From 9d6662dee785a85558baaf4a96cbc1e31f680631 Mon Sep 17 00:00:00 2001 From: Tad Date: Fri, 7 Jul 2023 17:38:26 -0400 Subject: [PATCH] 15.1 July ASB work Signed-off-by: Tad --- .../android_external_freetype/360951.patch | 50 ++++++ .../360953-backport.patch | 146 ++++++++++++++++++ .../360954-backport.patch | 84 ++++++++++ .../360962-backport.patch | 99 ++++++++++++ .../android_system_bt/360969.patch | 45 ++++++ .../360898-backport.patch | 36 +++++ Scripts/LineageOS-15.1/Patch.sh | 11 +- 7 files changed, 470 insertions(+), 1 deletion(-) create mode 100644 Patches/LineageOS-15.1/android_external_freetype/360951.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/360953-backport.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/360954-backport.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/360962-backport.patch create mode 100644 Patches/LineageOS-15.1/android_system_bt/360969.patch create mode 100644 Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/360898-backport.patch diff --git a/Patches/LineageOS-15.1/android_external_freetype/360951.patch b/Patches/LineageOS-15.1/android_external_freetype/360951.patch new file mode 100644 index 00000000..642f901f --- /dev/null +++ b/Patches/LineageOS-15.1/android_external_freetype/360951.patch @@ -0,0 +1,50 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 19 Mar 2022 06:40:17 +0100 +Subject: [PATCH] DO NOT MERGE - Cherry-pick two upstream changes + +This cherry picks following two changes: + +0c2bdb01a2e1d24a3e592377a6d0822856e10df2 +22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 + +Bug: 271680254 +Test: N/A +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ffa271ab538f57b65a65d434a2df9d3f8cd2f4a) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0f8930701bf19229075cc930ad15813ff5fb07b) +Merged-In: I42469df8e8b07221d64e3f8574c4f30110dbda7e +Change-Id: I42469df8e8b07221d64e3f8574c4f30110dbda7e +--- + src/base/ftobjs.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c +index 59d65e2a6..54aa8230d 100644 +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -2176,6 +2176,15 @@ + #endif + + ++ /* only use lower 31 bits together with sign bit */ ++ if ( face_index > 0 ) ++ face_index &= 0x7FFFFFFFL; ++ else ++ { ++ face_index &= 0x7FFFFFFFL; ++ face_index = -face_index; ++ } ++ + #ifdef FT_DEBUG_LEVEL_TRACE + FT_TRACE3(( "FT_Open_Face: " )); + if ( face_index < 0 ) +@@ -3041,6 +3050,9 @@ + if ( !face ) + return FT_THROW( Invalid_Face_Handle ); + ++ if ( !face->size ) ++ return FT_THROW( Invalid_Size_Handle ); ++ + if ( !req || req->width < 0 || req->height < 0 || + req->type >= FT_SIZE_REQUEST_TYPE_MAX ) + return FT_THROW( Invalid_Argument ); diff --git a/Patches/LineageOS-15.1/android_frameworks_base/360953-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/360953-backport.patch new file mode 100644 index 00000000..4cab8de9 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/360953-backport.patch @@ -0,0 +1,146 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lucas Lin +Date: Fri, 3 Mar 2023 08:13:50 +0000 +Subject: [PATCH] Sanitize VPN label to prevent HTML injection + +This commit will try to sanitize the content of VpnDialog. This +commit creates a function which will try to sanitize the VPN +label, if the sanitized VPN label is different from the original +one, which means the VPN label might contain HTML tag or the VPN +label violates the words restriction(may contain some wording +which will mislead the user). For this kind of case, show the +package name instead of the VPN label to prevent misleading the +user. + +The malicious VPN app might be able to add a large number of line +breaks with HTML in order to hide the system-displayed text from +the user in the connection request dialog. Thus, sanitizing the +content of the dialog is needed. + +Bug: 204554636 +Test: N/A +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab) +Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d +Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d +--- + packages/VpnDialogs/res/values/strings.xml | 29 ++++++++++ + .../com/android/vpndialogs/ConfirmDialog.java | 53 +++++++++++++++++-- + 2 files changed, 77 insertions(+), 5 