Issue #1263

Security revaluation pack [until Android 4.4.3 r1]

Added by My Self about 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: High
Assignee:
Category: Security
Target version:
Start date: 04/02/2015
Due date:
% Done: 100%
Estimated time:
Resolution: fixed
Device:
Grant:
Type of work:

Description

I've crawled the unofficial changelog script [http://aosp.changelog.to] by using these search criteria:
"CVE"; "secur"ity; "vul"nerability to make a list of the following security patches, which were missing in Replicant 4.2 (for now):

  • JSS15J (4.3_r2.1) to KRT16M (4.4_r1) [http://aosp.changelog.to/aosp-JSS15J-KRT16M.html]
    • https://android.googlesource.com/platform/cts/+/ed54695
      AppSecurity: Add traffic stats test, and fix file access test
      Bug: 10349057
      Patch-file: Bugfix-10349057.patch
      • Fix the private file access test which would fail because the path was wrong.
      • Add a test that ensures the private file is actually "not accessible" because it can't be as opposed to it not being there: the new test accesses a public file created at the same time as the private file.
      • Add tests around traffic stats
        • add internet permission to app that creates data.
        • generate private traffic stats (tagged sockets).
        • read back traffic stats to make sure that only public stats are visible.
  • KOT49H (4.4.2_r1) to KTU84L (4.4.3_r1) [http://aosp.changelog.to/aosp-KOT49H-KTU84L.html]
    • https://android.googlesource.com/platform/cts/+/0e2d6d9
      CtsVerifier test for lock screen vulnerability fix.
      Lock screen credential reset w/o previous credentials.
      The test asks the user to first set a lock screen password and then launch an intent to change it, using an EXTRA that was not being properly validated before the vulnerability was fixed.
      Bug: 9858403
      Patch-package: Bugfix-9858403.zip (containing the files above)
      Patch-files: Bugfix-9858403.patch
      Additionally please [git] add these files to the following path:
      • apps/CtsVerifier/res/layout/pass_fail_lockconfirm.xml
      • apps/CtsVerifier/src/com/android/cts/verifier/security/LockConfirmBypassTest.java

The only (big) part I've left open yet is OpenSSL, which I will provide the next time...


Files

patchset_up_to_4.4.3.zip (23.9 KB), My Self, 08/26/2015 12:00 PM