Compliance Test Suite is one portion of the process OEMs use to certify
Android builds on shipping devices. I cannot think of any instance where
the average user would run the suite (which takes several hours to do and
is a fairly complicated process https://source.android.com/compatibility/cts-intro.html )
Even if someone is building Android at home, there is no reason to run CTS
on home builds. I’m not saying this file shouldn’t be…
Before trying to sweep this thing under the carpet, you might want to
ask yourself two simple questions:
Is this kind of file ever *intended* to be used as an executable script?
If the answer is “no”; then you should apply fixes.
And:
Which is more expensive? Spending a couple of hours to fix this now,
or having someone chain this together with another (unforeseeable)
bug enabling easy exploitation a few years down the road, allowing…
Its not clear to me where its been proven. I think your post is
missing some information, like the smoking gun. (It may exist, you
just didn’t make it clear).
If I am reading the check-in correctly, it does not look like its a
MitM. Checking the CN to ensure a hostname match should be OK. But I
should probably read a bit more about the DistinguishedNameParser.
However, it is a policy violation of both the IETF and CA/Browser
Forums. Both…
I disagree with Nick Kralevich’s response. An attacker who has the ability
to locally modify an XSL file should not be able to leverage this to
achieve code execution. This crosses a trust boundary.
As for why I didn’t report this to security () android com, when Google starts
paying corporate tax instead of dodging it, I will report issues privately.
CTS parses api-coverage.xsl without providing the FEATURE_SECURE_PROCESSING
option. See lines 60-67 of
cts/tools/cts-api-coverage/src/com/android/cts/apicoverage/HtmlReport.java:
Very interesting. What about AOSP (android open source project)? They merge
them to their branch? I think Cyanogenmod team monitors only google’s
branch and nothing more.