Headline
CVE-2023-20918
In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation.
)]}'
{
  "commit": "16c604aa7c253ce5cf075368a258c0b21386160d",
  "tree": "f24047286450d197a9b7f2ff84e132ca91c53391",
  "parents": [
    "bb1009673650778cd597bda1cd73fb352d6cc680"
  ],
  "author": {
    "name": "Winson Chung",
    "email": "[email protected]",
    "time": "Tue Oct 18 05:21:30 2022 +0000"
  },
  "committer": {
    "name": "Justin Dunlap",
    "email": "[email protected]",
    "time": "Fri Dec 02 16:17:56 2022 -0800"
  },
  "message": "Ensure that only SysUI can override pending intent launch flags\n\n- Originally added in ag/5139951, this method ensured that activities\n launched from widgets are always started in a new task (if the\n activity is launched in the home task, the task is not brought forward\n with the recents transition). We can restrict this to only recents\n callers since this only applies to 1p launchers in gesture nav\n (both the gesture with 3p launchers and button nav in general will\n always start the home intent directly, which makes adding the\n NEW_TASK flag unnecessary).\n\nBug: 243794108\nTest: Ensure that the original bug b/112508020 still works (with the\n test app in the bug, swipe up still works after launching an\n activity from the widget, and fails without applying the\n override flags)\nChange-Id: Id53c6a2aa6da5933d488ca06a0bfc4ef89a4c343\n(cherry picked from commit c4d3106e347922610f8c554de3ae238175ed393e)\nMerged-In: Id53c6a2aa6da5933d488ca06a0bfc4ef89a4c343\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "4044cceb606b27ddac0f3b4997a7df4fa0880acc",
      "old_mode": 33188,
      "old_path": "services/core/java/com/android/server/am/PendingIntentRecord.java",
      "new_id": "9ccf83996782fa109392d70f2ec114e7c4fbc5fc",
      "new_mode": 33188,
      "new_path": "services/core/java/com/android/server/am/PendingIntentRecord.java"
    }
  ]
}
Related news
In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.