In verifyReplacingVersionCode of InstallPackageHelper.java, there is a possible way to downgrade system apps below system image version due to a logic error in the code. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1452.0, "function_hash": "237048816979219317842714686710299000619" }, "id": "ASB-A-256202273-689b7777", "source": "https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" }, { "digest": { "length": 1956.0, "function_hash": "275082727597709184000753424244299309763" }, "id": "ASB-A-256202273-6cc4f59f", "source": "https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "63605175448109501863603615311893262621", "173546225366185263187613276852006820736", "326190137785252094978958267753154377116", "121636430540856708905499819382202482171", "12470100640675359785548563315199428325", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "192309566731849079405040014069155480488", "240044076485628183343597920015476546646", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035" ] }, "id": "ASB-A-256202273-d4508c35", "source": "https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "252983177159641901497723896441268108671", "289387077589455534524918148746428779006", "166768919924717948816029414026291778836", "118651231370392224840236119108995357589", "329066948714175627806594661537085099266", "145223966657233973943848442135262436020", "152484718102809675440709313061526254350", "230304300726357595687715847273695966229", "320009394454379053579531924820497384068", "43546057785041335342916011230490229185", "9246424559103928267710257347131600408", "19143163316148291948041402688674573657", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-256202273-f49fe111", "source": "https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586", "https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e" ], "spl": "2023-05-01", "severity": "Moderate", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 2261.0, "function_hash": "151921374874206919726116965175953254668" }, "id": "ASB-A-256202273-29b9f5a6", "source": "https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "installLocationPolicy" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "222045767716832383749242769202942973343", "172263085076743103645302221398148206822", "18446807281274191545814384627051110285", "112297621029225928974437681997739513542", "331518267978878963206822687149281344246", "250787900086695259348937561781946441234", "160051001919916929319362551830565128885", "197310569562891636888240421344010323645", "51496819919166146182184529611958472721", "271137473222270698938701965978340802630", "255775851074356921542275084611197677254", "201364310431016264446019349512943794105" ] }, "id": "ASB-A-256202273-b8a8a16d", "source": "https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1826.0, "function_hash": "173837231139755839627835745645918749546" }, "id": "ASB-A-256202273-ef86efed", "source": "https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "installLocationPolicy" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "323383019452950439022721587221536495956", "141646107424512681860211450863645381191", "232267897797497898648796255356180266969", "2370870929644306747326625601258318868", "224242779210801795990559495442269668968", "178573985239065263248700329163361724145", "5330287858347148278703152876231282746", "302345260809465962585949430366062394237", "80355994349317547252844873612813219058", "124486400087777756658524270427987607217", "95769274484975723426472180748048707264", "64241799393178439299039606659250128714", "62892260601654439480810485495744612527", "146314910599677978638984550390834355582", "241325659543729037384589779924087367784", "17841186410307136095848426418010374499", "201364310431016264446019349512943794105", "132157817494603273266127851704263228499" ] }, "id": "ASB-A-256202273-ef9b11e7", "source": "https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee", "https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1" ], "spl": "2023-05-01", "severity": "Moderate", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "63605175448109501863603615311893262621", "250142924094795662928341993625371411063", "18446807281274191545814384627051110285", "340165447095735351540002167618760511049", "248542275005549700453051888874914133157", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "249134487297397458092309921339558148163", "233737105932200566546070308756911750531", "258319162602653658646703650914315289041", "295605658156574038169729860859021103416" ] }, "id": "ASB-A-256202273-02759271", "source": "https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1563.0, "function_hash": "324227939287504300206201911245919687108" }, "id": "ASB-A-256202273-4b6a4f7c", "source": "https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" }, { "digest": { "length": 1111.0, "function_hash": "250529198514725569443102932472638047305" }, "id": "ASB-A-256202273-9bac9516", "source": "https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "131655243573161465468771858895034204693", "291195504830007423434832839912940856673", "163754913564646426883622002668483255590", "227106837693655100677620947068783042509", "104806414475779496517183112360544567596", "266471921177581853385264246682457700002", "5330287858347148278703152876231282746", "302345260809465962585949430366062394237", "80355994349317547252844873612813219058", "124486400087777756658524270427987607217", "95769274484975723426472180748048707264", "64241799393178439299039606659250128714", "62892260601654439480810485495744612527", "45426094693595652196730483522232069233", "122916161304883719854949885499528448722", "328468289020675297204756527397870397097", "295605658156574038169729860859021103416", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-256202273-9bf563d5", "source": "https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1", "https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9" ], "spl": "2023-05-01", "severity": "Moderate", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1111.0, "function_hash": "250529198514725569443102932472638047305" }, "id": "ASB-A-256202273-556bc385", "source": "https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "131655243573161465468771858895034204693", "291195504830007423434832839912940856673", "163754913564646426883622002668483255590", "227106837693655100677620947068783042509", "104806414475779496517183112360544567596", "266471921177581853385264246682457700002", "5330287858347148278703152876231282746", "302345260809465962585949430366062394237", "80355994349317547252844873612813219058", "124486400087777756658524270427987607217", "95769274484975723426472180748048707264", "64241799393178439299039606659250128714", "62892260601654439480810485495744612527", "45426094693595652196730483522232069233", "122916161304883719854949885499528448722", "328468289020675297204756527397870397097", "295605658156574038169729860859021103416", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-256202273-6313a522", "source": "https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "63605175448109501863603615311893262621", "250142924094795662928341993625371411063", "18446807281274191545814384627051110285", "340165447095735351540002167618760511049", "248542275005549700453051888874914133157", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "249134487297397458092309921339558148163", "233737105932200566546070308756911750531", "258319162602653658646703650914315289041", "295605658156574038169729860859021103416" ] }, "id": "ASB-A-256202273-7dd07e5f", "source": "https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1563.0, "function_hash": "324227939287504300206201911245919687108" }, "id": "ASB-A-256202273-c5b50012", "source": "https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97", "https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592" ], "spl": "2023-05-01", "severity": "Moderate", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1956.0, "function_hash": "275082727597709184000753424244299309763" }, "id": "ASB-A-256202273-1ac3335d", "source": "https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" }, { "digest": { "length": 1452.0, "function_hash": "237048816979219317842714686710299000619" }, "id": "ASB-A-256202273-3fbed38b", "source": "https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java", "function": "verifyReplacingVersionCode" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "63605175448109501863603615311893262621", "173546225366185263187613276852006820736", "326190137785252094978958267753154377116", "121636430540856708905499819382202482171", "12470100640675359785548563315199428325", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "192309566731849079405040014069155480488", "240044076485628183343597920015476546646", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035" ] }, "id": "ASB-A-256202273-5d5f71cc", "source": "https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "252983177159641901497723896441268108671", "289387077589455534524918148746428779006", "166768919924717948816029414026291778836", "118651231370392224840236119108995357589", "329066948714175627806594661537085099266", "145223966657233973943848442135262436020", "152484718102809675440709313061526254350", "230304300726357595687715847273695966229", "320009394454379053579531924820497384068", "43546057785041335342916011230490229185", "9246424559103928267710257347131600408", "19143163316148291948041402688674573657", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-256202273-7d6c016f", "source": "https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667", "https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637" ], "spl": "2023-05-01", "severity": "Moderate", "types": [ "EoP" ] }