Isn't this the public bug tracker? https://bugzilla.xamarin.com/describecomponents.cgi?product=Android
Though, correct that case id doesn't map to anything there. -Tim Strazzere On Tue, May 19, 2015 at 2:32 PM, ValdikSS <i...@valdikss.org.ru> wrote: > They don't have public bugtracker. Case ID is 140518. > > On 05/20/2015 12:29 AM, Tim wrote: > > Thanks for posting this to FD, these didn't even include it in their > release notes; > > > > > http://developer.xamarin.com/releases/android/xamarin.android_5/xamarin.android_5.1/ > > > > Was there a bug reported in bugzilla to link back too? > > > > -Tim Strazzere > > > > On Tue, May 19, 2015 at 6:49 AM, ValdikSS <i...@valdikss.org.ru > <mailto:i...@valdikss.org.ru> <i...@valdikss.org.ru>> wrote: > > > > > > Xamarin for Android prior to version 5.1 allows to replace internal DLL > files inside the APK with files on SD card which are not in a secure > storage. > Malicious application without any special permissions could drop > backdoored DLL files into > > /storage/sdcard0/Android/data/app_id/files/.__override__/ > > and the victim application would use files from SD. > Not just the main application library could be hijacked, but also > Xamarin's System.dll and Mono.Android.dll, which are shipped in all Xamarin > for Android > applications. > > Developers should rebuild their applications using Xamarin for Android 5.1 > or newer in the release mode. > > This vulnerability was found by accident, which allowed me to eat for free > for a month. > > Timeline: > 03.04.2015 Vulnerability is found > 07.04.2015 Message sent to Xamarin > 08.04.2015 Xamarin acknowledged the vulnerability > 29.04.2015 Fixed stable version released > > > > > > > _______________________________________________ > > Sent through the Full Disclosure mailing list > > https://nmap.org/mailman/listinfo/fulldisclosure > > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > > > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
