<p>Replicant | https://redmine.replicant.us/ | 2014-11-08T14:41:58Z</p>
<p>Replicant - Issue #1035: Superuser vulnerabilities - CVE-2013-[6768/6769/6770] | https://redmine.replicant.us/issues/1035?journal_id=2853 | 2014-11-08T14:41:58Z | Denis 'GNUtoo' Carikli (GNUtoo@cyberdimension.org)</p>
<ul><li><strong>Category</strong> changed from <i>51</i> to <i>Security</i></li></ul>
<p>https://redmine.replicant.us/issues/1035?journal_id=2859 | 2014-11-08T14:43:42Z | Denis 'GNUtoo' Carikli (GNUtoo@cyberdimension.org)</p>
<p><a class="external" href="http://forum.xda-developers.com/showthread.php?t=2525552">http://forum.xda-developers.com/showthread.php?t=2525552</a> says<br />"Any application" and refers to Android, so I guess we're affected by this privilege escalation vulnerability.</p>
<p>https://redmine.replicant.us/issues/1035?journal_id=3003 | 2014-11-10T11:33:01Z | My Self</p>
<p>I would agree to that. <br />I still don't know which superuser version is embedded in the Replicant com.android.settings, so I manually (and temporarily) switched to the latest version (1.0.3.0) over the CWM flashable zip file:<br /><a class="external" href="http://download.clockworkmod.com/superuser/superuser.zip">http://download.clockworkmod.com/superuser/superuser.zip</a></p>
<p>https://redmine.replicant.us/issues/1035?journal_id=3027 | 2014-11-14T14:52:12Z | My Self</p>
<p>By the way, I don't know if Replicant is also vulnerable to the old(!) "ExynosAbuse" on Exynos4-based devices. Replicant supports (for now) the following Exynos 4 Samsung devices:<br />- Galaxy S 2 (I9100)<br />- Galaxy Note (N7000)<br />- Galaxy S 3 (I9300)<br />- Galaxy Note 2 (N7100)</p>
<p>Could anybody please use the .apk of the following link (with patch information on the site) to check/verify if Replicant is vulnerable to this root-exploit, too?<br /><a class="external" href="http://forum.xda-developers.com/showthread.php?t=2050297">http://forum.xda-developers.com/showthread.php?t=2050297</a></p>
<p>https://redmine.replicant.us/issues/1035?journal_id=3069 | 2014-11-20T08:56:03Z | My Self</p>
<blockquote>
<p>Could anybody please use the .apk of the following link (with patch information on the site) to check/verify if Replicant is vulnerable to this root-exploit, too?<br /><a class="external" href="http://forum.xda-developers.com/showthread.php?t=2050297">http://forum.xda-developers.com/showthread.php?t=2050297</a></p>
</blockquote>
<p>I've got my I9100 back and could handle it myself. <strong>Replicant 4.2.0002 seems to be &lt;patched&gt; against ExynosAbuse.</strong><br />So the focus will stay on Superuser vulnerabilities from above.</p>
<p>https://redmine.replicant.us/issues/1035?journal_id=3075 | 2014-11-28T19:22:56Z | Paul Kocialkowski (paulk@replicant.us)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li><li><strong>Resolution</strong> set to <i>invalid</i></li></ul><p>This is already fixed in our code: <a class="external" href="https://gitorious.org/replicant/packages_apps_settings/commit/0deb0104eea19085bc68b42f128b3e9792564abe">https://gitorious.org/replicant/packages_apps_settings/commit/0deb0104eea19085bc68b42f128b3e9792564abe</a></p>
Please make sure we are actually affected by a security issue before reporting one next time, by:
<ol>
<li>running exploit code</li>
<li>checking whether there is already a fix in the source code if there is no easy exploit</li>
</ol>