ASB-A-283006437

Import Source
https://storage.googleapis.com/android-osv/ASB-A-283006437.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-283006437
Aliases
  • A-283006437
  • CVE-2023-21270
Published
2023-08-01T00:00:00Z
Modified
2024-08-07T19:29:08.590970Z
Summary
Non-runtime permission flags aren't preserved upon APK updates
Details

In restorePermissionState of PermissionManagerServiceImpl.java, an app may be able to keep permissions that should have been revoked, because permission flags are incorrectly cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. (For the Android 12 and 12L entries, the signature targets listed below name PermissionManagerService.java rather than PermissionManagerServiceImpl.java.)

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13-next:0
Fixed
13-next:2023-08-01

Affected versions

Other

13-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 8812.0,
                "function_hash": "142246288412129094408514203199238561948"
            },
            "id": "ASB-A-283006437-b41927e2",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/75d59e2c837fe80573d005d614b5605f049d670b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "241855179621913930701588804709780155522",
                    "275479356698363652495977846336318607251",
                    "255741566803734956684115847599940359502",
                    "329511216806155411583397618051815937323",
                    "230890054020277999966381857942827090781",
                    "30743053879712092806019355833439531329",
                    "164061260477018033836468278206461597782",
                    "186425670345635799098268351722874335822",
                    "276325974263410010527862255220314547069",
                    "218520723691657242980782739382052017414",
                    "155526587664885433202374294265209902170",
                    "204856196167746811870896199949595693266",
                    "295885706405182841829403271221225263171",
                    "145729099851963986731834857453604949671",
                    "292148157103032482322089350809150613971",
                    "167382233552830894443080007920035353773",
                    "314429486213177128614653224747932411797",
                    "276325974263410010527862255220314547069",
                    "118032391002288377293566182663078948299",
                    "314595102839975675297811354990239556759",
                    "120323400186829302355158193795315749404",
                    "163986750517143368853988482277776772815",
                    "197201103724724939510754681281531348217",
                    "194974524402462089005617861962819942918",
                    "92828404067021723650658033648695093647",
                    "166946909467751980189952350180328577663",
                    "15866680198536122678978656592794424777",
                    "176595566564772642823644730206600131131",
                    "178686642698283105794922610506754798137",
                    "234428186770411006908902272106075667589",
                    "75963442116464278584509164306047510920",
                    "74776902845116693701746993520768117870",
                    "12555057430024890003862183139881997738",
                    "107490859850623254815892131356663147820",
                    "194923508558333860654626642113920483145",
                    "25435482031621032640164583620808387257",
                    "286001486748147234981313512722507028679",
                    "20353192589936882140155114595647809471",
                    "249850546937422752978060123149387108317",
                    "259493669906692371733530881195881315277",
                    "331702832483086198673641645128446701892",
                    "112187493214145262221793608858508324924",
                    "73191787758393067461880425633411347621",
                    "67881705992814538402892150868489171754"
                ]
            },
            "id": "ASB-A-283006437-df1c9da6",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/75d59e2c837fe80573d005d614b5605f049d670b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/75d59e2c837fe80573d005d614b5605f049d670b"
    ],
    "spl": "2023-08-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/packages/apps/Launcher3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13-next:0
Fixed
13-next:2023-08-01

