
Open Source CERT Security Advisory 2009.6

Posted May 25, 2009
Authored by Will Drewry, Open Source CERT | Site ocert.org

Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission. Android versions greater than or equal to 1.5 CRB17 and less than or equal to 1.5 CRB42 are affected.

tags | advisory
advisories | CVE-2009-1754
SHA-256 | 4529118996146152d1d83f69c6d70389ced40256af266233bb1f2cd14f0ae955

#2009-006 Android improper package verification when using shared uids

Description:

Android, an open source mobile phone platform, improperly checks developer
certificates when installing packages that request the shared user identifier
(uid) permission.

Normally, Android applications will be allowed to share a uid if the
packages are all signed by the same developer certificate and request
permission to do so at install-time. This allows for packages from the
same author to share data. Without enforcement of that behavior, it is
possible for any application to be installed in such a manner that it
gains access to another (existing) application's data.
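
The install-time rule described above, as a simplified Python model added here for illustration; it is not Android's package manager code and not the referenced patch. The package names, certificate digests and the exact-match comparison of signer sets are assumptions of the model, and enforce=False stands in for the missing check.

```python
from collections import defaultdict

# Constructed sample inventory: (package name, requested shared uid or None,
# set of signing-certificate digests). All names and digests are made up.
INSTALLED = [
    ("com.example.mail", "com.example.shared", frozenset({"aa11"})),
    ("com.example.calendar", "com.example.shared", frozenset({"aa11"})),
    ("com.example.notes", None, frozenset({"bb22"})),
]


def may_join_shared_uid(installed, shared_uid, certs):
    """A package may join a shared uid only if its signer set equals that of
    every package already holding the uid (the first holder sets the baseline)."""
    holders = [c for _, uid, c in installed if uid == shared_uid]
    return all(c == certs for c in holders)


def install(installed, name, shared_uid, certs, enforce=True):
    """Return the new inventory, or raise if the signer check fails.
    enforce=False models an installer that skips the certificate comparison."""
    if shared_uid is not None and enforce:
        if not may_join_shared_uid(installed, shared_uid, certs):
            raise PermissionError(f"{name}: signer mismatch for {shared_uid}")
    return installed + [(name, shared_uid, frozenset(certs))]


def audit_shared_uids(installed):
    """Defender check: report shared uids whose members were not all signed
    by the same certificate set, mapped to the member package names."""
    groups = defaultdict(list)
    for name, uid, certs in installed:
        if uid is not None:
            groups[uid].append((name, certs))
    return {
        uid: sorted(n for n, _ in members)
        for uid, members in groups.items()
        if len({c for _, c in members}) > 1
    }
```

Running audit_shared_uids over a real package inventory (package name, shared uid, signer digests) shows whether any shared uid group already contains packages from different signers.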

A patch has been made available by Android (see references).


Affected version:

Android >= 1.5 CRB17 <= 1.5 CRB42


Fixed version:

Android >= 1.5 CRB43
(Android 1.0 and 1.1 are not affected)


Credit: Panasonic


CVE: CVE-2009-1754


Timeline:
2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release


References:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=5d6d773fab559fdc12e553d60d789f3991ac552c

Links:
http://android.git.kernel.org
http://android.com

Permalink:
http://www.ocert.org/advisories/ocert-2009-006.html


--
Will Drewry <redpig@ocert.org>
oCERT Team :: http://ocert.org