Please review - security-patch-bunch [until Android 4.4.3 r1] #2

Moritz Bandemer replicant at
Thu Apr 2 22:30:24 UTC 2015

I've merged the following patches to the Replicant sources and 
successfully recompiled/flashed Replicant after that for/on my device:

	Add test for CVE-2013-2094
	Detect CVE-2013-2094, the perf_event_open exploit. A patch for this 
issue can be found at
	Bug: 8962304
	Patch-files: CVE-2013-2094.patch
	Additionally please [git] add these files to the following path:
	These two files also include the following two further patches:
			CVE-2013-4254: detect perf_event validate_event bug
			More info:
			Bug: 11260636
			Add test for CVE-2014-1710.
			Detect devices vulnerable to CVE-2014-1710
			Bug: 13539903
	Patch-package: (containing the files above)
	AppSecurity: Add traffic stats test, and fix file access test
	* Fix the private file access test which would fail because the path 
was wrong.
	* Add a test that ensures the private file is actually "not accessible" 
because it can't be as opposed to it not being there: the new test 
accesses a public file created at the same time as the private file.
	* Add tests around traffic stats
		* add internet permission to app that creates data.
		* generate private traffic stats (tagged sockets).
		* read back traffic stats to make sure that only public stats are 
	Bug: 10349057
	Patch-file: Bugfix-10349057.patch
	CtsVerifier test for lock screen vulnerability fix.
	Lock screen credential reset w/o previous credentials.
	The test asks the user to first set a lock screen password and then 
launch an intent to change it, using an EXTRA that was not being 
properly validated before the vulnerability was fixed.
	Bug: 9858403
	Patch-files: Bugfix-9858403.patch
	Additionally please [git] add these files to the following path:
	Patch-package: (containing the files above)

Finally I've tested this productive device several weeks without any 

Replicant ticket reference:

Please review the patches attached [one by one or all together] and 
apply them, if you like.
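
The control-file idea from the AppSecurity patch description above (a private file only counts as protected when a public file created at the same time can be read, so a wrong path is not mistaken for protection), as an added Python example that is not part of the original message or of the CTS patch. The function names, the file names and the opener that stands in for a second app's UID are assumptions made for illustration.

```python
import os
import tempfile

def classify_read(path, opener=open):
    """Try to read one byte from path and report why it worked or failed."""
    try:
        with opener(path, "rb") as fh:
            fh.read(1)
        return "readable"
    except FileNotFoundError:
        return "missing"   # ENOENT: wrong path, or the file was never created
    except PermissionError:
        return "denied"    # EACCES/EPERM: the file is there and is protected

def check_private_file(private_path, public_path, opener=open):
    """Return 'pass', 'fail' or 'inconclusive' for the private-file check."""
    # Control: the public file is created together with the private one, so
    # if it cannot be read the path is wrong and the check proves nothing.
    if classify_read(public_path, opener) != "readable":
        return "inconclusive"
    result = classify_read(private_path, opener)
    if result == "denied":
        return "pass"
    return "fail" if result == "readable" else "inconclusive"

def opener_denying(private_path):
    """Constructed stand-in for a second app's UID: denies one path only."""
    def _open(path, mode):
        if path == private_path:
            raise PermissionError(13, "Permission denied", path)
        return open(path, mode)
    return _open

def demo():
    """Run the check on constructed files; returns the three verdicts."""
    base = tempfile.mkdtemp()
    pub, priv = os.path.join(base, "public.txt"), os.path.join(base, "private.txt")
    for p in (pub, priv):
        with open(p, "w") as fh:
            fh.write("data")
    wrong = os.path.join(base, "typo")  # directory that does not exist
    return (
        check_private_file(priv, pub, opener_denying(priv)),   # other UID
        check_private_file(priv, pub),                         # same UID
        check_private_file(os.path.join(wrong, "private.txt"),
                           os.path.join(wrong, "public.txt")), # wrong path
    )

if __name__ == "__main__":
    print(demo())
```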