Affected versions

Other

13-next

Ecosystem specific

{
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Launcher3/+/6f7a11861f9158061e90d0645c4d891f29cdfc59"
    ],
    "spl": "2023-08-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2023-08-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 8212.0,
                "function_hash": "245572871958414356327954138591672841843"
            },
            "id": "ASB-A-283006437-1ee35752",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "241855179621913930701588804709780155522",
                    "275479356698363652495977846336318607251",
                    "255741566803734956684115847599940359502",
                    "329511216806155411583397618051815937323",
                    "230890054020277999966381857942827090781",
                    "30743053879712092806019355833439531329",
                    "164061260477018033836468278206461597782",
                    "186425670345635799098268351722874335822",
                    "276325974263410010527862255220314547069",
                    "218520723691657242980782739382052017414",
                    "155526587664885433202374294265209902170",
                    "204856196167746811870896199949595693266",
                    "295885706405182841829403271221225263171",
                    "145729099851963986731834857453604949671",
                    "292148157103032482322089350809150613971",
                    "167382233552830894443080007920035353773",
                    "314429486213177128614653224747932411797",
                    "276325974263410010527862255220314547069",
                    "118032391002288377293566182663078948299",
                    "314595102839975675297811354990239556759",
                    "163722187449539808166127513629106944859",
                    "146762435681937213432946232827403882886",
                    "37911553657853436485296153724958281419",
                    "108645160186932075327622118651056146738",
                    "92828404067021723650658033648695093647",
                    "166946909467751980189952350180328577663",
                    "15866680198536122678978656592794424777",
                    "176595566564772642823644730206600131131",
                    "178686642698283105794922610506754798137",
                    "234428186770411006908902272106075667589",
                    "75963442116464278584509164306047510920",
                    "74776902845116693701746993520768117870",
                    "12555057430024890003862183139881997738",
                    "107490859850623254815892131356663147820",
                    "194923508558333860654626642113920483145",
                    "25435482031621032640164583620808387257",
                    "286001486748147234981313512722507028679",
                    "20353192589936882140155114595647809471",
                    "249850546937422752978060123149387108317",
                    "160578629446369328838463630213056123111",
                    "55800704381838252904979346999253933746",
                    "250265219113820724228197185886707073118",
                    "19782484586458661874039702862718242670",
                    "25424149211409059614636043450427951459"
                ]
            },
            "id": "ASB-A-283006437-444d16b0",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f"
    ],
    "spl": "2023-08-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2023-08-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "241855179621913930701588804709780155522",
                    "275479356698363652495977846336318607251",
                    "255741566803734956684115847599940359502",
                    "329511216806155411583397618051815937323",
                    "230890054020277999966381857942827090781",
                    "30743053879712092806019355833439531329",
                    "164061260477018033836468278206461597782",
                    "186425670345635799098268351722874335822",
                    "276325974263410010527862255220314547069",
                    "218520723691657242980782739382052017414",
                    "155526587664885433202374294265209902170",
                    "204856196167746811870896199949595693266",
                    "295885706405182841829403271221225263171",
                    "145729099851963986731834857453604949671",
                    "292148157103032482322089350809150613971",
                    "167382233552830894443080007920035353773",
                    "314429486213177128614653224747932411797",
                    "276325974263410010527862255220314547069",
                    "118032391002288377293566182663078948299",
                    "314595102839975675297811354990239556759",
                    "163722187449539808166127513629106944859",
                    "146762435681937213432946232827403882886",
                    "37911553657853436485296153724958281419",
                    "108645160186932075327622118651056146738",
                    "92828404067021723650658033648695093647",
                    "166946909467751980189952350180328577663",
                    "15866680198536122678978656592794424777",
                    "176595566564772642823644730206600131131",
                    "178686642698283105794922610506754798137",
                    "234428186770411006908902272106075667589",
                    "75963442116464278584509164306047510920",
                    "74776902845116693701746993520768117870",
                    "12555057430024890003862183139881997738",
                    "107490859850623254815892131356663147820",
                    "194923508558333860654626642113920483145",
                    "25435482031621032640164583620808387257",
                    "286001486748147234981313512722507028679",
                    "20353192589936882140155114595647809471",
                    "249850546937422752978060123149387108317",
                    "160578629446369328838463630213056123111",
                    "55800704381838252904979346999253933746",
                    "250265219113820724228197185886707073118",
                    "19782484586458661874039702862718242670",
                    "25424149211409059614636043450427951459"
                ]
            },
            "id": "ASB-A-283006437-2df8e8a0",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 8212.0,
                "function_hash": "245572871958414356327954138591672841843"
            },
            "id": "ASB-A-283006437-a3f25229",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f"
    ],
    "spl": "2023-08-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2023-08-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 8661.0,
                "function_hash": "145104657252555869640414577518760746497"
            },
            "id": "ASB-A-283006437-11162f0b",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/4ebd48959ce962b87c3468724ee4d7390714e3f3",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "241855179621913930701588804709780155522",
                    "275479356698363652495977846336318607251",
                    "255741566803734956684115847599940359502",
                    "329511216806155411583397618051815937323",
                    "230890054020277999966381857942827090781",
                    "30743053879712092806019355833439531329",
                    "164061260477018033836468278206461597782",
                    "186425670345635799098268351722874335822",
                    "276325974263410010527862255220314547069",
                    "218520723691657242980782739382052017414",
                    "155526587664885433202374294265209902170",
                    "204856196167746811870896199949595693266",
                    "295885706405182841829403271221225263171",
                    "145729099851963986731834857453604949671",
                    "292148157103032482322089350809150613971",
                    "167382233552830894443080007920035353773",
                    "314429486213177128614653224747932411797",
                    "276325974263410010527862255220314547069",
                    "118032391002288377293566182663078948299",
                    "314595102839975675297811354990239556759",
                    "163722187449539808166127513629106944859",
                    "146762435681937213432946232827403882886",
                    "37911553657853436485296153724958281419",
                    "108645160186932075327622118651056146738",
                    "92828404067021723650658033648695093647",
                    "166946909467751980189952350180328577663",
                    "15866680198536122678978656592794424777",
                    "176595566564772642823644730206600131131",
                    "178686642698283105794922610506754798137",
                    "234428186770411006908902272106075667589",
                    "75963442116464278584509164306047510920",
                    "74776902845116693701746993520768117870",
                    "12555057430024890003862183139881997738",
                    "107490859850623254815892131356663147820",
                    "194923508558333860654626642113920483145",
                    "25435482031621032640164583620808387257",
                    "286001486748147234981313512722507028679",
                    "20353192589936882140155114595647809471",
                    "249850546937422752978060123149387108317",
                    "160578629446369328838463630213056123111",
                    "55800704381838252904979346999253933746",
                    "250265219113820724228197185886707073118",
                    "19782484586458661874039702862718242670",
                    "25424149211409059614636043450427951459"
                ]
            },
            "id": "ASB-A-283006437-437192db",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/4ebd48959ce962b87c3468724ee4d7390714e3f3",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/4ebd48959ce962b87c3468724ee4d7390714e3f3"
    ],
    "spl": "2023-08-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}