ANDROID-8219321漏洞主要源自Android ZipFile函数漏洞:没有进行校验重名entry逻辑漏洞,逻辑漏洞细节详见Google+文章和Bluebox Security提报Android 绕过应用签名认证漏洞原理。
原代码:
for (int i = 0; i < numEntries; ++i) {
ZipEntry newEntry = new ZipEntry(hdrBuf, bin);
mEntries.put(newEntry.getName(), newEntry);
}
修补后:
for (int i = 0; i < numEntries; ++i) {
ZipEntry newEntry = new ZipEntry(hdrBuf, bin);
String entryName = newEntry.getName();
if (mEntries.put(entryName, newEntry) != null) {
throw new ZipException("Duplicate entry name: " + entryName);
}
}
重现步骤可参考文章ANDROID-8219321漏洞、POC及其他相关信息汇总。