CVE-2011-3874 (aka "ZergRush") has already been backported to Android 2.2
and Android 2.3, and is available in the tip-of-tree git repository for
each of those branches. Please see
http://code.google.com/p/android/issues/detail?id=21681 for patch details.

In addition, our Android Compatibility Test Suite
(CTS) <http://source.android.com/compatibility/overview.html> has been
modified to detect this vulnerability. New Android devices,
regardless of version number, cannot pass our compatibility tests without
having fixed this bug.

-- Nick

On Sat, Dec 31, 2011 at 12:01 PM, Oleg Gryb <[email protected]> wrote:

> Hello Android Security,
>
> I've just had an interesting conversation with +Jean-Baptiste Queru
> and +Dianne Hackborn at G+
> (https://plus.google.com/112218872649456413744/posts/dFmpbxfpkfN) and
> JBQ's advice was to discuss it here.
>
> I wanted to ask you if you plan to back-port that privilege escalation
> bug that is being successfully exploited by zergRush and could
> definitely be used by others for less noble purposes than device
> rooting.
>
> It exploits the buffer overflow possibility in system/core/libsysutils/
> src/FrameworkListener.cpp module where limits are not enforced for the
> following array:
> char *argv[FrameworkListener::CMD_ARGS_MAX];
>
> I could see that the bug has been fixed in ICS:
>
> *** ../android-4.0/system/core/libsysutils/src/FrameworkListener.cpp
> 2011-12-11 19:54:29.000000000 -0800
> --- system/core/libsysutils/src/FrameworkListener.cpp   2011-12-31
> 11:15:11.000000000 -0800
> .... skipped ...
> -     *q = '\0';
> -     if (argc >= CMD_ARGS_MAX)
> -         goto overflow;
> .... skipped ...
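Review bot: the hunk shows only the ICS-side `-` lines (`*q = '\0';` followed by `if (argc >= CMD_ARGS_MAX) goto overflow;`) and elides everything around them, so it does not show the `overflow:` label or the `argv[argc++]` store that the comparison is meant to guard, and it cannot be confirmed from these lines that every path that increments `argc` sits after the check. When back-porting, carry over the comparison in exactly this position (before the store into `argv`, not after it) together with the `overflow:` label and its cleanup path in the same change, so the 2.2 and 2.3 trees do not end up with a check that is reachable only on some paths.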
>
> JBQ has also mentioned that it might've been back-ported to 2.2.3 and
> 2.3.7, but I've just checked both of them and didn't find the change.
>
> Please let me know if you have any plans for back-porting that.
>
> Thanks & Have a Happy New Year,
> Oleg.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
>
>


-- 
Nick Kralevich | Android Security | [email protected] | 650.214.4037
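
The argv overflow Oleg describes above, reduced to a stand-alone C demonstration. This is an added example, not code from AOSP's FrameworkListener or from either poster: it splits a command line into an `argv[CMD_ARGS_MAX]` array once without any bound on `argc` (the pre-fix shape) and once with the `argc >= CMD_ARGS_MAX` check placed before the store, mirroring the ICS lines quoted in the thread. The value 16 for `CMD_ARGS_MAX`, the `SPARE_SLOTS` backing array, the simplified single-space tokenizer (no quoting or escaping) and the `a0 a1 ...` command line are all constructions of this example; the spare slots exist only so the unchecked variant's out-of-range stores land in memory we own and can be counted, rather than smashing the stack as they would in the real listener.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on argv slots; AOSP's header used 16 (assumed value here). */
#define CMD_ARGS_MAX 16
/* Extra backing slots so the unchecked variant's over-writes stay inside a
 * larger array and can be counted instead of corrupting the stack. */
#define SPARE_SLOTS 8
#define PARSE_OVERFLOW (-1)

/* Split buf in place on single spaces, storing each token into argv[argc++].
 * No comparison against CMD_ARGS_MAX: this is the unchecked, pre-fix shape.
 * Caller must pass a backing array of CMD_ARGS_MAX + SPARE_SLOTS entries and
 * no more than that many tokens, which keeps the demonstration well-defined. */
static int tokenize_unchecked(char *buf, char **argv)
{
    int argc = 0;
    char *p = buf, *q = buf;
    for (;;) {
        if (*p == ' ' || *p == '\0') {
            char term = *p;
            *p = '\0';
            argv[argc++] = q;          /* overflows once argc reaches CMD_ARGS_MAX */
            if (term == '\0')
                break;
            q = ++p;
        } else {
            p++;
        }
    }
    return argc;
}

/* Same tokenizer with the bound check before the store, as in the ICS-side
 * `if (argc >= CMD_ARGS_MAX) goto overflow;` quoted in the thread.
 * Returns argc, or PARSE_OVERFLOW without storing anything further. */
static int tokenize_checked(char *buf, char *argv[CMD_ARGS_MAX])
{
    int argc = 0;
    char *p = buf, *q = buf;
    for (;;) {
        if (*p == ' ' || *p == '\0') {
            char term = *p;
            *p = '\0';
            if (argc >= CMD_ARGS_MAX)  /* the check the fix adds */
                return PARSE_OVERFLOW;
            argv[argc++] = q;
            if (term == '\0')
                break;
            q = ++p;
        } else {
            p++;
        }
    }
    return argc;
}

/* Constructed input: "a0 a1 ... a<n-1>", the kind of line a local client
 * with access to the listener's socket could send. */
static void build_command(char *out, size_t out_len, int ntokens)
{
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < ntokens; i++) {
        int n = snprintf(out + used, out_len - used, "%sa%d", i ? " " : "", i);
        if (n < 0 || (size_t)n >= out_len - used)
            break;
        used += (size_t)n;
    }
}

/* Number of argv stores the unchecked tokenizer makes past CMD_ARGS_MAX for
 * an ntokens-token line (ntokens is clamped to the backing array size). */
int overflow_slots_unchecked(int ntokens)
{
    char line[512];
    char *slots[CMD_ARGS_MAX + SPARE_SLOTS] = {0};
    int clobbered = 0;
    if (ntokens > CMD_ARGS_MAX + SPARE_SLOTS)
        ntokens = CMD_ARGS_MAX + SPARE_SLOTS;
    build_command(line, sizeof line, ntokens);
    tokenize_unchecked(line, slots);
    for (int i = CMD_ARGS_MAX; i < CMD_ARGS_MAX + SPARE_SLOTS; i++)
        if (slots[i] != NULL)
            clobbered++;
    return clobbered;
}

/* argc the checked tokenizer accepts for an ntokens-token line, or PARSE_OVERFLOW. */
int dispatch_checked(int ntokens)
{
    char line[512];
    char *argv[CMD_ARGS_MAX];
    build_command(line, sizeof line, ntokens);
    return tokenize_checked(line, argv);
}

int main(void)
{
    printf("%d tokens, unchecked: %d stores past argv[]\n",
           CMD_ARGS_MAX + 4, overflow_slots_unchecked(CMD_ARGS_MAX + 4));
    printf("%d tokens, checked: argc=%d\n", CMD_ARGS_MAX, dispatch_checked(CMD_ARGS_MAX));
    printf("%d tokens, checked: %d (overflow rejected)\n",
           CMD_ARGS_MAX + 1, dispatch_checked(CMD_ARGS_MAX + 1));
    return 0;
}
```

The point the example isolates is the position of the comparison: it has to run before `argv[argc++]` is written, because by the time a check after the store would execute, the stack slot beyond the array is already overwritten. In the real listener the overflowed stack frame belongs to a daemon running with more privilege than the socket client, which is what makes the missing check a privilege escalation rather than a crash.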
