Headline
CVE-2023-35675
In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
commit c1cf4b9746c9641190730172522324ccd5b8c914
tree 8d25b1a0e76a99f4ad4862e72c3841c6d75925b4
parent f810d81839af38ee121c446105ca67cb12992fc6
author Beth Thibodeau <[email protected]> Thu Jun 22 18:26:44 2023 -0500
committer Duy Truong <[email protected]> Wed Jul 19 17:51:46 2023 -0700

    Improve user handling when querying for resumable media

    - Before trying to query recent media from a saved component, check
      whether the current user actually has that component installed
    - Track user when creating the MediaBrowser, in case the user changes
      before the MBS returns a result

    Test: atest MediaResumeListenerTest
    Bug: 284297711
    (cherry picked from commit e566a250ad61e269119b475c7ebdae6ca962c4a7)
    (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d61741288b4d7614e4677428aac6418f6f1d79f0)
    Merged-In: I838ff0e125acadabc8436a00dbff707cc4be6249
    Change-Id: I838ff0e125acadabc8436a00dbff707cc4be6249

tree_diff (all entries: type modify, old_mode 33188, new_mode 33188)

packages/SystemUI/src/com/android/systemui/media/MediaResumeListener.kt
    old_id cc06b6c678794756e09fb5a2915727137f21fc48
    new_id bad87de438e5f4c5e6154f606bd673e1ebc21bab
packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowser.java
    old_id 40a5653a15a0e4d787714c00a042d64f3b868a4a
    new_id 018697f772e0024ea6101501a62e55027b23ca1b
packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowserFactory.java
    old_id 3d1380b6bd243ccaa79bb1f4fc512444f9ab4494
    new_id fca0ab7e531650f01663aceb0f770b098ccf232c
packages/SystemUI/tests/src/com/android/systemui/media/MediaResumeListenerTest.kt
    old_id 3d3ac836d26499639288249db236b2c7a4b405d5
    new_id e7df1a219d3e2502da142a8be84371d63ef4f99e
packages/SystemUI/tests/src/com/android/systemui/media/ResumeMediaBrowserTest.kt
    old_id dafaa6b936968ea7f59078be6405875b43444421
    new_id e3134d482955c2aa56ecd990be5bedd4af6abe43
Related news
In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to an integer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.