[Replicant] [PATCH] Add manifest to verification params
Paul Kocialkowski
contact at paulk.fr
Thu Sep 3 13:35:29 UTC 2015
Le vendredi 24 juillet 2015 à 00:06 +0200, Moritz Bandemer a écrit :
> This is the .patch for bug #1257:
> http://redmine.replicant.us/issues/1257
>
> I've merged the patch from here:
> https://android.googlesource.com/platform/packages/apps/PackageInstal
> ler/+/2b3202c3ff18469b294629bf1416118f12492173
> to the Replicant sources and successfully recompiled Replicant after
> that for my device.
>
> After flashing the patched Replicant, I've tested my productive
> device
> several weeks without any misbehavior.
> Furthermore, I've successfully checked that Replicant isn't vulnerable
> to
> the "Installer Hijacking Vulnerability" anymore.
>
> Please review the patch, inline attached below, and apply it if you
> like:
For the record, this patch was merged.
> ###
>
> From 247913ca358693f44c66ad603c600e229b43a6c1 Mon Sep 17 00:00:00
> 2001
> From: Kenny Root <kroot at google.com>
> Date: Thu, 14 Mar 2013 09:41:18 -0700
> Subject: [PATCH] Add manifest to verification params
>
> Change-Id: I088ab981cb56d4f156b6ff910d6a2270e3302dc4
> Signed-off-by: Kenny Root <kroot at google.com> Signed-off-by: Moritz
> Bandemer <replicant at posteo.mx>
> ---
> src/com/android/packageinstaller/InstallAppProgress.java | 6
> +++++-
> src/com/android/packageinstaller/PackageInstallerActivity.java | 4
> ++++
> src/com/android/packageinstaller/PackageUtil.java | 1
> +
> 3 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/src/com/android/packageinstaller/InstallAppProgress.java
> b/src/com/android/packageinstaller/InstallAppProgress.java
> index fc82078..71c792e 100755
> --- a/src/com/android/packageinstaller/InstallAppProgress.java
> +++ b/src/com/android/packageinstaller/InstallAppProgress.java
> @@ -24,6 +24,7 @@ import
> android.content.DialogInterface.OnCancelListener;
> import android.content.Intent;
> import android.content.pm.ApplicationInfo;
> import android.content.pm.IPackageInstallObserver;
> +import android.content.pm.ManifestDigest;
> import android.content.pm.PackageInfo;
> import android.content.pm.PackageManager;
> import android.content.pm.PackageManager.NameNotFoundException;
> @@ -54,6 +55,8 @@ import java.util.List;
> public class InstallAppProgress extends Activity implements
> View.OnClickListener, OnCancelListener {
> private final String TAG="InstallAppProgress";
> private boolean localLOGV = false;
> + static final String EXTRA_MANIFEST_DIGEST =
> + "com.android.packageinstaller.extras.manifest_digest";
> private ApplicationInfo mAppInfo;
> private Uri mPackageURI;
> private ProgressBar mProgressBar;
> @@ -254,8 +257,9 @@ public class InstallAppProgress extends Activity
> implements View.OnClickListener
> Uri referrer =
> getIntent().getParcelableExtra(Intent.EXTRA_REFERRER);
> int originatingUid =
> getIntent().getIntExtra(Intent.EXTRA_ORIGINATING_UID,
> VerificationParams.NO_UID);
> + ManifestDigest manifestDigest =
> getIntent().getParcelableExtra(EXTRA_MANIFEST_DIGEST);
> VerificationParams verificationParams = new
> VerificationParams(null, originatingURI,
> - referrer, originatingUid, null);
> + referrer, originatingUid, manifestDigest);
> PackageInstallObserver observer = new
> PackageInstallObserver();
>
> if ("package".equals(mPackageURI.getScheme())) {
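Review bot: `getIntent().getParcelableExtra(EXTRA_MANIFEST_DIGEST)` returns null when the launching intent carries no digest, and that null is handed to `VerificationParams` exactly as before the patch. In that case the install presumably proceeds without tying the file on disk to the manifest the user reviewed. For file-based installs a missing digest should at least be visible in the log, e.g. `if (manifestDigest == null && !"package".equals(mPackageURI.getScheme())) Log.w(TAG, "No manifest digest supplied for " + mPackageURI);`, and failing the install is worth considering. The enclosing method starts and ends outside the hunk, so whether this activity can be reached without the extra cannot be confirmed from here.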
> diff --git
> a/src/com/android/packageinstaller/PackageInstallerActivity.java
> b/src/com/android/packageinstaller/PackageInstallerActivity.java
> index 4a6db21..4d7b0c0 100644
> --- a/src/com/android/packageinstaller/PackageInstallerActivity.java
> +++ b/src/com/android/packageinstaller/PackageInstallerActivity.java
> @@ -26,6 +26,7 @@ import
> android.content.DialogInterface.OnCancelListener;
> import android.content.Intent;
> import android.content.SharedPreferences;
> import android.content.pm.ApplicationInfo;
> +import android.content.pm.ManifestDigest;
> import android.content.pm.PackageInfo;
> import android.content.pm.PackageManager;
> import android.content.pm.PackageUserState;
> @@ -69,6 +70,7 @@ public class PackageInstallerActivity extends
> Activity
> implements OnCancelListen
> private Uri mOriginatingURI;
> private Uri mReferrerURI;
> private int mOriginatingUid = VerificationParams.NO_UID;
> + private ManifestDigest mPkgDigest;
>
> private boolean localLOGV = false;
> PackageManager mPm;
> @@ -520,6 +522,7 @@ public class PackageInstallerActivity extends
> Activity implements OnCancelListen
> mPkgInfo = PackageParser.generatePackageInfo(parsed,
> null,
> PackageManager.GET_PERMISSIONS, 0, 0, null,
> new PackageUserState());
> + mPkgDigest = parsed.manifestDigest;
> as = PackageUtil.getAppSnippet(this,
> mPkgInfo.applicationInfo, sourceFile);
> }
>
> @@ -656,6 +659,7 @@ public class PackageInstallerActivity extends
> Activity implements OnCancelListen
> mPkgInfo.applicationInfo);
> newIntent.setData(mPackageURI);
> newIntent.setClass(this, InstallAppProgress.class);
> +
> newIntent.putExtra(InstallAppProgress.EXTRA_MANIFEST_DIGEST,
> mPkgDigest);
> String installerPackageName =
> getIntent().getStringExtra(
> Intent.EXTRA_INSTALLER_PACKAGE_NAME);
> if (mOriginatingURI != null) {
> diff --git a/src/com/android/packageinstaller/PackageUtil.java
> b/src/com/android/packageinstaller/PackageUtil.java
> index 8681bfc..20dce43 100644
> --- a/src/com/android/packageinstaller/PackageUtil.java
> +++ b/src/com/android/packageinstaller/PackageUtil.java
> @@ -72,6 +72,7 @@ public class PackageUtil {
> metrics.setToDefaults();
> PackageParser.Package pkg =
> packageParser.parsePackage(sourceFile,
> archiveFilePath, metrics, 0);
> + packageParser.collectCertificates(pkg, 0);
> // Nuke the parser reference.
> packageParser = null;
> return pkg;
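Review bot: The added `packageParser.collectCertificates(pkg, 0);` uses `pkg` without a null check and discards the call's result. If `parsePackage` can return null for an unparsable archive (not shown in the hunk), this line would throw. If certificate collection fails, `pkg.manifestDigest` is likely left unset, so `PackageInstallerActivity` forwards a null digest and the verification this patch adds silently does nothing. Assuming the call reports failure through its boolean return, I would write `if (pkg != null && !packageParser.collectCertificates(pkg, 0)) { pkg = null; }` so a failed collection surfaces as a parse failure. The enclosing method begins and closes outside the hunk.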
--
Paul Kocialkowski, Replicant developer
Replicant is a fully free Android distribution running on several
devices, a free software mobile operating system putting the emphasis
on
freedom and privacy/security.
Website: https://www.replicant.us/
Blog: https://blog.replicant.us/
Wiki/tracker/forums: https://redmine.replicant.us/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20150903/3ab89340/attachment-0001.asc>