14.1: October 2024 ASB picks

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-14.1/android_frameworks_base/405038.patch

@@ -0,0 +1,27 @@
+From 560e0b6265e67b7a1f5e63da097e27485ba65a8f Mon Sep 17 00:00:00 2001
+From: William Loh <wloh@google.com>
+Date: Mon, 3 Jun 2024 12:56:47 -0700
+Subject: [PATCH] Fail parseUri if end is missing
+
+Bug: 318683126
+Test: atest IntentTest
+Flag: EXEMPT bugfix
+Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
+---
+ core/java/android/content/Intent.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
+index 2142aae2ec74a..6c93c4651cec5 100644
+--- a/core/java/android/content/Intent.java
++++ b/core/java/android/content/Intent.java
+@@ -5112,6 +5112,9 @@ public static Intent parseUri(String uri, int flags) throws URISyntaxException {
+                 int eq = uri.indexOf('=', i);
+                 if (eq < 0) eq = i-1;
+                 int semi = uri.indexOf(';', i);
++                if (semi < 0) {
++                    throw new URISyntaxException(uri, "uri end not found");
++                }
+                 String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : "";
+ 
+                 // action

Patches/LineageOS-14.1/android_frameworks_base/405039.patch

@@ -0,0 +1,32 @@
+From 9fa4be80e24143b7b7a382659ccb260f129084c1 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Thu, 11 Jul 2024 12:39:22 -0700
+Subject: [PATCH] Update AccountManagerService checkKeyIntent.
+
+Block intents with "content" data scheme.
+
+Bug: 349780950
+Test: manual
+Flag: EXEMPT bugfix
+(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b43f4aebb065059d7bf9bffc31c7893fff5133a1)
+Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+---
+ .../com/android/server/accounts/AccountManagerService.java     | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 4804050c721f2..56e43b8025c87 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4220,6 +4220,9 @@ protected boolean checkKeyIntent(int authUid, Intent intent) {
+                 if (resolveInfo == null) {
+                     return false;
+                 }
++                if ("content".equals(intent.getScheme())) {
++                    return false;
++                }
+                 ActivityInfo targetActivityInfo = resolveInfo.activityInfo;
+                 int targetUid = targetActivityInfo.applicationInfo.uid;
+                 if (PackageManager.SIGNATURE_MATCH != pm.checkSignatures(authUid, targetUid)) {

Patches/LineageOS-14.1/android_libcore/405037.patch

@@ -0,0 +1,51 @@
+From 25bff2717051677d510eed49e5825123682ea19a Mon Sep 17 00:00:00 2001
+From: Almaz Mingaleev <mingaleev@google.com>
+Date: Wed, 10 Jul 2024 13:38:35 +0100
+Subject: [PATCH] Do not accept zip files with invalid headers.
+
+According to Section 4.3.6 in [1] non-empty zip file starts with
+local file header. 4.3.1 allows empty files, and in such case
+file starts with "end of central directory record".
+
+This aligns ZipFile with libziparchive modulo empty zip files -
+libziparchive rejects them.
+
+Tests are skipped because sc-dev branch uses ART module
+prebuilts, but builds tests from sources which leads to presubmit
+failures.
+
+Ignore-AOSP-First: b/309938635#comment1
+
+[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt
+
+Bug: 309938635
+Test: CtsLibcoreTestCases
+Test: CtsLibcoreOjTestCases
+Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b
+Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b
+---
+ ojluni/src/main/native/zip_util.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c
+index 5a2a0b8c538..1ce510e1d10 100644
+--- a/ojluni/src/main/native/zip_util.c
++++ b/ojluni/src/main/native/zip_util.c
+@@ -871,6 +871,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified,
+             zip->locsig = JNI_TRUE;
+         else
+             zip->locsig = JNI_FALSE;
++
++        // BEGIN Android-changed: do not accept files with invalid header.
++        if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) {
++            if (pmsg) {
++                *pmsg = strdup("Entry at offset zero has invalid LFH signature.");
++            }
++            ZFILE_Close(zfd);
++            freeZip(zip);
++            return NULL;
++        }
++        // END Android-changed: do not accept files with invalid header.
+     }
+ 
+     // This lseek is safe because it happens during construction of the ZipFile

Scripts/LineageOS-14.1/Patch.sh

@@ -82,7 +82,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-09 #XXX
+sed -i 's/2021-06-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-10 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -298,6 +298,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/393649.patch"; #n-asb-2024-06 A
 applyPatch "$DOS_PATCHES/android_frameworks_base/396611.patch"; #n-asb-2024-07 Verify UID of incoming Zygote connections.
 applyPatch "$DOS_PATCHES/android_frameworks_base/399269.patch"; #n-asb-2024-08 Restrict USB poups while setup is in progress
 applyPatch "$DOS_PATCHES/android_frameworks_base/400926.patch"; #n-asb-2024-09 Sanitized uri scheme by removing scheme delimiter
+applyPatch "$DOS_PATCHES/android_frameworks_base/405038.patch"; #n-asb-2024-10 Fail parseUri if end is missing
+applyPatch "$DOS_PATCHES/android_frameworks_base/405039.patch"; #n-asb-2024-10 Update AccountManagerService checkKeyIntent.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -412,6 +414,10 @@ if enterAndClear "hardware/qcom/media-caf/msm8994"; then
 applyPatch "$DOS_PATCHES/android_hardware_qcom_media/227622.patch"; #n_asb_09-2018-qcom (CAF)
 fi;
 
+if enterAndClear "libcore"; then
+applyPatch "$DOS_PATCHES/android_libcore/405037.patch"; #n-asb-2024-10 Do not accept zip files with invalid headers.
+fi;
+
 if enterAndClear "packages/apps/Bluetooth"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332451.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332452.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.