deletions(-) + +diff --git a/packages/VpnDialogs/res/values/strings.xml b/packages/VpnDialogs/res/values/strings.xml +index 406bcc34a101..7389f765c717 100644 +--- a/packages/VpnDialogs/res/values/strings.xml ++++ b/packages/VpnDialogs/res/values/strings.xml +@@ -50,4 +50,33 @@ + %1$s bytes / + %2$s packets + ++ ++ ++ ++ %1$s… ( ++ %2$s) ++ ++ ++ ++ ++ %1$s ( ++ %2$s) ++ + +diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java +index 09339743db5c..43d18df3a10d 100644 +--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java ++++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java +@@ -42,10 +42,52 @@ public class ConfirmDialog extends AlertActivity + implements DialogInterface.OnClickListener, ImageGetter { + private static final String TAG = "VpnConfirm"; + ++ // Usually the label represents the app name, 150 code points might be enough to display the app ++ // name, and 150 code points won't cover the warning message from VpnDialog. ++ static final int MAX_VPN_LABEL_LENGTH = 150; ++ + private String mPackage; + + private IConnectivityManager mService; + ++ private View mView; ++ ++ /** ++ * This function will use the string resource to combine the VPN label and the package name. ++ * ++ * If the VPN label violates the length restriction, the first 30 code points of VPN label and ++ * the package name will be returned. Or return the VPN label and the package name directly if ++ * the VPN label doesn't violate the length restriction. ++ * ++ * The result will be something like, ++ * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app) ++ * if the VPN label violates the length restriction. ++ * or ++ * - VpnLabelWith<br>HtmlTag (com.vpn.app) ++ * if the VPN label doesn't violate the length restriction. ++ * ++ */ ++ private String getSimplifiedLabel(String vpnLabel, String packageName) { ++ if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) { ++ return getString(R.string.sanitized_vpn_label_with_ellipsis, ++ vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)), ++ packageName); ++ } ++ ++ return getString(R.string.sanitized_vpn_label, vpnLabel, packageName); ++ } ++ ++ protected String getSanitizedVpnLabel(String vpnLabel, String packageName) { ++ final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel); ++ final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0, ++ sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH; ++ if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) { ++ return getSimplifiedLabel(sanitizedVpnLabel, packageName); ++ } ++ ++ return sanitizedVpnLabel; ++ } ++ + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); +@@ -68,15 +110,16 @@ public class ConfirmDialog extends AlertActivity + finish(); + return; + } +- View view = View.inflate(this, R.layout.confirm, null); +- ((TextView) view.findViewById(R.id.warning)).setText( +- Html.fromHtml(getString(R.string.warning, getVpnLabel()), +- this, null /* tagHandler */)); ++ mView = View.inflate(this, R.layout.confirm, null); ++ ((TextView) mView.findViewById(R.id.warning)).setText( ++ Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel( ++ getVpnLabel().toString(), mPackage)), ++ this /* imageGetter */, null /* tagHandler */)); + mAlertParams.mTitle = getText(R.string.prompt); + mAlertParams.mPositiveButtonText = getText(android.R.string.ok); + mAlertParams.mPositiveButtonListener = this; + mAlertParams.mNegativeButtonText = getText(android.R.string.cancel); +- mAlertParams.mView = view; ++ mAlertParams.mView = mView; + setupAlert(); + + getWindow().setCloseOnTouchOutside(false); diff --git a/Patches/LineageOS-15.1/android_frameworks_base/360954-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/360954-backport.patch new file mode 100644 index 00000000..d0412ac9 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/360954-backport.patch @@ -0,0 +1,84 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Groover +Date: Fri, 31 Mar 2023 21:31:22 +0000 +Subject: [PATCH] Limit the number of supported v1 and v2 signers + +The v1 and v2 APK Signature Schemes support multiple signers; this +was intended to allow multiple entities to sign an APK. Previously, +the platform had no limits placed on the number of signers supported +in an APK, but this commit sets a hard limit of 10 supported signers +for these signature schemes to ensure a large number of signers +does not place undue burden on the platform. + +Bug: 266580022 +Test: Manually verified the platform only allowed an APK with the + maximum number of supported signers. