Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission. Android versions greater and equal to 1.5 CRB17 and less than or equal to 1.5 CRB42 are affected.
4529118996146152d1d83f69c6d70389ced40256af266233bb1f2cd14f0ae955
#2009-006 Android improper package verification when using shared uids
Description:
Android, an open source mobile phone platform, improperly checks developer
certificates when installing packages that request the shared user identifier
(uid) permission.
Normally, Android applications will be allowed to share a uid if the
packages are all signed by the same developer certificate and request
permission to do so at install-time. This allows for packages from the
same author to share data. Without enforcement of that behavior, it is
possible for any application to be installed in such a manner that it
gains access to another (existing) application's data.
A patch has been made available by Android (see references).
Affected version:
Android >= 1.5 CRB17 <= 1.5 CRB42
Fixed version:
Android >= 1.5 CRB43
(Android 1.0 and 1.1 are not affected)
Credit: Panasonic
CVE: CVE-2009-1754
Timeline:
2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release
References:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=5d6d773fab559fdc12e553d60d789f3991ac552c
Links:
http://android.git.kernel.org
http://android.com
Permalink:
http://www.ocert.org/advisories/ocert-2009-006.html
--
Will Drewry <redpig@ocert.org>
oCERT Team :: http://ocert.org