries<br />kernel/samsung/crespo<br />kernel/samsung/tuna<br />kernel/goldelico/gta04/<br /><a class="external" href="https://github.com/CyanogenMod/android_kernel_bn_encore/commit/0099c6a9ea68910e79084f4600f72e0fe2018e92">https://github.com/CyanogenMod/android_kernel_bn_encore/commit/0099c6a9ea68910e79084f4600f72e0fe2018e92</a><br />file in patchset: <code>0012-smdk4412-futex-Make-lookup_pi_state-more-robust.patch</code><br />to be merged in: kernel/samsung/smdk4412/<br />file in patchset: <code>0012-espresso10-futex-Make-lookup_pi_state-more-robust.patch</code><br />to be merged in: kernel/samsung/espresso10<br /><strong>TODO: create patches for the following other kernels:</strong><br />kernel/samsung/aries<br />kernel/samsung/crespo<br />kernel/samsung/tuna<br />kernel/goldelico/gta04/</p>
<blockquote>
<p>CVE-2014-0196 - pty race</p>
</blockquote>
<p>more information: <a class="external" href="http://www.androidvulnerabilities.org/vulnerabilities/pty_race">http://www.androidvulnerabilities.org/vulnerabilities/pty_race</a><br />orig. patch: <a class="external" href="http://www.openwall.com/lists/oss-security/2014/05/05/6">http://www.openwall.com/lists/oss-security/2014/05/05/6</a><br />XDA: <a class="external" href="http://forum.xda-developers.com/showpost.php?p=52615662&postcount=129">http://forum.xda-developers.com/showpost.php?p=52615662&postcount=129</a><br />patch: <a class="external" href="https://github.com/steven676/ti-omap-encore-kernel3/commit/83540d5233d8f970f1d4c0c43f15d6f0ed10877c">https://github.com/steven676/ti-omap-encore-kernel3/commit/83540d5233d8f970f1d4c0c43f15d6f0ed10877c</a><br />file in patchset: <code>0013-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch</code><br />to be merged in:<br />kernel/samsung/aries<br />kernel/samsung/crespo<br />kernel/samsung/espresso10<br />kernel/samsung/smdk4412/<br />kernel/goldelico/gta04/<br /><strong>TODO: create a patch for the following other kernel:</strong><br />kernel/samsung/tuna</p>
<blockquote>
<p>CVE-2014-7912 - dhcpd buffer overrun</p>
</blockquote>
<p>more information: <a class="external" href="http://www.androidvulnerabilities.org/vulnerabilities/dhcpd_buffer_overrun">http://www.androidvulnerabilities.org/vulnerabilities/dhcpd_buffer_overrun</a><br />patch: <a class="external" href="https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0">https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0</a><br />file in patchset: <code>0014-Fun_with_buffer-overrruns.patch</code><br />to be merged in: external/dhcpcd</p>
<p><strong>Replicant - Issue #1311 (Rejected): Android KeyStore Stack Buffer Overflow - CVE-2014-3100</strong><br />https://redmine.replicant.us/issues/1311 - 2015-08-21T18:18:27Z - My Self</p>
<p>Replicant seems not to be affected by the vulnerability listed here: <a class="external" href="http://redmine.replicant.us/boards/39/topics/8283?r=10425#message-10425">http://redmine.replicant.us/boards/39/topics/8283?r=10425#message-10425</a><br />More details: <a class="external" href="https://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/">https://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/</a><br />But why not add the "test for keystore crashing" patch anyway?</p>
<p><strong>Solution/Patches</strong><br />AOSP patch: <a class="external" href="https://android.googlesource.com/platform/cts/+/cb35803">https://android.googlesource.com/platform/cts/+/cb35803</a></p>
<p><strong>Replicant - Issue #1299 (Closed): (Yet another) MediaServer vulnerability - CVE-2015-3842</strong><br />https://redmine.replicant.us/issues/1299 - 2015-08-18T23:38:32Z - My Self</p>
<p>Android versions 2.3 to 5.1.1 should be affected, so Replicant is, too.<br />More details: <a class="external" href="http://blog.trendmicro.com/trendlabs-security-intelligence/mediaserver-takes-another-hit-with-latest-android-vulnerability/">http://blog.trendmicro.com/trendlabs-security-intelligence/mediaserver-takes-another-hit-with-latest-android-vulnerability/</a></p>