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597) +Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091 +Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091 +--- + .../util/apk/ApkSignatureSchemeV2Verifier.java | 10 ++++++++++ + core/java/android/util/jar/StrictJarVerifier.java | 11 +++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java +index 0216a0752a9c..01cc065e6800 100644 +--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java ++++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java +@@ -219,6 +219,11 @@ public class ApkSignatureSchemeV2Verifier { + } + while (signers.hasRemaining()) { + signerCount++; ++ if (signerCount > MAX_V2_SIGNERS) { ++ throw new SecurityException( ++ "APK Signature Scheme v2 only supports a maximum of " + MAX_V2_SIGNERS ++ + " signers"); ++ } + try { + ByteBuffer signer = getLengthPrefixedSlice(signers); + X509Certificate[] certs = verifySigner(signer, contentDigests, certFactory); +@@ -855,6 +860,11 @@ public class ApkSignatureSchemeV2Verifier { + + private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871a; + ++ /** ++ * The maximum number of signers supported by the v2 APK signature scheme. ++ */ ++ private static final int MAX_V2_SIGNERS = 10; ++ + private static Pair findApkSigningBlock( + RandomAccessFile apk, long centralDirOffset) + throws IOException, SignatureNotFoundException { +diff --git a/core/java/android/util/jar/StrictJarVerifier.java b/core/java/android/util/jar/StrictJarVerifier.java +index debc170fa537..fba2e0e5bc1a 100644 +--- a/core/java/android/util/jar/StrictJarVerifier.java ++++ b/core/java/android/util/jar/StrictJarVerifier.java +@@ -66,6 +66,11 @@ class StrictJarVerifier { + "SHA1", + }; + ++ /** ++ * The maximum number of signers supported by the JAR signature scheme. ++ */ ++ private static final int MAX_JAR_SIGNERS = 10; ++ + private final String jarName; + private final StrictJarManifest manifest; + private final HashMap metaEntries; +@@ -281,10 +286,16 @@ class StrictJarVerifier { + return false; + } + ++ int signerCount = 0; + Iterator it = metaEntries.keySet().iterator(); + while (it.hasNext()) { + String key = it.next(); + if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) { ++ if (++signerCount > MAX_JAR_SIGNERS) { ++ throw new SecurityException( ++ "APK Signature Scheme v1 only supports a maximum of " + MAX_JAR_SIGNERS ++ + " signers"); ++ } + verifyCertificate(key); + it.remove(); + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/360962-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/360962-backport.patch new file mode 100644 index 00000000..871d2489 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/360962-backport.patch @@ -0,0 +1,99 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A1s=20Kurucz?= +Date: Fri, 21 Apr 2023 09:45:07 +0000 +Subject: [PATCH] Truncate ShortcutInfo Id + +Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput. +This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior. + +Fixes: 273729476 +Test: atest ShortcutManagerTest2 +Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f31df6234091b5b1de258a01dd4b2d8e5415ee2e) +Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5 +Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5 +--- + .../java/android/content/pm/ShortcutInfo.java | 20 ++++++++++++++++--- + .../server/pm/ShortcutManagerTest2.java | 10 ++++++++++ + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/content/pm/ShortcutInfo.java b/core/java/android/content/pm/ShortcutInfo.java +index d3a3560c7229..7629b0d7f0d9 100644 +--- a/core/java/android/content/pm/ShortcutInfo.java ++++ b/core/java/android/content/pm/ShortcutInfo.java +@@ -144,6 +144,12 @@ public final class ShortcutInfo implements Parcelable { + public static final int CLONE_REMOVE_FOR_LAUNCHER_APPROVAL = CLONE_REMOVE_INTENT + | CLONE_REMOVE_RES_NAMES; + ++ /** ++ * The maximum length of Shortcut ID. IDs will be truncated at this limit. ++ * @hide ++ */ ++ public static final int MAX_ID_LENGTH = 1000; ++ + /** @hide */ + @IntDef(flag = true, + value = { +@@ -242,8 +248,7 @@ public final class ShortcutInfo implements Parcelable { + + private ShortcutInfo(Builder b) { + mUserId = b.mContext.getUserId(); +- +- mId = Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided"); ++ mId = getSafeId(Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided")); + + // Note we can't do other null checks here because SM.updateShortcuts() takes partial + // information. +@@ -325,6 +330,14 @@ public final class ShortcutInfo implements Parcelable { + return ret; + } + ++ @NonNull ++ private static String getSafeId(@NonNull String id) { ++ if (id.length() > MAX_ID_LENGTH) { ++ return id.substring(0, MAX_ID_LENGTH); ++ } ++ return id; ++ } ++ + /** + * Throws if any of the mandatory fields is not set. + * +@@ -1662,7 +1675,8 @@ public final class ShortcutInfo implements Parcelable { + final ClassLoader cl = getClass().getClassLoader(); + + mUserId = source.readInt(); +- mId = source.readString(); ++ mId = getSafeId(Preconditions.checkStringNotEmpty(source.readString(), ++ "Shortcut ID must be provided")); + mPackageName = source.readString(); + mActivity = source.readParcelable(cl); + mFlags = source.readInt(); +diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java +index 3220ea960f5d..30c82350f45c 100644 +--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java ++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java +@@ -53,6 +53,7 @@ import java.io.IOException; + import java.io.PrintWriter; + import java.io.StringWriter; + import java.io.Writer; ++import java.util.Collections; + import java.util.Locale; + + /** +@@ -223,6 +224,15 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest { + }); + } + ++ public void testShortcutIdTruncated() { ++ ShortcutInfo si = new ShortcutInfo.Builder(getTestContext(), ++ String.join("", Collections.nCopies(Short.MAX_VALUE, "s"))).build(); ++ ++ assertTrue( ++ "id must be truncated to MAX_ID_LENGTH", ++ si.getId().length() <= ShortcutInfo.MAX_ID_LENGTH); ++ } ++ + public void testShortcutInfoParcel() { + setCaller(CALLING_PACKAGE_1, USER_10); + ShortcutInfo si = parceled(new ShortcutInfo.Builder(mClientContext) diff --git a/Patches/LineageOS-15.1/android_system_bt/360969.patch b/Patches/LineageOS-15.1/android_system_bt/360969.patch new file mode 100644 index 00000000..654c0a27 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/360969.patch @@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: tyiu +Date: Tue, 28 Mar 2023 18:40:51 +0000 +Subject: [PATCH] Fix gatt_end_operation buffer overflow + +Added boundary check for gatt_end_operation to prevent writing out of +boundary. + +Since response of the GATT server is handled in +gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum +lenth that can be passed into the handlers is bounded by +GATT_MAX_MTU_SIZE, which is set to 517, which is greater than +GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec +that gaurentees MTU response to be less than or equal to 512 bytes can +cause a buffer overflow when performing memcpy without length check. + +Bug: 261068592 +Test: No test since not affecting behavior +Tag: #security +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200) +Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 +Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 +--- + stack/gatt/gatt_utils.cc | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/stack/gatt/gatt_utils.cc b/stack/gatt/gatt_utils.cc +index e7cc76286..084b13c2e 100644 +--- a/stack/gatt/gatt_utils.cc ++++ b/stack/gatt/gatt_utils.cc +@@ -1326,6 +1326,13 @@ void gatt_end_operation(tGATT_CLCB* p_clcb, tGATT_STATUS status, void* p_data) { + cb_data.att_value.handle = p_clcb->s_handle; + cb_data.att_value.len = p_clcb->counter; + ++ if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) { ++ LOG(WARNING) << __func__ ++ << StringPrintf(" Large cb_data.att_value, size=%d", ++ cb_data.att_value.len); ++ cb_data.att_value.len = GATT_MAX_ATTR_LEN; ++ } ++ + if (p_data && p_clcb->counter) + memcpy(cb_data.att_value.value, p_data, cb_data.att_value.len); + } diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/360898-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/360898-backport.patch new file mode 100644 index 00000000..f644534d --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/360898-backport.