Le vendredi 24 juillet 2015 à 00:06 +0200, Moritz Bandemer a écrit : > This is the .patch for bug #1257: > http://redmine.replicant.us/issues/1257 > > I've merged the patch from here: > https://android.googlesource.com/platform/packages/apps/PackageInstal > ler/+/2b3202c3ff18469b294629bf1416118f12492173 > to the Replicant sources and successfully recompiled Replicant after > that for my device. > > After flashing the patched Replicant, I've tested my productive > device > several weeks without any misbehavior. > Furthermore I've successfully checked, that Replicant isn't vulnerale > to > the "Installer Hijacking Vulnerability" anymore. > > Please review the patch, inline attached below, and apply it if you > like:
For the record, this patch was merged. > ### > > From 247913ca358693f44c66ad603c600e229b43a6c1 Mon Sep 17 00:00:00 > 2001 > From: Kenny Root <[email protected]> > Date: Thu, 14 Mar 2013 09:41:18 -0700 > Subject: [PATCH] Add manifest to verification params > > Change-Id: I088ab981cb56d4f156b6ff910d6a2270e3302dc4 > Signed-off-by: Kenny Root <[email protected]> Signed-off-by: Moritz > Bandemer <[email protected]> > --- > src/com/android/packageinstaller/InstallAppProgress.java | 6 > +++++- > src/com/android/packageinstaller/PackageInstallerActivity.java | 4 > ++++ > src/com/android/packageinstaller/PackageUtil.java | 1 > + > 3 files changed, 10 insertions(+), 1 deletion(-) > > diff --git a/src/com/android/packageinstaller/InstallAppProgress.java > b/src/com/android/packageinstaller/InstallAppProgress.java > index fc82078..71c792e 100755 > --- a/src/com/android/packageinstaller/InstallAppProgress.java > +++ b/src/com/android/packageinstaller/InstallAppProgress.java > @@ -24,6 +24,7 @@ import > android.content.DialogInterface.OnCancelListener; > import android.content.Intent; > import android.content.pm.ApplicationInfo; > import android.content.pm.IPackageInstallObserver; > +import android.content.pm.ManifestDigest; > import android.content.pm.PackageInfo; > import android.content.pm.PackageManager; > import android.content.pm.PackageManager.NameNotFoundException; > @@ -54,6 +55,8 @@ import java.util.List; > public class InstallAppProgress extends Activity implements > View.OnClickListener, OnCancelListener { > private final String TAG="InstallAppProgress"; > private boolean localLOGV = false; > + static final String EXTRA_MANIFEST_DIGEST = > + "com.android.packageinstaller.extras.manifest_digest"; > private ApplicationInfo mAppInfo; > private Uri mPackageURI; > private ProgressBar mProgressBar; > @@ -254,8 +257,9 @@ public class InstallAppProgress extends Activity > implements View.OnClickListener > Uri referrer = > getIntent().getParcelableExtra(Intent.EXTRA_REFERRER); > int originatingUid = > getIntent().getIntExtra(Intent.EXTRA_ORIGINATING_UID, > VerificationParams.NO_UID); > + ManifestDigest manifestDigest = > getIntent().getParcelableExtra(EXTRA_MANIFEST_DIGEST); > VerificationParams verificationParams = new > VerificationParams(null, originatingURI, > - referrer, originatingUid, null); > + referrer, originatingUid, manifestDigest); > PackageInstallObserver observer = new > PackageInstallObserver(); > > if ("package".equals(mPackageURI.getScheme())) { > diff --git > a/src/com/android/packageinstaller/PackageInstallerActivity.java > b/src/com/android/packageinstaller/PackageInstallerActivity.java > index 4a6db21..4d7b0c0 100644 > --- a/src/com/android/packageinstaller/PackageInstallerActivity.java > +++ b/src/com/android/packageinstaller/PackageInstallerActivity.java > @@ -26,6 +26,7 @@ import > android.content.DialogInterface.OnCancelListener; > import android.content.Intent; > import android.content.SharedPreferences; > import android.content.pm.ApplicationInfo; > +import android.content.pm.ManifestDigest; > import android.content.pm.PackageInfo; > import android.content.pm.PackageManager; > import android.content.pm.PackageUserState; > @@ -69,6 +70,7 @@ public class PackageInstallerActivity extends > Activity > implements OnCancelListen > private Uri mOriginatingURI; > private Uri mReferrerURI; > private int mOriginatingUid = VerificationParams.NO_UID; > + private ManifestDigest mPkgDigest; > > private boolean localLOGV = false; > PackageManager mPm; > @@ -520,6 +522,7 @@ public class PackageInstallerActivity extends > Activity implements OnCancelListen > mPkgInfo = PackageParser.generatePackageInfo(parsed, > null, > PackageManager.GET_PERMISSIONS, 0, 0, null, > new PackageUserState()); > + mPkgDigest = parsed.manifestDigest; > as = PackageUtil.getAppSnippet(this, > mPkgInfo.applicationInfo, sourceFile); > } > > @@ -656,6 +659,7 @@ public class PackageInstallerActivity extends > Activity implements OnCancelListen > mPkgInfo.applicationInfo); > newIntent.setData(mPackageURI); > newIntent.setClass(this, InstallAppProgress.class); > + > newIntent.putExtra(InstallAppProgress.EXTRA_MANIFEST_DIGEST, > mPkgDigest); > String installerPackageName = > getIntent().getStringExtra( > Intent.EXTRA_INSTALLER_PACKAGE_NAME); > if (mOriginatingURI != null) { > diff --git a/src/com/android/packageinstaller/PackageUtil.java > b/src/com/android/packageinstaller/PackageUtil.java > index 8681bfc..20dce43 100644 > --- a/src/com/android/packageinstaller/PackageUtil.java > +++ b/src/com/android/packageinstaller/PackageUtil.java > @@ -72,6 +72,7 @@ public class PackageUtil { > metrics.setToDefaults(); > PackageParser.Package pkg = > packageParser.parsePackage(sourceFile, > archiveFilePath, metrics, 0); > + packageParser.collectCertificates(pkg, 0); > // Nuke the parser reference. > packageParser = null; > return pkg; -- Paul Kocialkowski, Replicant developer Replicant is a fully free Android distribution running on several devices, a free software mobile operating system putting the emphasis on freedom and privacy/security. Website: https://www.replicant.us/ Blog: https://blog.replicant.us/ Wiki/tracker/forums: https://redmine.replicant.us/
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Replicant mailing list [email protected] http://lists.osuosl.org/mailman/listinfo/replicant