<p><strong>Solution/Patches</strong><br />AOSP patch: <a class="external" href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88</a></p>
<p><strong>Replicant - Issue #1287 (Closed): Stagefright vulnerability</strong><br />https://redmine.replicant.us/issues/1287 - 2015-07-28T00:10:08Z - My Self</p>
<p>Within this ticket I'll check if Replicant is vulnerable to the Stagefright (<a class="external" href="http://source.android.com/devices/media.html">http://source.android.com/devices/media.html</a>) weaknesses.<br />More details: <a class="external" href="http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/">http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/</a><br />(And there already exists a Replicant forum thread about it: <a class="external" href="http://redmine.replicant.us/boards/39/topics/10329">http://redmine.replicant.us/boards/39/topics/10329</a>)</p>
<p>As far as I understand that vulnerability:</p>
<ul>
<li>the weakness is more or less exclusively present within the hardware-accelerated audio/video decoding, so Replicant doesn't have to be affected (since it doesn't use those proprietary accelerations), but I have to check that in detail.</li>
<li>If Replicant is affected, it doesn't seem to be enough to:
<ul>
<li>avoid Hangouts or disable: Settings -> SMS -> Auto Retrieve MMS -> [uncheck]</li>
<li>disable auto-MMS-reception of the standard SMS app or alternative SMS apps</li>
<li>remove MMS APN: Settings -> More... -> Mobile networks -> Access Point Names -> {choose your MMS provider APN} -> three-dot-menu -> Delete APN</li>
</ul></li>
</ul>
<p>because you would still be vulnerable (e.g. via manipulated email pictures, or any other app which uses the Stagefright media framework).</p>
<p><strong>Solution/Patches</strong><br />CM diffs (I'll preventively try to bring them to Replicant ASAP):<br /><a class="external" href="http://review.cyanogenmod.org/#/c/103267/">http://review.cyanogenmod.org/#/c/103267/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103268/">http://review.cyanogenmod.org/#/c/103268/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103269/">http://review.cyanogenmod.org/#/c/103269/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103270/">http://review.cyanogenmod.org/#/c/103270/</a><br /><a class="external" href="http://review.cyanogenmod.org/#/c/103266/">http://review.cyanogenmod.org/#/c/103266/</a></p>
<p><strong>Replicant - Issue #1263 (Closed): Security revaluation pack [until Android 4.4.3 r1]</strong><br />https://redmine.replicant.us/issues/1263 - 2015-04-02T21:54:04Z - My Self</p>
<p>I've crawled the unofficial changelog script [<a class="external" href="http://aosp.changelog.to">http://aosp.changelog.to</a>] using these search criteria:<br /><strong>"CVE"; "secur"ity; "vul"nerability</strong> to make a list of the following security patches, which were missing in Replicant 4.2 (for now):</p>
<ul>
<li>JDQ39 (4.2.2_r1) to JWR64 (4.3_r0) [<a class="external" href="http://aosp.changelog.to/aosp-JDQ39-JWR64.html">http://aosp.changelog.to/aosp-JDQ39-JWR64.html</a>]
<ul>
<li><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/68b13ba">https://android.googlesource.com/platform/frameworks/base/+/68b13ba</a></li>
<li><a class="external" href="https://android.googlesource.com/platform/packages/apps/Phone/+/fff2f9b">https://android.googlesource.com/platform/packages/apps/Phone/+/fff2f9b</a><br /> Secure broadcasts, which prevents 3rd party spoofing.<br /> Bug: 7622253<br /> Patch-file #1: Bugfix-7622253.patch<br /> Patch-file #2: Bugfix-7622253-Phone.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/a2bdffe">https://android.googlesource.com/platform/frameworks/base/+/a2bdffe</a><br /> Prevent SecurityException from crashing Recents<br /> Bug: 6787477<br /> Patch-file: Bugfix-6787477.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/libcore/+/67ff477">https://android.googlesource.com/platform/libcore/+/67ff477</a><br /> Fix Security2Test counting<br /> The test was counting the wrong thing. The alias code path is only triggered by X509 and X.509. This worked when there were only 2 providers that pointed at the opposites. When there were three the problem showed up since it wasn't incrementing the right one.