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 2 May 2023 14:20:57 -0700 +Subject: [PATCH] OOBW in rw_i93_send_to_upper() + +Bug: 271849189 +Test: tag r/w +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8) +Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1 +Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1 + +Change-Id: I9cd9658bf50144092c1cf196fd9272ffbac2fc55 +--- + src/nfc/tags/rw_i93.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c +index fbe09fcf..9cc0429a 100644 +--- a/src/nfc/tags/rw_i93.c ++++ b/src/nfc/tags/rw_i93.c +@@ -398,6 +398,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) { + case I93_CMD_READ_MULTI_BLOCK: + case I93_CMD_GET_MULTI_BLK_SEC: + ++ if (UINT16_MAX - length < NFC_HDR_SIZE) { ++ rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED; ++ rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd; ++ rw_cb.tcb.i93.sent_cmd = 0; ++ ++ event = RW_I93_CMD_CMPL_EVT; ++ break; ++ } ++ + /* forward tag data or security status */ + p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE)); + diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 32cead14..d8fb2e9e 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS) sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2021-10-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #XXX +sed -i 's/2021-10-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #XXX fi; if enterAndClear "build/soong"; then @@ -108,6 +108,10 @@ applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2 applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649) fi; +if enterAndClear "external/freetype"; then +applyPatch "$DOS_PATCHES/android_external_freetype/360951.patch"; #R_asb_2023-07 Cherry-pick two upstream changes +fi; + #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then #if enterAndClear "external/hardened_malloc"; then #git revert --no-edit 3d18fb80742fd80a75481b580d102deb18c74af9; #compile fix @@ -185,6 +189,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/355767.patch"; #R_asb_2023-05 E applyPatch "$DOS_PATCHES/android_frameworks_base/358560-backport.patch"; #R_asb_2023-06 Check key intent for selectors and prohibited flags applyPatch "$DOS_PATCHES/android_frameworks_base/358561-backport.patch"; #R_asb_2023-06 Handle invalid data during job loading. applyPatch "$DOS_PATCHES/android_frameworks_base/358732-backport.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi +applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection +applyPatch "$DOS_PATCHES/android_frameworks_base/360954-backport.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers +applyPatch "$DOS_PATCHES/android_frameworks_base/360962-backport.patch"; #R_asb_2023-07 Truncate ShortcutInfo Id applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS) @@ -416,6 +423,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/354247.patch"; #P_asb_2023-04 Fix an applyPatch "$DOS_PATCHES/android_system_bt/358580.patch"; #R_asb_2023-06 Prevent use-after-free of HID reports applyPatch "$DOS_PATCHES/android_system_bt/358581-backport.patch"; #R_asb_2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq"" applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)"" +applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow fi; if enterAndClear "system/ca-certificates"; then @@ -454,6 +462,7 @@ applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/33245 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req() applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked() applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/353760-backport.patch"; #n-asb-2023-04 OOBW in nci_snd_set_routing_cmd() +applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/360898-backport.patch"; #n-asb-2023-07 OOBW in rw_i93_send_to_upper() fi; if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then #keep in sync with packages/apps/Nfc