-
Notifications
You must be signed in to change notification settings - Fork 74
Please open a security advisory #172
Comments
Hello, You can provide detailed information on the vulnerability to g.co/AndroidSecurityReport. This will route it into Google's queue of investigation. Thank you. |
This has been reported here: https://issuetracker.google.com/issues/178709136 |
Thank you again for reporting the issue. The issue was determined not to be a vulnerability and is being treated as a regular project issue. For this reason, we aren't looking for a security advisory or CVE assignment. We made the necessary changes in our codebase to handle this. The fixes will be cut in the next release cycle. We can mark this report are resolved now. |
Hi! Could you elaborate a bit more on why you don't believe that this is a vulnerability? |
Our investigation showed that:
|
If this vulnerable code is being executed on Android, the system temporary on android is As such, file permissions are completely ignored and any other app can rewrite the contents of the files written to My original disclosure didn't actually consider android. Did your analysis consider cases where this vulnerable code was executed on a unix-like system that was not on android? In the unix-like system case, doesn't the local information disclosure vulnerability exist? From my reading of this project's README, there is no indication that this projects code is run exclusively on android, as such, all runnable location contexts need to be considered? Correct? |
Archive Patcher is exclusive to Android, and that's a great point that this is not clear in the documentation and it's confusing. We'll open up an issue to fix that; thank you! |
Your "compatibility window" seems to indicate that it is also intended to be run on linux. https://github.com/google/archive-patcher#compatibility-window |
Hello,
I'm an independent security researcher performing security research under the GitHub Security Lab Bug Bounty Program. I believe I may have found a security vulnerability in this project.
Please open a security advisory against this repository so we can privately discuss the details. This advisory can be opened by a user with admin permissions on this repository.
https://github.com/google/archive-patcher/security/advisories
The text was updated successfully, but these errors were encountered: