Replicant: Issues
https://redmine.replicant.us/
Updated 2017-03-15T16:44:23Z

Replicant - Issue #1780 (New): Update the webview apk
https://redmine.replicant.us/issues/1780
2017-03-15T16:44:23Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Due to <a class="issue tracker-3 status-15 priority-33 priority-high2 closed child" title="Issue: Incomplete EGL implementation (Resolved)" href="https://redmine.replicant.us/issues/705">#705</a>, the webview apk in Replicant 6.0 cannot be updated. Currently, webview version 43.0.2357.134 is in use. It was released in July 2015 and has numerous security issues that have been discovered since then.</p>
<p>Updating the webview apk would fix a lot of security issues and would ensure that websites can be visited securely using the browser shipped with Replicant or Lightning.</p>

Replicant - Feature #1779 (New): Implement setting that allows to permanently disable the modem
https://redmine.replicant.us/issues/1779
2017-03-06T22:06:03Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Some users don't need or don't want to use the modem of their device. Reasons might include skepticism about the level of the modem isolation, the wish to completely avoid the tracking of the mobile system, or simply not wanting a nonfree system like the modem operating system running on their device.</p>
<p>So far, these users were advised to either buy a Replicant-supported device without a modem or to disable the radio interface layer by deleting or moving the library.</p>
<p>A more user-friendly approach would be a setting that, when enabled, prevents the modem from being booted when Replicant boots and does not load the modem software onto the modem.</p>
<p>When enabling the setting, the phone needs to be rebooted to ensure that the modem is not running. When disabling the setting, the user needs to be informed that the modem will only be operational after the device is rebooted.</p>

Replicant - Issue #1778 (Resolved): The installation pages lack advice to backup the EFS partition
https://redmine.replicant.us/issues/1778
2017-03-05T21:27:30Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>The installation pages of devices that have an EFS partition should advise backing up the EFS partition so users can restore the partition in case of corruption. This could prevent <a class="issue tracker-3 status-27 priority-27 priority-high3 closed" title="Issue: i9300 lost IMEI (Closed)" href="https://redmine.replicant.us/issues/1467">#1467</a> and would not require installing the proprietary stock images.</p>
<p>The page detailing the backup process should also include information about the necessary permissions the files should have to prevent <a href="http://redmine.replicant.us/boards/9/topics/8841" class="external">network issues</a>.</p>

Replicant - Issue #1401 (Closed): CVE-2014-3686 wpa_supplicant
https://redmine.replicant.us/issues/1401
2015-10-20T21:09:42Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Entry: <a class="external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686</a><br />I noticed that the cm-11.0 branch of CyanogenMod contains patches for this vulnerability:<br /><a class="external" href="https://github.com/CyanogenMod/android_external_wpa_supplicant_8/commit/5ed77d870e563df8560a40478204be5ea9db33e9">https://github.com/CyanogenMod/android_external_wpa_supplicant_8/commit/5ed77d870e563df8560a40478204be5ea9db33e9</a><br /><a class="external" href="https://github.com/CyanogenMod/android_external_wpa_supplicant_8/commit/8e575d91534fd8ad98b06caec872a056c7f2737c">https://github.com/CyanogenMod/android_external_wpa_supplicant_8/commit/8e575d91534fd8ad98b06caec872a056c7f2737c</a><br /><a class="external" href="https://github.com/CyanogenMod/android_external_wpa_supplicant_8/commit/b76a82e8f28a5c3f43958e0e1b3c26390725b040">https://github.com/CyanogenMod/android_external_wpa_supplicant_8/commit/b76a82e8f28a5c3f43958e0e1b3c26390725b040</a></p>
<p>They can be applied to Replicant without any changes. They are also in the android_external_wpa_supplicant_8_ti repository. Is this repository actually needed in Replicant?</p>
<p>Upstream patches for reference: <a class="external" href="https://w1.fi/security/2014-1/">https://w1.fi/security/2014-1/</a></p>

Replicant - Issue #1395 (Closed): Nexus Security Bulletin from September
https://redmine.replicant.us/issues/1395
2015-10-18T19:10:16Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Same procedure as in <a class="issue tracker-3 status-27 priority-27 priority-high3 closed" title="Issue: Nexus Security Bulletin from August (Closed)" href="https://redmine.replicant.us/issues/1389">#1389</a>. This time the bulletin from September: <a class="external" href="https://groups.google.com/forum/?_escaped_fragment_=msg/android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ#!msg/android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ">https://groups.google.com/forum/?_escaped_fragment_=msg/android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ#!msg/android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ</a></p>
<p><strong>CVE-2015-3636: Elevation of Privilege Vulnerability in Kernel</strong><br /><a class="external" href="https://github.com/torvalds/linux/commit/a134f083e79f">https://github.com/torvalds/linux/commit/a134f083e79f</a></p>
<p><strong>Elevation of Privilege Vulnerability in Binder</strong><br /><strong>CVE-2015-3845</strong><br /><a class="external" href="https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20%5E!/">https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20%5E!/</a><br /><strong>CVE-2015-1528</strong><br /><a class="external" href="https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254%5E!/">https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254%5E!/</a><br /><a class="external" href="https://github.com/CyanogenMod/android_system_core/commit/d869e89766d80256117c528bbcc0854acbc068f1">https://github.com/CyanogenMod/android_system_core/commit/d869e89766d80256117c528bbcc0854acbc068f1</a></p>
<p><strong>CVE-2015-3863: Elevation of Privilege Vulnerability in Keystore</strong><br /><a class="external" href="https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b%5E!/">https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b%5E!/</a><br />merge conflict resolved</p>
<p><strong>CVE-2015-3849: Elevation of Privilege Vulnerability in Region</strong><br /><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885%5E!/">https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885%5E!/</a><br />merge conflict: Problem is that readFromMemory() is not available in Replicant's Skia, so I kept the unflatten function in there.</p>
<p><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3%5E!/">https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3%5E!/</a><br />merge conflict: Same as above, working around missing readFromMemory()</p>
<p><strong>CVE-2015-3858: Elevation of Privilege vulnerability in SMS enables notification bypass.</strong><br />It seems that Replicant is not affected by this. android.permission.SEND_SMS_NO_CONFIRMATION was renamed to android.permission.SEND_RESPOND_VIA_MESSAGE in API level 18 so we should be safe.</p>
<p><strong>CVE-2015-3861: Denial of Service Vulnerability in Mediaserver</strong><br /><a class="external" href="https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0%5E!/">https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0%5E!/</a><br />merge conflict resolved</p>

Replicant - Issue #1389 (Closed): Nexus Security Bulletin from August
https://redmine.replicant.us/issues/1389
2015-10-18T12:59:39Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Google now releases monthly security bulletins. I went through the one from August, which also includes some older security fixes: <a class="external" href="https://groups.google.com/forum/?_escaped_fragment_=msg/android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ#!msg/android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ">https://groups.google.com/forum/?_escaped_fragment_=msg/android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ#!msg/android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ</a><br />Although most of the Stagefright related stuff is already fixed in Replicant, some other security bugs aren't.<br />I added a note below the link to the commit if the patch needed to be changed.</p>
<p><strong>CVE-2015-3836: Buffer overflow in Sonivox Parse_wave</strong><br /><a class="external" href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6%5E!/">https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6%5E!/</a></p>
<p><strong>CVE-2015-3832: Buffer overflows in libstagefright MPEG4Extractor.cpp</strong><br /><a class="external" href="https://github.com/CyanogenMod/android_frameworks_av/commit/c086b29ee1353fe85e3c08cb2ea4ce1f5dd462d7">https://github.com/CyanogenMod/android_frameworks_av/commit/c086b29ee1353fe85e3c08cb2ea4ce1f5dd462d7</a><br />merge conflict resolved</p>
<p><strong>CVE-2015-0973: Vulnerability in libpng: Overflow in png_Read_IDAT_data</strong><br /><a class="external" href="https://github.com/CyanogenMod/android_external_libpng/commit/abd737d8149ee16d843c2d9d65f75ecf13d6ca99">https://github.com/CyanogenMod/android_external_libpng/commit/abd737d8149ee16d843c2d9d65f75ecf13d6ca99</a></p>
<p><strong>CVE-2015-1863: Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</strong><br /><a class="external" href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c%5E!/">https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c%5E!/</a><br />Replicant also has the repository external_wpa_supplicant_8_ti, so I applied the patch to this repository, too.</p>
<p><strong>CVE-2015-3834: Buffer overflow in mediaserver BnHDCP</strong><br /><a class="external" href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced%5E!/">https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced%5E!/</a><br />merge conflict resolved</p>
<p><strong>CVE-2015-3835: Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</strong><br /><a class="external" href="https://github.com/CyanogenMod/android_frameworks_av/commit/49fa7b75b65c3047f55efb4cd2b25261f4289799">https://github.com/CyanogenMod/android_frameworks_av/commit/49fa7b75b65c3047f55efb4cd2b25261f4289799</a></p>
<p><strong>CVE-2015-3843: Applications can intercept or emulate SIM commands to Telephony</strong><br /><a class="external" href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9%5E!/">https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9%5E!/</a><br />merge conflict resolved</p>
<p><a class="external" href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7%5E!/">https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7%5E!/</a><br />merge conflict resolved</p>
<p><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4%5E!/#F0">https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4%5E!/#F0</a><br />merge conflict resolved</p>
<p><strong>CVE-2015-1536: Vulnerability in Bitmap unmarshalling</strong><br /><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb%5E!/">https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb%5E!/</a><br />The patch does not work at all. I ported the changes manually. There is also a small change in external/skia necessary for this patch to work. Please review carefully!</p>
<p><strong>CVE-2015-3844: ActivityManagerService.getProcessRecordLocked() may load a system UID application into the wrong process</strong><br /><a class="external" href="https://github.com/CyanogenMod/android_frameworks_base/commit/22a5396c052bef500ceea2522c7d8ae61be39c4f">https://github.com/CyanogenMod/android_frameworks_base/commit/22a5396c052bef500ceea2522c7d8ae61be39c4f</a></p>
<p>Patches are attached.<br />These and my other changes can also be found in my personal repository at <a class="external" href="https://code.fossencdi.org">https://code.fossencdi.org</a></p>

