Comments (8)
omernebil
commented on May 8, 2024
Hello,
You can provide detailed information on the vulnerability to g.co/AndroidSecurityReport. This will route it into Google's queue of investigation.
Thank you.
from archive-patcher.
JLLeitschuh
commented on May 8, 2024
This has been reported here: https://issuetracker.google.com/issues/178709136
from archive-patcher.
omernebil
commented on May 8, 2024
Thank you again for reporting the issue.
The issue was determined not to be a vulnerability and is being treated as a regular project issue. For this reason, we aren't looking for a security advisory or CVE assignment. We made the necessary changes in our codebase to handle this. The fixes will be cut in the next release cycle.
We can mark this report are resolved now.
from archive-patcher.
JLLeitschuh
commented on May 8, 2024
The issue was determined not to be a vulnerability and is being treated as a regular project issue. For this reason, we aren't looking for a security advisory or CVE assignment.
Hi!
Could you elaborate a bit more on why you don't believe that this is a vulnerability?
from archive-patcher.
omernebil
commented on May 8, 2024
Our investigation showed that:
- On pre-JB devices, the vulnerability could expose the information on which apps are about to be installed on the device to other apps.
- However, the installed apps information becomes public right after the installation completes as the app becomes available on the device.
- For this reason, we identified this as a regular issue and not a vulnerability.
from archive-patcher.
JLLeitschuh
commented on May 8, 2024
If this vulnerable code is being executed on Android, the system temporary on android is /sdcard on Ice Cream and before.
As such, file permissions are completely ignored and any other app can rewrite the contents of the files written to /sdcard.
My original disclosure didn't actually consider android. Did your analysis consider cases where this vulnerable code was executed on a unix-like system that was not on android?
In the unix-like system case, doesn't the local information disclosure vulnerability exist?
From my reading of this project's README, there is no indication that this projects code is run exclusively on android, as such, all runnable location contexts need to be considered? Correct?
from archive-patcher.
omernebil
commented on May 8, 2024
Archive Patcher is exclusive to Android, and that's a great point that this is not clear in the documentation and it's confusing. We'll open up an issue to fix that; thank you!
from archive-patcher.
JLLeitschuh
commented on May 8, 2024
Your "compatibility window" seems to indicate that it is also intended to be run on linux.
https://github.com/google/archive-patcher#compatibility-window
from archive-patcher.
Related Issues (20)
- Compile instructions for bsdiff_jni.cc HOT 8
- Massive performance regression in v2 non-native generator HOT 3
- Truth incompatible with android HOT 4
- Run the demo, it has a NPE, msg is "Inflater has been closed" HOT 19
- Support For iOS HOT 2
- Input too large HOT 2
- Update README to explain that bsdiff is used without compression
- java.lang.NullPointerException: Inflater has been closed HOT 3
- Is this lib production ready or deprecated? HOT 9
- How to run the sample code? HOT 4
- Very slow to apply patch on Android device HOT 3
- Failed to generate patch from APK: java.util.zip.ZipException: EOCD record not found in last 32k of archive, giving up HOT 4
- Android: java.lang.IllegalStateException: setLevel cannot be called after setInput HOT 3
- How to build code on branch v2 HOT 1
- Android 11 (R) [API 30] : Zlib not compatible on this system HOT 3
- Some zlib versions fail the DefaultDeflateCompatibilityWindow compatability test HOT 2
- Android12 aplier File failed HOT 3
- On Android 12 devices, The file generated with the patch was different from the origin file; HOT 16
- Security Policy violation Binary Artifacts HOT 23
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from archive-patcher.