Fix Talkback Shortcut Vulnerability

The way the talkback component was selected was vulnerable. Now the system verifies that the talkback component is provided by the system. Bug: 339609745 Change-Id: Iabadb129807b0ac02aa2e9ac1580ac0f212930ef Test: manual - tested that the talkback service is still available Flag: No Flags: Security High/Critical Severity CVEs
author: Idriss Juhoor <idriss@google.com> 2024-06-03 08:05:30 +0000
committer: Idriss Juhoor <idriss@google.com> 2024-06-03 08:05:30 +0000
commit: 1d1cef15c61d9b902cc26922212695afd233b718 (patch)
tree: e374ad007e5e7d1c6bda960172a143556ec898e3
parent: 9ec62d0b50fb29b6c823cb9ccfbb96879939eec6 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/policy/TalkbackShortcutController.java b/services/core/java/com/android/server/policy/TalkbackShortcutController.java
index b05a421e6e87..e544ae64521c 100644
--- a/services/core/java/com/android/server/policy/TalkbackShortcutController.java
+++ b/services/core/java/com/android/server/policy/TalkbackShortcutController.java
@@ -117,6 +117,7 @@ class TalkbackShortcutController {
     }
 
     private boolean isTalkback(ServiceInfo info) {
-        return TALKBACK_LABEL.equals(info.loadLabel(mPackageManager).toString());
+        return TALKBACK_LABEL.equals(info.loadLabel(mPackageManager).toString())
+            && (info.applicationInfo.isSystemApp() || info.applicationInfo.isUpdatedSystemApp());
     }
 }
author	Idriss Juhoor <idriss@google.com>	2024-06-03 08:05:30 +0000
committer	Idriss Juhoor <idriss@google.com>	2024-06-03 08:05:30 +0000
commit	1d1cef15c61d9b902cc26922212695afd233b718 (patch)
tree	e374ad007e5e7d1c6bda960172a143556ec898e3
parent	9ec62d0b50fb29b6c823cb9ccfbb96879939eec6 (diff)