<br /> Patch-file: Fix-Security2Test-counting.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/1b08aab">https://android.googlesource.com/platform/cts/+/1b08aab</a><br /> Add character devices to the insecure devices test.<br /> Patch-file: Add-char-dvc2insec-dvc-test.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/96bc825">https://android.googlesource.com/platform/cts/+/96bc825</a><br /> BannedFilesTest: Detect devices vulnerable to the cmdclient privilege escalation bug.<br /> Patch-file: Fix-cmdclient-BannedFilesTest.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/packages/apps/Email/+/54c88ff">https://android.googlesource.com/platform/packages/apps/Email/+/54c88ff</a><br /> Show an error on security exception for attachments.<br /> This uses an existing notification for bad forwarding. The text is a bit odd ("Attachment not forwarded") but avoids adding new text right now, and at least conveys the error.<br /> Bug: 8417004<br /> Patch-file: Bugfix-8417004.patch</li>
<li> <a class="external" href="https://android.googlesource.com/platform/packages/apps/Email/+/5ab92ca">https://android.googlesource.com/platform/packages/apps/Email/+/5ab92ca</a><br /> Ensure security policy notifications are shown<br /> Bug: 8510828<br /> Patch-file: Bugfix-8510828.patch</li>
</ul></li>
</ul>
<ul>
<li>JDQ39 (4.2.2_r1) to JSS15J (4.3_r2.1) [<a class="external" href="http://aosp.changelog.to/aosp-JDQ39-JSS15J.html">http://aosp.changelog.to/aosp-JDQ39-JSS15J.html</a>]
<ul>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/deadf91">https://android.googlesource.com/platform/cts/+/deadf91</a><br /> Add test for CVE-2013-2094<br /> Detect CVE-2013-2094, the perf_event_open exploit. A patch for this issue can be found at <a class="external" href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f">http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f</a><br /> Bug: 8962304<br /> Patch-files: CVE-2013-2094.patch<br /> Additionally please [git] add these files to the following path:
<ul>
<li> tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp</li>
<li> tests/tests/security/src/android/security/cts/NativeCodeTest.java<br /> These two files also include the following two more patches:
<ul>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/aa93584">https://android.googlesource.com/platform/cts/+/aa93584</a><br /> CVE-2013-4254: detect perf_event validate_event bug<br /> Credit: <a class="external" href="https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c">https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c</a><br /> More info: <a class="external" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4254">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4254</a><br /> Bug: 11260636<br /> This patch is from the Android diff of: JSS15J (4.3_r2.1) to KRT16M (4.4_r1) - <a class="external" href="http://aosp.changelog.to/aosp-JSS15J-KRT16M.html">http://aosp.changelog.to/aosp-JSS15J-KRT16M.html</a></li>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/ba28fe6">https://android.googlesource.com/platform/cts/+/ba28fe6</a><br /> Add test for CVE-2014-1710. <br /> Detect devices vulnerable to CVE-2014-1710<br /> Bug: 13539903<br /> This patch is from the Android diff of: KOT49H (4.4.2_r1) to KTU84L (4.4.3_r1) - <a class="external" href="http://aosp.changelog.to/aosp-KOT49H-KTU84L.html">http://aosp.changelog.to/aosp-KOT49H-KTU84L.html</a><br /> Patch-package: CVE-2013-2094.zip (containing the files above)</li>
</ul></li>
</ul></li>
</ul></li>
</ul>
<ul>
<li>JSS15J (4.3_r2.1) to KRT16M (4.4_r1) [<a class="external" href="http://aosp.changelog.to/aosp-JSS15J-KRT16M.html">http://aosp.changelog.to/aosp-JSS15J-KRT16M.html</a>]
<ul>
