google / archive-patcher

Automatically exported from code.google.com/p/archive-patcher
Apache License 2.0

Please open a security advisory #172

Open JLLeitschuh opened 3 years ago

JLLeitschuh commented 3 years ago

Hello,

I'm an independent security researcher performing security research under the GitHub Security Lab Bug Bounty Program. I believe I may have found a security vulnerability in this project.

Please open a security advisory against this repository so we can privately discuss the details. This advisory can be opened by a user with admin permissions on this repository.

https://github.com/google/archive-patcher/security/advisories

omernebil commented 3 years ago

Hello,

You can provide detailed information on the vulnerability to g.co/AndroidSecurityReport. This will route it into Google's queue of investigation.

Thank you.

JLLeitschuh commented 3 years ago

This has been reported here: https://issuetracker.google.com/issues/178709136

omernebil commented 3 years ago

Thank you again for reporting the issue.

The issue was determined not to be a vulnerability and is being treated as a regular project issue. For this reason, we aren't looking for a security advisory or CVE assignment. We made the necessary changes in our codebase to handle this. The fixes will be cut in the next release cycle.

We can mark this report as resolved now.

JLLeitschuh commented 3 years ago

> The issue was determined not to be a vulnerability and is being treated as a regular project issue. For this reason, we aren't looking for a security advisory or CVE assignment.

Hi!

Could you elaborate a bit more on why you don't believe that this is a vulnerability?

omernebil commented 3 years ago

Our investigation showed that:

JLLeitschuh commented 3 years ago

If this vulnerable code is being executed on Android, the system temporary directory on Android is /sdcard on Ice Cream and before.

https://github.com/google/guava/issues/4011#issuecomment-772892561

As such, file permissions are completely ignored and any other app can rewrite the contents of the files written to /sdcard.

My original disclosure didn't actually consider Android. Did your analysis consider cases where this vulnerable code was executed on a unix-like system that was not on Android?

In the unix-like system case, doesn't the local information disclosure vulnerability exist?

From my reading of this project's README, there is no indication that this project's code is run exclusively on Android. As such, all runnable location contexts need to be considered, correct?
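An added example (not code from archive-patcher or from either participant) illustrating the unix-like-system case raised above: a temp file created with `java.io.File.createTempFile` gets its mode from the process umask (often 0644, so readable by other local users), while `java.nio.file.Files.createTempFile` can apply an owner-only mode atomically at creation. The prefix/suffix strings and the `isOtherReadable` helper are assumptions for the demo; it needs a POSIX filesystem.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempFilePermissionCheck {
    // Permission bits that let a different local user (same group or anyone) read the file.
    private static final Set<PosixFilePermission> READABLE_BY_OTHERS =
            EnumSet.of(PosixFilePermission.GROUP_READ, PosixFilePermission.OTHERS_READ);

    // Hypothetical helper: true if the file's mode exposes it to other local users.
    static boolean isOtherReadable(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.stream().anyMatch(READABLE_BY_OTHERS::contains);
    }

    public static void main(String[] args) throws IOException {
        // Legacy pattern: mode is whatever the umask yields in the shared temp directory.
        File legacy = File.createTempFile("patch-", ".tmp");
        legacy.deleteOnExit();

        // Hardened pattern: explicit rw------- mode set when the file is created,
        // so there is no window in which other users can open it.
        Path hardened = Files.createTempFile("patch-", ".tmp",
                PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rw-------")));
        hardened.toFile().deleteOnExit();

        System.out.println("legacy   " + legacy
                + " readable-by-others=" + isOtherReadable(legacy.toPath()));
        System.out.println("hardened " + hardened
                + " readable-by-others=" + isOtherReadable(hardened));
    }
}
```

The permission-mode fix does not help on the old Android /sdcard case from the post above, where the filesystem ignores POSIX modes; there the mitigation is an app-private directory rather than the shared system temp location.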

omernebil commented 3 years ago

Archive Patcher is exclusive to Android, and that's a great point that this is not clear in the documentation and it's confusing. We'll open up an issue to fix that; thank you!

JLLeitschuh commented 3 years ago

Your "compatibility window" seems to indicate that it is also intended to be run on Linux.

https://github.com/google/archive-patcher#compatibility-window