
Root [DEV] [UPDATE] More and more security holes to fix - Now the Triumph Security Thread

MikeRL

Android Enthusiast
Apr 8, 2012
450
194
Google patches critical Android threat as working exploit is unleashed | Ars Technica
The security hole is of course blown out of proportion by the iDevice-loving media, but we do have to address this issue. I've touched base with dsmryder on this exploit. That was yesterday. Unfortunately, one day later, the exploit is being integrated into attack toolkits. THIS SHOULD BE HIGH PRIORITY FOR ALL OF YOU GUYS TO FIX. I'm normally extremely chill with updates, but we cannot leave even the Triumph hanging with a gaping hole. No, you don't need an antivirus. Google was kind of stupid with this exploit. They fixed it in February, but not every device (including the Nexus lineup) got the update. They also haven't released the source for said update. The eggheads made it public only a day or two ago, just in time before a black hat conference next month and the exploit to be integrated into toolkits the next day. Luckily, all the CM Nightlies are already patched. However, the Triumph is vulnerable. This is bad. They didn't make it public so unless all our CM builds were rebuilt yesterday with a repo sync, the exploit is still in there. Good news is you guys do not have to do a repo sync, which would potentially break everything and cause a headache. You can cherry pick the patch from here from Gerrit, here for ICS, here for Gingerbread, and here for Jelly Bean. You can just cherry pick it, or resync and recompile if you really want to. I also recommend modifying even the stock ROM images if possible. If VM won't fix it, we should. You know that update never will come from VM. They just never gave a crap about the Triumph.

UPDATE: More unfortunate news - now we have a SECOND master key exploit. Thank God the Chinese exposed it on Sina Weibo, without going straight to the bad guys. I can find the code that's patched in short on AndroidPolice here. Problem is, I have yet to find a commit on AOSP or CM's gerrit. I will start looking for the commit; this one's unfortunately a more complex patch. I would like to ask for all Triumph devs to assist me on the hunt for this fix. I read that there are yet more vulnerabilities CM's hackers have been fixing like ninja coders. I'll try and find them so that the devs here can patch them, and so that the Triumph, while not exactly a super phone, doesn't turn into a vulnerable piece of crap (VM's stock ROM is vulnerable, just another reason to use custom ROMs, especially on older phones like the Triumph).

UPDATE: Found hole number 2's fix here and here (just different pages for basically the same thing).
 
http://arstechnica.com/security/2013/07/google-patches-critical-android-threat-as-working-exploit-is-unleashed/
The security hole is of course blown out of proportion by the iDevice-loving media, but we do have to address this issue. I've touched base with dsmryder on this exploit. That was yesterday. Unfortunately, one day later, the exploit is being integrated into attack toolkits. THIS SHOULD BE HIGH PRIORITY FOR ALL OF YOU GUYS TO FIX. I'm normally extremely chill with updates, but we cannot leave even the Triumph hanging with a gaping hole. No, you don't need an antivirus. Google was kind of stupid with this exploit. They fixed it in February, but not every device (including the Nexus lineup) got the update. They also haven't released the source for said update. The eggheads made it public only a day or two ago, just in time before a black hat conference next month and the exploit to be integrated into toolkits the next day. Luckily, all the CM Nightlies are already patched. However, the Triumph is vulnerable. This is bad. They didn't make it public so unless all our CM builds were rebuilt yesterday with a repo sync, the exploit is still in there. Good news is you guys do not have to do a repo sync, which would potentially break everything and cause a headache. You can cherry pick the patch from here. You can cherry pick: I also recommend modifying even the stock ROM images if possible. If VM won't fix it, we should. You know that update never will come from VM. They just never gave a crap about the Triumph.

The first link has an extra http://.

Looking now.


Looking at the issue it seems the biggest concern that we would have is if someone installs an app from an unknown source. That could be an issue anyway. I am going to look into what would need to be done as the patch was pushed to JB/CM10.1.
 
Mike I see the patch

Gerrit Code Review

But it's only for branch C10.1

They said
Steve Kondik (Jul 7 2:20 PM), Patch Set 1: Verified+1 Code-Review+2
Fixes CYAN-1602.

Steve Kondik (Jul 7 2:20 PM):
Change has been successfully merged into the git repository.

Steve Kondik (Jul 7 2:21 PM), Patch Set 1:
Arcee, we probably want to backport this.

Ricardo Cerqueira (Jul 7 2:46 PM), Patch Set 1:
Yeah. This week's cycle is done, so no need to hurry. I'll backport to 10, 9, and 7 when I get home.

Ricardo Cerqueira (Jul 8 6:56 AM), Patch Set 1:
OK, all branches back to CM7 are now patched

It would need to be checked as the code for our CM7 has been separated for a while now.

This is the CM7 commit. It was back in February so as we have the code I think it will need to be forced in.
 
Well, that's what I get for posting this from Firefox Nightly in the Windows 8 metro application. Yay for the fix. Good find. I'll try and update the OP with the security patch so you guys can cherry pick it if you want. You don't have to do an entire repo sync.

Oh, the CM9 stuff gets a repo sync anyway, and I'm done with the CM7 part. I haven't pushed up the CM7 changes yet. I think I still have to merge it LOL. I am back in business though, and I hope to back port the widgets from JB to GB. Work work work.
 
LOL go to sleep before I find a way to contact the wife. :D Both of you. Anyhow, all you had to do was cherry pick the patch. I don't think a security patch requires all the repo syncing. But if you wanna give the Triumph another (possibly last) hurrah go on ahead. But I ask of both of you this - you do not have to keep maintaining this fully when there's another big security hole. But I would ask, and if you need it, pay you a little something in the future to keep this phone from being vulnerable. Even though this phone is in its golden days, it still will need security patches until we all notice this forum is dead. You all do know how to selectively bring patches to CM without having to bust your butt on coding. In the future, just cherry pick the security patches I warn you about. I don't care if the phone has one person still using it, I don't want ANYONE to be vulnerable. For frig's sake, XP is 10+ years old and it is STILL getting security patches, albeit not much longer. You can hold on a year or two (or till nobody visits this forum anymore for this phone, whichever comes sooner) so we can keep the remaining Triumph users secure, right? If you all don't have time, just teach me how to copy a security patch into the code and compile. Should be somewhat easy, since I more or less minimally relied on you all for compiling last time. Ubuntu is my 50% of the time OS, after all. In fact, I'd say if it weren't for school forcing Windows on me, it'd be used way more than Windows.

That's kind of what I was saying. The code was included in February and was picked up then for our CM9 based codes. On CM7 it isn't in line with CM and couldn't be cherry picked. Anyway, it's up. For those who want it. You might still have to wipe before you flash, but I would make my backup then flash over anyway. Actually I know you might have to because of the way gapps install..... Hollla
 
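The thread's recurring question is whether a security fix is already in a tree that split off from upstream and, if not, whether it cherry-picks cleanly. The script below is an added example, not code from the thread or from CyanogenMod. It answers that question on a constructed toy repository whose branch, file and commit names are all made up.

```shell
#!/bin/sh
# Added example on a constructed toy repo, not the CyanogenMod or Triumph tree.
# Branch names, file names and commit messages are made up.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Print "present" if commit $2 (or a commit with the same patch-id) is already
# on branch $1; otherwise cherry-pick it and print "applied" or "conflict".
port_fix() {
    branch=$1 fix=$2
    if git merge-base --is-ancestor "$fix" "$branch" ||
       git cherry "$branch" "$fix" | grep -q "^- $fix"; then
        echo present; return 0
    fi
    git checkout -q "$branch"
    if git cherry-pick -x "$fix" >/dev/null 2>&1; then
        echo applied
    else
        git cherry-pick --abort   # leave the tree clean for a hand port
        echo conflict
    fi
}

commit() { git add -A && git commit -q -m "$1"; }

# Build upstream plus three device forks that split off before the fix landed.
build_demo() {
    cd "$(mktemp -d)" && git init -q . && git symbolic-ref HEAD refs/heads/upstream
    printf 'open archive\nread entries\nreturn entries\n' > verify.txt
    commit "base"
    for b in fork_done fork_missing fork_diverged; do git branch "$b"; done
    printf 'open archive\nread entries\ncheck entries\nreturn entries\n' > verify.txt
    commit "security fix"; FIX=$(git rev-parse HEAD)
    git checkout -q fork_done       # same change, committed independently
    printf 'open archive\nread entries\ncheck entries\nreturn entries\n' > verify.txt
    commit "fix picked up by hand earlier"
    git checkout -q fork_missing    # unrelated device change only
    echo 'device tweak' > device.txt; commit "device change"
    git checkout -q fork_diverged   # edited the same spot differently
    printf 'open archive\nread entries\ndevice hack\nreturn entries\n' > verify.txt
    commit "device hack"
}

build_demo
for b in fork_done fork_missing fork_diverged; do
    echo "$b: $(port_fix "$b" "$FIX")"
done
```

A patch-id match only catches a textually identical change. A fix that was reworked by hand for a diverged tree reports as missing and then as a conflict, which is the cue to port it manually.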