<li> <a class="external" href="https://android.googlesource.com/platform/cts/+/ed54695">https://android.googlesource.com/platform/cts/+/ed54695</a><br /> AppSecurity: Add traffic stats test, and fix file access test<br /> Bug: 10349057<br /> Patch-file: Bugfix-10349057.patch
<ul>
<li>Fix the private file access test which would fail because the path was wrong.</li>
<li>Add a test that ensures the private file is actually "not accessible" because it can't be as opposed to it not being there: the new test accesses a public file created at the same time as the private file.</li>
<li>Add tests around traffic stats
<ul>
<li>add internet permission to app that creates data.</li>
<li>generate private traffic stats (tagged sockets).</li>
<li>read back traffic stats to make sure that only public stats are visible.</li>
</ul></li>
</ul></li>
</ul></li>
</ul>
<ul>
<li>KOT49H (4.4.2_r1) to KTU84L (4.4.3_r1) [<a class="external" href="http://aosp.changelog.to/aosp-KOT49H-KTU84L.html">http://aosp.changelog.to/aosp-KOT49H-KTU84L.html</a>]
<ul>
<li><a class="external" href="https://android.googlesource.com/platform/cts/+/0e2d6d9">https://android.googlesource.com/platform/cts/+/0e2d6d9</a><br /> CtsVerifier test for lock screen vulnerability fix.<br /> Lock screen credential reset w/o previous credentials.<br /> The test asks the user to first set a lock screen password and then launch an intent to change it, using an EXTRA that was not being properly validated before the vulnerability was fixed.<br /> Bug: 9858403<br /> Patch-package: Bugfix-9858403.zip (containing the files above)<br /> Patch-files: Bugfix-9858403.patch<br /> Additionally please [git] add these files to the following path:
<ul>
<li> apps/CtsVerifier/res/layout/pass_fail_lockconfirm.xml</li>
<li> apps/CtsVerifier/src/com/android/cts/verifier/security/LockConfirmBypassTest.java</li>
</ul></li>
</ul></li>
</ul>
<p>The only (big) part I've left open yet is OpenSSL, which I will provide next time...</p>
<p><strong>Replicant - Issue #1257 (Closed): Installer Hijacking vulnerability</strong><br />https://redmine.replicant.us/issues/1257 - 2015-03-30T16:05:58Z - My Self</p>
<p>I've checked that Replicant is vulnerable to the Installer Hijacking vulnerability.<br />More information: <a class="external" href="http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/">http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/</a></p>
<p><strong>Solution/Patch</strong><br />Android diff: <a class="external" href="https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/2b3202c3ff18469b294629bf1416118f12492173">https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/2b3202c3ff18469b294629bf1416118f12492173</a></p>
<p><strong>Replicant - Issue #1251 (Closed): GraphicBuffer overflow vulnerability - CVE-2015-1474</strong><br />https://redmine.replicant.us/issues/1251 - 2015-03-30T15:47:22Z - My Self</p>
<p>I've checked that Replicant is vulnerable to the GraphicBuffer overflow (bug: 18076253), registered as CVE-2015-1474.<br />More information: <a class="external" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474</a></p>
<p><strong>Solution/Patch</strong><br />Android diff: <a class="external" href="https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091">https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091</a></p>
<p><strong>Replicant - Issue #1143 (Closed): broadAnyWhere vulnerability - CVE-2014-8609</strong><br />https://redmine.replicant.us/issues/1143 - 2014-12-28T21:22:43Z - My Self</p>
<p>I've checked that Replicant is vulnerable to the broadAnyWhere vulnerability (bug: 17356824), registered as CVE-2014-8609.<br />More information: <a class="external" href="http://seclists.org/fulldisclosure/2014/Nov/81">http://seclists.org/fulldisclosure/2014/Nov/81</a><br />POC (Proof of Concept): <a class="external" href="https://www.youtube.com/watch?v=H05-6BoB4ng">https://www.youtube.com/watch?v=H05-6BoB4ng</a></p>
