APK unchecked name

CVE numbers: ANDROID-9950697 [citation-needed]
Coordinated disclosure?: false
Categories: signature
Details: APK signature verification does not check name lengths correctly, creating a difference between how the zip files are verified compared with how they are extracted which allows files in an existing APK to be replaced with new files. [saurik-19] Exploited by RockMyMoto [androidpolice-rockmymoto]
Discovered by: Jay Freeman (saurik) [saurik-19], Elliott Hughes enh@google.com [android-issue-57851] on: 2013-06-30 [saurik-19]
Reported on: 2013-11-01 [saurik-19], 2013-11-01 [CydiaImpactor-396439244782067713]
Fixed on: 2013-07-21 [patch-unchecked-name]
Fix released on: Unknown
Affected versions: 4.3 and earlier [citation-needed] regex: ([1-3].[0-9].[0-9])|(4.[0-3].[0-9])
Affected devices: all [citation-needed]
Affected manufacturers: all [citation-needed]
Fixed versions: 4.4 [patch-unchecked-name]
Submission: by: Daniel R. Thomas, on: 2013-11-14

AndroidVulnerabilities.org