Headline
CVE-2023-35676
In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
)]}'
{
  "commit": "109e58b62dc9fedcee93983678ef9d4931e72afa",
  "tree": "7ef156a2d1225c1cb3d43620732bf609091ed48a",
  "parents": [
    "05b1ada4ed1326d7ad781142f4fff0de70dffeff"
  ],
  "author": {
    "name": "Miranda Kephart",
    "email": "[email protected]",
    "time": "Fri Apr 28 10:58:46 2023 -0400"
  },
  "committer": {
    "name": "Android Build Coastguard Worker",
    "email": "[email protected]",
    "time": "Fri Jul 14 17:30:22 2023 +0000"
  },
  "message": "[DO NOT MERGE] Update quickshare intent rather than recreating\n\nCurrently, we extract the quickshare intent and re-wrap it as a new\nPendingIntent once we get the screenshot URI. This is insecure as\nit leads to executing the original with SysUI\u0027s permissions, which\nthe app may not have. This change switches to using Intent.fillin\nto add the URI, keeping the original PendingIntent and original\npermission set.\n\nBug: 278720336\nTest: manual (to test successful quickshare), atest\nSaveImageInBackgroundTaskTest (to verify original pending intent\nunchanged)\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:02938e8ccae910d96578475a19dff0a5e746b03d)\nMerged-In: Icad3d5f939fcfb894e2038948954bc2735dbe326\nChange-Id: Icad3d5f939fcfb894e2038948954bc2735dbe326\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "50ee1f7ba97aabd377d1838b2cb3e17c46a909c9",
      "old_mode": 33188,
      "old_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java",
      "new_id": "f4a257fdd3ec7b6b5c97b8e6252f6ddf7059ddcc",
      "new_mode": 33188,
      "new_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java"
    },
    {
      "type": "modify",
      "old_id": "5b6e5ce95b1483c83098f72fa5cb7051bb92425d",
      "old_mode": 33188,
      "old_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java",
      "new_id": "5928c9ec608589e9b245e5a4950db5077bb75c2c",
      "new_mode": 33188,
      "new_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java"
    },
    {
      "type": "modify",
      "old_id": "f703058f4a0fb6251bcf51e099b79bb58d1e82a2",
      "old_mode": 33188,
      "old_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java",
      "new_id": "ecc13ee747c8b4e116310436832ba03599c137c6",
      "new_mode": 33188,
      "new_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "03f8c93942184a59caa0ba86a737fa45e043b24e",
      "new_mode": 33188,
      "new_path": "packages/SystemUI/tests/src/com/android/systemui/screenshot/SaveImageInBackgroundTaskTest.kt"
    }
  ]
}
Related news
In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to an integer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.