Issue #1257
Closed
Installer Hijacking vulnerability
Description
I've checked that Replicant is vulnerable to the Installer Hijacking vulnerability.
More information: http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/
Solution/Patch
Android diff: https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/2b3202c3ff18469b294629bf1416118f12492173
Updated by My Self over 9 years ago
I have to wait until the Replicant sources are fetchable again:
http://redmine.replicant.us/boards/15/topics/8817
Updated by My Self about 9 years ago
- File Add-manifest-to-verification-params.patch added
The sources are up again.
So I decided to attach the patch listed above (tested with the current Replicant 4.2 sources) to this ticket.
After flashing the patched Replicant, I've tested my production device for several days without any misbehavior.
Furthermore, I've successfully checked that Replicant isn't vulnerable to the "Installer Hijacking Vulnerability" anymore.
@everyone: please review the patch and apply it if you like.
Updated by My Self about 9 years ago
Additionally, the patch has now been provided to the mailing list: http://lists.osuosl.org/pipermail/replicant/Week-of-Mon-20150720/000763.html
Updated by My Self about 9 years ago
- File deleted (Add-manifest-to-verification-params.patch)
Updated by My Self about 9 years ago
Updated by Paul Kocialkowski about 9 years ago
- Status changed from New to Closed
- Resolution set to fixed
Merged, thanks a lot!