{
  "name" : "APK unsigned shorts",
  "CVE" : [["ANDROID-9695860"]],
  "Coordinated_disclosure" : "true",
  "Categories" : ["signature"],
  "Details" : [["File offsets in zips are supposed to be unsigned but were interpreted as signed allowing different content to be verified from the content executed."]],
  "Discovered_by" : [],
  "Discovered_on" : [],
  "Submission" : [{"by":"drt24", "on":"2013-09-04"}],
  "Reported_on" : [["2013-07-10","sina-shorts"],["2013-07-10","ard-police-shorts"]],
  "Fixed_on" : [["2013-07-03","patch-unsigned-shorts"]],
  "Fix_released_on" : [["2013-07-24","verge-android-4.3"]],
  "Affected_versions" : [["1.6-4.2"]],
  "Affected_devices" : [["all"]],
  "Affected_versions_regexp" : ["([1-3]\\.[0-9]\\.[0-9])|(4\\.[0-2]\\.[0-9])"],
  "Affected_manufacturers" : [["all"]],
  "Fixed_versions" : [["4.3_r1","patch-unsigned-shorts"]],
  "references" : {
    "sina-shorts" : {
      "url" : "http://blog.sina.com.cn/s/blog_be6dacae0101bksm.html"
    },
    "ard-police-shorts" : {
      "url" : "http://www.androidpolice.com/2013/07/11/second-all-access-apk-exploit-is-revealed-just-two-days-after-master-key-goes-public-already-patched-by-google/"
    },
    "patch-unsigned-shorts" : {
      "url" : "https://android.googlesource.com/platform/libcore/+/9edf43dfcc35c761d97eb9156ac4254152ddbc55",
      "component" : "platform/libcore",
      "commit" : ["9edf43dfcc35c761d97eb9156ac4254152ddbc55","15a93894f19b27f3d85b8e3c3de8cff8a33964d3"]
    },
    "verge-android-4.3" : {
      "url" : "http://www.theverge.com/2013/7/24/4550234/android-4-3-announcement"
    }
  },
  "Surface": ["local", "app"],
  "Vector": ["insufficient-standards-verification"],
  "Target": ["apps"],
  "Channel": ["app-execution"],
  "Condition": ["affected-app-installed"],
  "Privilege": ["system", "modify-apps"]
}