Headline
CVE-2023-21254
In getCurrentState of OneTimePermissionUserManager.java, there is a possible way for an app to keep holding one-time permissions after it has been killed, due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
  "commit": "fa539c85503dc63bfb53c76b6f12b3549f14a709",
  "tree": "7dbbee84c812cf1976d496a487d69c5394576152",
  "parents": [
    "c00b7e7dbc1fa30339adef693d02a51254755d7f"
  ],
  "author": {
    "name": "Evan Severson",
    "email": "[email protected]",
    "time": "Tue Jan 31 17:14:34 2023 -0800"
  },
  "committer": {
    "name": "Android Build Coastguard Worker",
    "email": "[email protected]",
    "time": "Thu May 11 18:40:45 2023 +0000"
  },
  "message": "[1-time permissions] Use internal api to check proc states\n\nWe need to check the proc state and the binder method has a filter that\nis affected by a bug that keeps a killed process in the \"pending top\"\nlist. Using the internal api isn't affected by this filter and also is\nmore correct for in-process calls.\n\nTest: Install test app that requests permission and will exit\n immediately on granting, observe permission is no longer\n\tindefinitely held.\nBug: 254736794\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e836611f3057cf9eae589a34a39fe80d0a9145f3)\nMerged-In: I30579090c803b231fd750abbc4ad645805f7ece2\nChange-Id: I30579090c803b231fd750abbc4ad645805f7ece2\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "a1c98109052e22aa66876a0ee41d102e90bfbd76",
      "old_mode": 33188,
      "old_path": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java",
      "new_id": "d28048ce74c79e9258e8da43dc60fa8cfd8a834a",
      "new_mode": 33188,
      "new_path": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java"
    }
  ]
}
Related news
In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.