Posted by Lord Tuskington on Oct 19

The exploit is the same as for this issue:

http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

i.e.:

It parsed the entire subject distinguished name (DN)
for the occurrence of any <CN=> substring (regardles of field).

Therefore a DN of with a O field such as

O=”foo,CN=www.apache.org”

and a CN of “www.evil.org” and ordered such that the O appears prior to
the CN field would…

Posted by Lord Tuskington on Oct 19

I disagree with Nick Kralevich’s response. An attacker who has the ability
to locally modify an XSL file should not be able to leverage this to
achieve code execution. This crosses a trust boundary.

As for why I didn’t report this to security () android com, when Google starts
paying corporate tax instead of dodging it, I will report issues privately.

Lord Tuskington
Chief Financial Taxdodger
Google

On Sun, Oct 19, 2014 at 7:28 PM,…

Posted by Артур Истомин on Oct 19

Very interesting. What about AOSP (android open source project)? They merge
them to their branch? I think Cyanogenmod team monitors only google’s
branch and nothing more.

Posted by Lord Tuskington on Oct 19

CTS parses api-coverage.xsl without providing the FEATURE_SECURE_PROCESSING
option. See lines 60-67 of
cts/tools/cts-api-coverage/src/com/android/cts/apicoverage/HtmlReport.java:

InputStream xsl =
CtsApiCoverage.class.getResourceAsStream(“/api-coverage.xsl”);
StreamSource xslSource = new StreamSource(xsl);
TransformerFactory factory = TransformerFactory.newInstance();
Transformer transformer = factory.newTransformer(xslSource);…