ASB-A-256202273

Import Source
https://storage.googleapis.com/android-osv/ASB-A-256202273.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-256202273
Aliases
  • A-256202273
  • CVE-2023-21116
Published
2023-05-01T00:00:00Z
Modified
2024-08-07T19:29:20.494841Z
Summary
"adb install -d" downgrades system apps
Details

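In verifyReplacingVersionCode of InstallPackageHelper.java, a logic error in the code makes it possible to downgrade system apps below the system image version. This could lead to local escalation of privilege, with System execution privileges needed. User interaction is not needed for exploitation. Note that the per-version signatures below target InstallPackageHelper.java only for 13 and 13-next; for 11, 12 and 12L they target PackageManagerService.java (function installLocationPolicy on 11, verifyReplacingVersionCode on 12 and 12L).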

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13-next:0
Fixed
13-next:2023-05-01

Affected versions

Other

13-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1452.0,
                "function_hash": "237048816979219317842714686710299000619"
            },
            "id": "ASB-A-256202273-689b7777",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1956.0,
                "function_hash": "275082727597709184000753424244299309763"
            },
            "id": "ASB-A-256202273-6cc4f59f",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "63605175448109501863603615311893262621",
                    "173546225366185263187613276852006820736",
                    "326190137785252094978958267753154377116",
                    "121636430540856708905499819382202482171",
                    "12470100640675359785548563315199428325",
                    "136411639950493568324331406542339470391",
                    "52084349353168562900965281274036000023",
                    "192309566731849079405040014069155480488",
                    "240044076485628183343597920015476546646",
                    "15846213334126375409777482138026109401",
                    "319783504689076465904149502568402839711",
                    "12970867237909160669962964194154689035"
                ]
            },
            "id": "ASB-A-256202273-d4508c35",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "252983177159641901497723896441268108671",
                    "289387077589455534524918148746428779006",
                    "166768919924717948816029414026291778836",
                    "118651231370392224840236119108995357589",
                    "329066948714175627806594661537085099266",
                    "145223966657233973943848442135262436020",
                    "152484718102809675440709313061526254350",
                    "230304300726357595687715847273695966229",
                    "320009394454379053579531924820497384068",
                    "43546057785041335342916011230490229185",
                    "9246424559103928267710257347131600408",
                    "19143163316148291948041402688674573657",
                    "15846213334126375409777482138026109401",
                    "319783504689076465904149502568402839711",
                    "12970867237909160669962964194154689035",
                    "108587633537507210242609878158511307392"
                ]
            },
            "id": "ASB-A-256202273-f49fe111",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586",
        "https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e"
    ],
    "spl": "2023-05-01",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2023-05-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 2261.0,
                "function_hash": "151921374874206919726116965175953254668"
            },
            "id": "ASB-A-256202273-29b9f5a6",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java",
                "function": "installLocationPolicy"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "222045767716832383749242769202942973343",
                    "172263085076743103645302221398148206822",
                    "18446807281274191545814384627051110285",
                    "112297621029225928974437681997739513542",
                    "331518267978878963206822687149281344246",
                    "250787900086695259348937561781946441234",
                    "160051001919916929319362551830565128885",
                    "197310569562891636888240421344010323645",
                    "51496819919166146182184529611958472721",
                    "271137473222270698938701965978340802630",
                    "255775851074356921542275084611197677254",
                    "201364310431016264446019349512943794105"
                ]
            },
            "id": "ASB-A-256202273-b8a8a16d",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1826.0,
                "function_hash": "173837231139755839627835745645918749546"
            },
            "id": "ASB-A-256202273-ef86efed",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java",
                "function": "installLocationPolicy"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "323383019452950439022721587221536495956",
                    "141646107424512681860211450863645381191",
                    "232267897797497898648796255356180266969",
                    "2370870929644306747326625601258318868",
                    "224242779210801795990559495442269668968",
                    "178573985239065263248700329163361724145",
                    "5330287858347148278703152876231282746",
                    "302345260809465962585949430366062394237",
                    "80355994349317547252844873612813219058",
                    "124486400087777756658524270427987607217",
                    "95769274484975723426472180748048707264",
                    "64241799393178439299039606659250128714",
                    "62892260601654439480810485495744612527",
                    "146314910599677978638984550390834355582",
                    "241325659543729037384589779924087367784",
                    "17841186410307136095848426418010374499",
                    "201364310431016264446019349512943794105",
                    "132157817494603273266127851704263228499"
                ]
            },
            "id": "ASB-A-256202273-ef9b11e7",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee",
        "https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1"
    ],
    "spl": "2023-05-01",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2023-05-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "63605175448109501863603615311893262621",
                    "250142924094795662928341993625371411063",
                    "18446807281274191545814384627051110285",
                    "340165447095735351540002167618760511049",
                    "248542275005549700453051888874914133157",
                    "136411639950493568324331406542339470391",
                    "52084349353168562900965281274036000023",
                    "249134487297397458092309921339558148163",
                    "233737105932200566546070308756911750531",
                    "258319162602653658646703650914315289041",
                    "295605658156574038169729860859021103416"
                ]
            },
            "id": "ASB-A-256202273-02759271",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1563.0,
                "function_hash": "324227939287504300206201911245919687108"
            },
            "id": "ASB-A-256202273-4b6a4f7c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1111.0,
                "function_hash": "250529198514725569443102932472638047305"
            },
            "id": "ASB-A-256202273-9bac9516",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "131655243573161465468771858895034204693",
                    "291195504830007423434832839912940856673",
                    "163754913564646426883622002668483255590",
                    "227106837693655100677620947068783042509",
                    "104806414475779496517183112360544567596",
                    "266471921177581853385264246682457700002",
                    "5330287858347148278703152876231282746",
                    "302345260809465962585949430366062394237",
                    "80355994349317547252844873612813219058",
                    "124486400087777756658524270427987607217",
                    "95769274484975723426472180748048707264",
                    "64241799393178439299039606659250128714",
                    "62892260601654439480810485495744612527",
                    "45426094693595652196730483522232069233",
                    "122916161304883719854949885499528448722",
                    "328468289020675297204756527397870397097",
                    "295605658156574038169729860859021103416",
                    "108587633537507210242609878158511307392"
                ]
            },
            "id": "ASB-A-256202273-9bf563d5",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1",
        "https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9"
    ],
    "spl": "2023-05-01",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2023-05-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1111.0,
                "function_hash": "250529198514725569443102932472638047305"
            },
            "id": "ASB-A-256202273-556bc385",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "131655243573161465468771858895034204693",
                    "291195504830007423434832839912940856673",
                    "163754913564646426883622002668483255590",
                    "227106837693655100677620947068783042509",
                    "104806414475779496517183112360544567596",
                    "266471921177581853385264246682457700002",
                    "5330287858347148278703152876231282746",
                    "302345260809465962585949430366062394237",
                    "80355994349317547252844873612813219058",
                    "124486400087777756658524270427987607217",
                    "95769274484975723426472180748048707264",
                    "64241799393178439299039606659250128714",
                    "62892260601654439480810485495744612527",
                    "45426094693595652196730483522232069233",
                    "122916161304883719854949885499528448722",
                    "328468289020675297204756527397870397097",
                    "295605658156574038169729860859021103416",
                    "108587633537507210242609878158511307392"
                ]
            },
            "id": "ASB-A-256202273-6313a522",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "63605175448109501863603615311893262621",
                    "250142924094795662928341993625371411063",
                    "18446807281274191545814384627051110285",
                    "340165447095735351540002167618760511049",
                    "248542275005549700453051888874914133157",
                    "136411639950493568324331406542339470391",
                    "52084349353168562900965281274036000023",
                    "249134487297397458092309921339558148163",
                    "233737105932200566546070308756911750531",
                    "258319162602653658646703650914315289041",
                    "295605658156574038169729860859021103416"
                ]
            },
            "id": "ASB-A-256202273-7dd07e5f",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1563.0,
                "function_hash": "324227939287504300206201911245919687108"
            },
            "id": "ASB-A-256202273-c5b50012",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97",
        "https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592"
    ],
    "spl": "2023-05-01",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2023-05-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1956.0,
                "function_hash": "275082727597709184000753424244299309763"
            },
            "id": "ASB-A-256202273-1ac3335d",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1452.0,
                "function_hash": "237048816979219317842714686710299000619"
            },
            "id": "ASB-A-256202273-3fbed38b",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java",
                "function": "verifyReplacingVersionCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "63605175448109501863603615311893262621",
                    "173546225366185263187613276852006820736",
                    "326190137785252094978958267753154377116",
                    "121636430540856708905499819382202482171",
                    "12470100640675359785548563315199428325",
                    "136411639950493568324331406542339470391",
                    "52084349353168562900965281274036000023",
                    "192309566731849079405040014069155480488",
                    "240044076485628183343597920015476546646",
                    "15846213334126375409777482138026109401",
                    "319783504689076465904149502568402839711",
                    "12970867237909160669962964194154689035"
                ]
            },
            "id": "ASB-A-256202273-5d5f71cc",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "252983177159641901497723896441268108671",
                    "289387077589455534524918148746428779006",
                    "166768919924717948816029414026291778836",
                    "118651231370392224840236119108995357589",
                    "329066948714175627806594661537085099266",
                    "145223966657233973943848442135262436020",
                    "152484718102809675440709313061526254350",
                    "230304300726357595687715847273695966229",
                    "320009394454379053579531924820497384068",
                    "43546057785041335342916011230490229185",
                    "9246424559103928267710257347131600408",
                    "19143163316148291948041402688674573657",
                    "15846213334126375409777482138026109401",
                    "319783504689076465904149502568402839711",
                    "12970867237909160669962964194154689035",
                    "108587633537507210242609878158511307392"
                ]
            },
            "id": "ASB-A-256202273-7d6c016f",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/InstallPackageHelper.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667",
        "https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637"
    ],
    "spl": "2023-05-01",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}