Replicant - Feature #1383 (Closed): Camera app on lock screen
https://redmine.replicant.us/issues/1383
2015-10-09T20:38:43Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>The built-in Camera app (LegacyCamera) does not work on the lock screen. I looked at how Open Camera and the successor of LegacyCamera, Camera2, are doing this and I ended up picking some bits from Camera2 and writing the rest myself.<br />One part was quite tricky: when the phone wakes up, the Camera goes through an OnResume, OnPause, OnResume cycle and sometimes it ends up in the OnPause state and is unresponsive. Adding the trick with the delay for OnResume from Camera2 worked.<br />When the thumbnail of the last picture is clicked, the so-called SharePopup comes up and shows the last picture enlarged. As this could be used by someone else to take a closer look at your last pic, and as Open Camera and Camera2 disabled similar functionality on the lock screen, I also made the SharePopup inaccessible from the lock screen.<br />The patch has been tested for several days on my Galaxy S3.</p>

Replicant - Issue #1365 (Closed): Install from unknown sources and adb enabled by default
https://redmine.replicant.us/issues/1365
2015-10-01T16:35:56Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Replicant allows by default the installation of apps from unknown sources. As F-Droid nowadays works perfectly without this setting enabled, there is IMHO no reason to keep it enabled.</p>
<p>Having adb enabled by default might be a nice thing for developing and for advanced tasks, but it also adds a big attack vector. At the moment there are two open security bugs related to adb on this issue tracker alone, and there might be more that are yet unpatched. People who need adb will very likely know how to enable it.</p>

Replicant - Issue #1359 (Closed): Device lock bypass - CVE-2013-6271
https://redmine.replicant.us/issues/1359
2015-09-28T23:55:52Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Replicant is affected by the following vulnerability: <a class="external" href="https://www.cvedetails.com/cve/CVE-2013-6271">https://www.cvedetails.com/cve/CVE-2013-6271</a><br />More information: <a class="external" href="http://blog.curesec.com/article/blog/CVE-2013-6271-Remove-Device-Locks-from-Android-Phone-26.html">http://blog.curesec.com/article/blog/CVE-2013-6271-Remove-Device-Locks-from-Android-Phone-26.html</a></p>
<p>You can test it for yourself with the following adb command:<br /><code>adb shell am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task</code><br />Your device lock should now be removed.</p>
<p>The upstream patch is here: <a class="external" href="https://android.googlesource.com/platform/packages/apps/Settings/+/66026773bbf1d7631743a5b892a4f768c694f868%5E!/">https://android.googlesource.com/platform/packages/apps/Settings/+/66026773bbf1d7631743a5b892a4f768c694f868%5E!/</a><br />The patch needed to be modified for compatibility with Replicant, and the modified version is attached.<br />If you run the above command with the patch applied, you should now get prompted for your lock password/PIN etc. and the lock is not just removed.</p>

Replicant - Issue #1353 (Closed): Security bugs 17969135 and 17671795
https://redmine.replicant.us/issues/1353
2015-09-28T21:58:19Z, Wolfgang Wiedmeyer (wreg@wiedmeyer.de)
<p>Found two security bugs that are not yet in Replicant.</p>
<p><ins>Bug 17969135</ins><br />CVE: <a class="external" href="https://www.cvedetails.com/cve/CVE-2014-8507/">https://www.cvedetails.com/cve/CVE-2014-8507/</a><br />patch: <a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6%5E!/">https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6%5E!/</a></p>
<p><ins>Bug 17671795</ins><br />CVE: <a class="external" href="https://www.cvedetails.com/cve/CVE-2014-8610/">https://www.cvedetails.com/cve/CVE-2014-8610/</a><br />patch: <a class="external" href="https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dfe333f22377faa73585c67%5E!/">https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dfe333f22377faa73585c67%5E!/</a></p>
<p>Both are tested on my device. Patches are also attached.<br />Hope this helps!</p>