Headline
CVE-2023-21145
In updatePictureInPictureMode of ActivityRecord.java, there is a possible bypass of background launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
)]}’ { "commit": "44aeef1b82ecf21187d4903c9e3666a118bdeaf3", "tree": "894adcca88504cf517a0070286bda7ee59d57d27", "parents": [ “d06f0a83dec0f6ba1b4f8543733ef50003193c45” ], "author": { "name": "Hongwei Wang", "email": "[email protected]", "time": “Thu Feb 23 13:23:37 2023 -0800” }, "committer": { "name": "Android Build Coastguard Worker", "email": "[email protected]", "time": “Thu Apr 06 00:35:24 2023 +0000” }, "message": "Remove Activity if it enters PiP without window\n\nThis is to prevent malicious app entering PiP without being visible\nfirst, like blocking onResume from completion. Which in turn\nleaves the PiP window in limbo and non-interactable.\n\nBug: 265293293\nTest: atest PinnedStackTests\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4fad1456409b79d6e649a29d5116a4fe3160bd21)\nMerged-In: I458a9508662e72a1adb9d9818105f2e9d7096d44\nChange-Id: I458a9508662e72a1adb9d9818105f2e9d7096d44\n", "tree_diff": [ { "type": "modify", "old_id": "83687e9ebccdcc958ae752131cef924f0f079ca0", "old_mode": 33188, "old_path": "services/core/java/com/android/server/wm/ActivityRecord.java", "new_id": "173a1a660ac82a7b49cc47b8c4b544c26801debb", "new_mode": 33188, "new_path": “services/core/java/com/android/server/wm/ActivityRecord.java” } ] }
Related news
In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.