This repository has been archived by the owner on Jun 24, 2024. It is now read-only.

Please open a security advisory #172

Open
JLLeitschuh opened this issue Jan 24, 2021 · 8 comments

Comments

@JLLeitschuh

Hello,

I'm an independent security researcher performing security research under the GitHub Security Lab Bug Bounty Program. I believe I may have found a security vulnerability in this project.

Please open a security advisory against this repository so we can privately discuss the details. This advisory can be opened by a user with admin permissions on this repository.

https://github.com/google/archive-patcher/security/advisories

@omernebil

Hello,

You can provide detailed information on the vulnerability to g.co/AndroidSecurityReport. This will route it into Google's queue of investigation.

Thank you.

@JLLeitschuh
Author

This has been reported here: https://issuetracker.google.com/issues/178709136

@omernebil

omernebil commented Feb 16, 2021

Thank you again for reporting the issue.

The issue was determined not to be a vulnerability and is being treated as a regular project issue. For this reason, we aren't looking for a security advisory or CVE assignment. We made the necessary changes in our codebase to handle this. The fixes will be cut in the next release cycle.

We can mark this report as resolved now.

@JLLeitschuh
Author

> The issue was determined not to be a vulnerability and is being treated as a regular project issue. For this reason, we aren't looking for a security advisory or CVE assignment.

Hi!

Could you elaborate a bit more on why you don't believe that this is a vulnerability?

@omernebil

Our investigation showed that:

  • On pre-JB devices, the vulnerability could expose the information on which apps are about to be installed on the device to other apps.
  • However, the installed apps information becomes public right after the installation completes as the app becomes available on the device.
  • For this reason, we identified this as a regular issue and not a vulnerability.

@JLLeitschuh
Author

JLLeitschuh commented Feb 18, 2021

If this vulnerable code is being executed on Android, the system temporary directory on Android is /sdcard on Ice Cream and before.

google/guava#4011 (comment)

As such, file permissions are completely ignored and any other app can rewrite the contents of the files written to /sdcard.

My original disclosure didn't actually consider Android. Did your analysis consider cases where this vulnerable code was executed on a Unix-like system that was not Android?

In the Unix-like system case, doesn't the local information disclosure vulnerability exist?

From my reading of this project's README, there is no indication that this project's code is run exclusively on Android; as such, all runnable location contexts need to be considered? Correct?
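
The thread turns on how a temporary file ends up being readable by other local users on a Unix-like system, and on /sdcard ignoring file permissions entirely. The following is an added illustration, not code from archive-patcher or from either commenter, showing the legacy `java.io.File.createTempFile` pattern next to a `java.nio` variant that requests owner-only (0600) permissions explicitly, plus a check that reads the permissions back and treats a filesystem with no POSIX permission view as "not private" rather than assuming the best. The prefix `patch-` and the class name `TempFileCheck` are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Added example (not project code): compare temp-file creation patterns
// and verify the resulting permissions instead of assuming them.
public final class TempFileCheck {

    /** Permissions we consider private: owner read/write only (0600). */
    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /**
     * Legacy pattern: java.io.File.createTempFile applies the process umask
     * (commonly 022), so on a typical Unix-like host the file is created
     * world-readable (0644) in the shared system temp directory.
     */
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("patch-", ".tmp"); // "patch-" is an assumed prefix
        f.deleteOnExit();
        return f.toPath();
    }

    /**
     * Hardened pattern: request 0600 explicitly. java.nio Files.createTempFile
     * already defaults to owner-only on POSIX, but stating the attribute makes
     * the intent reviewable and fails loudly (UnsupportedOperationException)
     * on a filesystem that cannot honour POSIX permissions at all.
     */
    static Path privateTempFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        Path p = Files.createTempFile("patch-", ".tmp", attr);
        p.toFile().deleteOnExit();
        return p;
    }

    /**
     * Returns true only if the filesystem reports owner-only permissions.
     * Where no POSIX permission view exists (a FAT-formatted /sdcard is the
     * case the thread describes), the query throws and we report false:
     * the file cannot be considered private to this process.
     */
    static boolean isOwnerOnly(Path p) throws IOException {
        try {
            Set<PosixFilePermission> actual = Files.getPosixFilePermissions(p);
            return actual.equals(OWNER_ONLY);
        } catch (UnsupportedOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = privateTempFile();
        System.out.println(legacy + " owner-only? " + isOwnerOnly(legacy));
        System.out.println(hardened + " owner-only? " + isOwnerOnly(hardened));
        Files.deleteIfExists(legacy);
        Files.deleteIfExists(hardened);
    }
}
```

Run it on a Linux host with the usual 022 umask and the legacy file reports `owner-only? false` while the hardened one reports `true`; on a filesystem with no permission model the hardened path throws at creation time, which is the preferable failure compared with silently writing data that any other local user or app can read.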

@omernebil

Archive Patcher is exclusive to Android, and that's a great point that this is not clear in the documentation and it's confusing. We'll open up an issue to fix that; thank you!

@JLLeitschuh
Author

Your "compatibility window" seems to indicate that it is also intended to be run on Linux.

https://github.com/google/archive-patcher#compatibility-window
