From: Marcel Kinard
Date: Mon, 11 Aug 2014 18:09:59 -0400
Subject: Apache Cordova 3.5.1: CVE-2014-3502 update
To: dev@cordova.apache.org, security@apache.org, oss-security@lists.openwall.com, bugtraq@securityfocus.com

The following text is amended from the original that was sent on August 4th. More background information on this amendment can be found at http://cordova.apache.org/announcements/2014/08/06/android-351-update.html

Android Platform Release: 04 Aug 2014

CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network.

The latest release of Cordova Android takes steps to block explicit Android intent URLs, so that they can no longer be used to start arbitrary applications on the device.

Implicit intents, including URLs with schemes such as "tel", "geo", and "sms" can still be used to open external applications by default, but this behaviour can be overridden by plugins.

Upgrade path:
Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.
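
The distinction the advisory draws between explicit intent URLs and implicit schemes can be checked in an app's bundled HTML before rebuilding. The script below is an added example, not part of the original message and not Cordova's own code; the function names, the policy sets and the sample markup are assumptions made for illustration.

```javascript
// Added illustration, not Cordova's code. The policy sets are assumptions.
const IMPLICIT_SCHEMES = new Set(['tel', 'geo', 'sms']);        // named in the advisory
const IN_WEBVIEW_SCHEMES = new Set(['http', 'https', 'file']);  // assumed app content

function schemeOf(url) {
  // URL parsers ignore case and drop tab/newline characters, so normalise first.
  const cleaned = String(url).replace(/[\t\r\n]/g, '').trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative URL, stays in the app
}

function classifyNavigation(url) {
  const scheme = schemeOf(url);
  if (scheme === null || IN_WEBVIEW_SCHEMES.has(scheme)) return 'in-webview';
  if (scheme === 'intent') return 'explicit-intent';            // blocked by 3.5.1
  if (IMPLICIT_SCHEMES.has(scheme)) return 'implicit-external'; // still allowed by default
  return 'unknown-scheme';                                      // review by hand
}

function auditHtml(html) {
  const findings = [];
  // Quoted and unquoted attribute values that can carry a navigation target.
  const attr = /\b(href|src|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const url = m[2] ?? m[3] ?? m[4];
    const verdict = classifyNavigation(url);
    if (verdict !== 'in-webview') {
      findings.push({ attribute: m[1].toLowerCase(), url, verdict });
    }
  }
  return findings;
}

// Constructed sample markup; every URL here is a placeholder.
const SAMPLE_HTML = `
<a href="help.html">Help</a>
<a href="https://example.org/docs">Docs</a>
<a href="tel:+15555550100">Call support</a>
<a href='INTENT://placeholder#Intent;end'>Open</a>
<a href=customapp://settings>Settings</a>
`;

for (const f of auditHtml(SAMPLE_HTML)) {
  console.log(`${f.verdict}\t${f.attribute}=${f.url}`);
}
```

This is a static check of markup only: it does not see URLs that script assigns to the document location at run time, which the advisory also names as a route.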