
Related to CVE-2023-21036 "aCropalypse"

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21036

Pixel Update Bulletin—March 2023

CVE: CVE-2023-21036
References: A-264261868
Type: ID (Information disclosure)
Severity: High
Subcomponent: Markup

Technical information

Direct cause

Undocumented behavior change in Android 10: mode "w" no longer truncates

There's an undocumented (as far as I can tell) behavior change in Android 10 when using mode "w" with ParcelFileDescriptor.parseMode.

Android 9 and below
Using mode "w" and writing to a file that already exists truncates the file, completely overwriting it.

Android 10 and above
Using mode "w" and writing to a file that already exists no longer truncates the file being overwritten. This can result in a corrupt file if the new file is smaller than the old file.
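
The effect described above, as an added example that is not part of the bulletin or the quoted report: a smaller PNG is written over a larger one with and without truncation, and a check counts the bytes left after the first IEND chunk, which is how an affected file can be flagged. It assumes the two behaviours can be modelled with POSIX open flags (`O_TRUNC` present or absent); the sample images and the names `make_png`, `overwrite` and `trailing_bytes` are constructed for this sketch.

```python
import os, struct, tempfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(width: int, height: int) -> bytes:
    """Constructed 8-bit grayscale PNG (sample data); level 0 keeps size proportional to area."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(width) for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw, 0)) + chunk(b"IEND", b"")

def overwrite(path: str, data: bytes, truncate: bool) -> None:
    # Assumption: truncate=True models the old "w" behaviour, truncate=False the new one.
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if truncate else 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def trailing_bytes(path: str) -> int:
    """Return the number of bytes after the first IEND chunk; raise if the file is not a PNG."""
    with open(path, "rb") as f:
        blob = f.read()
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length          # length field + type + data + CRC
        if ctype == b"IEND":
            return len(blob) - pos
    raise ValueError("no IEND chunk")

def demo():
    """Overwrite a large PNG with a small one under both behaviours."""
    original, cropped = make_png(64, 64), make_png(8, 8)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for truncate in (True, False):
            path = os.path.join(d, f"shot_{truncate}.png")
            overwrite(path, original, truncate=True)      # first save
            overwrite(path, cropped, truncate=truncate)   # save after cropping
            results[truncate] = trailing_bytes(path)
    return results, len(original) - len(cropped)
```

A non-zero result from `trailing_bytes` means the file still carries bytes of the previous, larger image after its IEND chunk. On Android, `ParcelFileDescriptor.parseMode` accepts `"wt"` for write-and-truncate.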

Technical demo
