ASB-A-264029851

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-264029851.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-264029851
Aliases
  • A-264029851
  • CVE-2023-35674
Published
2023-09-01T00:00:00Z
Modified
2024-08-07T19:29:48.949681Z
Summary
Background Activity Launch via TYPE_PRESENTATION
Details

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13-next:0
Fixed
13-next:2023-09-01

Affected versions

Other

13-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "185024076188985592697592657200111398921",
                    "255133638716784176650648678599829280208",
                    "221334879092567230297954167268086863808",
                    "104232059452926191079370652715497707313",
                    "17577955838972545061065088638555892591",
                    "340092115117716892634110623799607735440",
                    "3955563167083734528194287429410886808",
                    "142705210300934374365406619340716582477"
                ]
            },
            "id": "ASB-A-264029851-45f4d0bb",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/050005fd2f19a5bc2d7a1c7786b4ded1945fb807",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 461.0,
                "function_hash": "40944750017110693121515483246201261836"
            },
            "id": "ASB-A-264029851-faa2b792",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/050005fd2f19a5bc2d7a1c7786b4ded1945fb807",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java",
                "function": "onSurfaceShownChanged"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/050005fd2f19a5bc2d7a1c7786b4ded1945fb807"
    ],
    "spl": "2023-09-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2023-09-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "97260578544918248991463186177328886441",
                    "119343172529379441452430847437454128779",
                    "215138338139349316760125805301963934604",
                    "48223376524673286516200772446024508334",
                    "172239829722657991414987393139096621482",
                    "334997900967039618802761655709050408035",
                    "168345275794499243708915044743680084759",
                    "108738882280443592871400280875675509294",
                    "29356192979170191859971992315528918007",
                    "210158276655113248346893409686026237450",
                    "30214045548178003426689801848769202821"
                ]
            },
            "id": "ASB-A-264029851-1ae9f4f4",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/07019d9060d31d12b1d2cbb10635dfaa1b36c95c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 151.0,
                "function_hash": "282644488101311748694964662225614431131"
            },
            "id": "ASB-A-264029851-c22b6fb2",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/07019d9060d31d12b1d2cbb10635dfaa1b36c95c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java",
                "function": "isNonToastOrStartingOrPrivatePresentation"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/07019d9060d31d12b1d2cbb10635dfaa1b36c95c"
    ],
    "spl": "2023-09-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2023-09-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 566.0,
                "function_hash": "168749629929425575047631186685372659187"
            },
            "id": "ASB-A-264029851-09170f03",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/bf60a0c6f153a55714d4879bb6cf5b239381a22a",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java",
                "function": "onSurfaceShownChanged"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "197372349787029204334728444664611643510",
                    "309997718070563876267114674274505731218",
                    "221334879092567230297954167268086863808",
                    "104232059452926191079370652715497707313",
                    "113282503497021672669107396203861564138",
                    "4565792421663824132010776155881907794",
                    "3955563167083734528194287429410886808",
                    "142705210300934374365406619340716582477"
                ]
            },
            "id": "ASB-A-264029851-ee825087",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/bf60a0c6f153a55714d4879bb6cf5b239381a22a",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/bf60a0c6f153a55714d4879bb6cf5b239381a22a"
    ],
    "spl": "2023-09-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2023-09-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 573.0,
                "function_hash": "333509893200142190169172937928280843382"
            },
            "id": "ASB-A-264029851-54d4deca",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/42557cb5710527a3ed1a6683d2dad82777ba34de",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java",
                "function": "onSurfaceShownChanged"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "197372349787029204334728444664611643510",
                    "309997718070563876267114674274505731218",
                    "221334879092567230297954167268086863808",
                    "104232059452926191079370652715497707313",
                    "195434201744059629031553280034407819621",
                    "4565792421663824132010776155881907794",
                    "3955563167083734528194287429410886808",
                    "142705210300934374365406619340716582477"
                ]
            },
            "id": "ASB-A-264029851-87fed0b0",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/42557cb5710527a3ed1a6683d2dad82777ba34de",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/42557cb5710527a3ed1a6683d2dad82777ba34de"
    ],
    "spl": "2023-09-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2023-09-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 426.0,
                "function_hash": "18693669996602847281805167538283739496"
            },
            "id": "ASB-A-264029851-61afed30",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/5bf9607bec3f1224158cfcff7dd91ac558b46c0f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java",
                "function": "onSurfaceShownChanged"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "197372349787029204334728444664611643510",
                    "309997718070563876267114674274505731218",
                    "221334879092567230297954167268086863808",
                    "104232059452926191079370652715497707313",
                    "17577955838972545061065088638555892591",
                    "340092115117716892634110623799607735440",
                    "3955563167083734528194287429410886808",
                    "142705210300934374365406619340716582477"
                ]
            },
            "id": "ASB-A-264029851-ccc1de09",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/5bf9607bec3f1224158cfcff7dd91ac558b46c0f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowState.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/5bf9607bec3f1224158cfcff7dd91ac558b46c0f"
    ],
    "spl": "2023-09-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}