<p><strong>Solution</strong><br />AOSP diff: <a class="external" href="https://android.googlesource.com/platform/packages/apps/Settings/+/37b58a4">https://android.googlesource.com/platform/packages/apps/Settings/+/37b58a4</a><br />CM commit: <a class="external" href="https://github.com/CyanogenMod/android_packages_apps_Settings/commit/0d7a9ae528029b5f767136c238b6beff3f400ea0">https://github.com/CyanogenMod/android_packages_apps_Settings/commit/0d7a9ae528029b5f767136c238b6beff3f400ea0</a></p>
<p><strong>Replicant - Issue #1113 (Closed): Privilege Escalation vulnerability - CVE-2014-7911</strong><br />https://redmine.replicant.us/issues/1113 - 2014-12-08T18:16:59Z - My Self</p>
<p><strong>Description</strong><br />I've checked that Replicant is vulnerable to the Privilege Escalation (using ObjectInputStream), registered as CVE-2014-7911.<br />More information: <a class="external" href="http://seclists.org/fulldisclosure/2014/Nov/51">http://seclists.org/fulldisclosure/2014/Nov/51</a></p>
<p><strong>Solution</strong><br />AOSP (5.0) patch: <a class="external" href="https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2">https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2</a><br />CM commit: <a class="external" href="https://github.com/CyanogenMod/android_libcore/commit/2d0fbea07c1a3c4368ddb07609d1a86993ed6de9">https://github.com/CyanogenMod/android_libcore/commit/2d0fbea07c1a3c4368ddb07609d1a86993ed6de9</a></p>
<p><strong>Replicant - Issue #1041 (Closed): BASH (aka shellshock) vulnerability - CVE-2014-[6271/6277/6278/...</strong><br />https://redmine.replicant.us/issues/1041 - 2014-11-06T10:20:50Z - My Self</p>
<p>I hope it's a good idea to open a bug ticket about the forum topic: <a class="external" href="http://redmine.replicant.us/boards/9/topics/6729">http://redmine.replicant.us/boards/9/topics/6729</a></p>
<p><strong>Summary</strong><br />Replicant is (at the moment) vulnerable to the shellshock vulnerabilities.<br />Two patches (CVE-2014-6271 and CVE-2014-7169) have been merged into Replicant in the meantime:<br /><a class="external" href="https://gitorious.org/replicant/external_bash/commits/64368c6fd95e4f749e6133398ad4d5fce3c9b940">https://gitorious.org/replicant/external_bash/commits/64368c6fd95e4f749e6133398ad4d5fce3c9b940</a></p>
<p>But there are some more issues:<br /><a class="external" href="https://access.redhat.com/security/cve/CVE-2014-7186">https://access.redhat.com/security/cve/CVE-2014-7186</a><br /><a class="external" href="https://access.redhat.com/security/cve/CVE-2014-7187">https://access.redhat.com/security/cve/CVE-2014-7187</a><br /><a class="external" href="https://access.redhat.com/security/cve/CVE-2014-6277">https://access.redhat.com/security/cve/CVE-2014-6277</a><br /><a class="external" href="https://access.redhat.com/security/cve/CVE-2014-6278">https://access.redhat.com/security/cve/CVE-2014-6278</a><br />with available patches:<br /><a class="external" href="https://github.com/CyanogenMod/android_external_bash/commit/027626f9f273edf1c435c223f93768ec6dcc5301">https://github.com/CyanogenMod/android_external_bash/commit/027626f9f273edf1c435c223f93768ec6dcc5301</a><br /><a class="external" href="https://github.com/CyanogenMod/android_external_bash/commit/bd2cb35e07e5cef774220e8b57bace207f162e50">https://github.com/CyanogenMod/android_external_bash/commit/bd2cb35e07e5cef774220e8b57bace207f162e50</a><br /><a class="external" href="https://github.com/CyanogenMod/android_external_bash/commit/369692c969182053c3a8f81775fa022934e3bd95">https://github.com/CyanogenMod/android_external_bash/commit/369692c969182053c3a8f81775fa022934e3bd95</a><br /><a class="external" href="https://github.com/CyanogenMod/android_external_bash/commit/658bb3b21b2923f5e37dfe1ae2262fac5297d1af">https://github.com/CyanogenMod/android_external_bash/commit/658bb3b21b2923f5e37dfe1ae2262fac5297d1af</a></p>
<p>Alternatively, I would really appreciate it if the whole BASH version could be updated.<br />Here is version "4.3.30" as an open-source, shellshock-fixed version, which I've successfully tested with Replicant 4.2:<br /><a class="external" href="https://github.com/3lo0sh/bash-arm">https://github.com/3lo0sh/bash-arm</a></p>