page.title=Nexus Security Bulletin - August 2015
@jd:body

<!--
Copyright 2015 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p><em>Published August 13, 2015</em></p>

<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process.
The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48I or later address these issues. Partners were notified about these
issues on June 25, 2015 or earlier.</p>

<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods
such as email, web browsing, and MMS when processing media files.</p>

<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2>

<p>The table below contains a list of security vulnerabilities, the Common
Vulnerabilities and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
affected device, assuming the platform and service mitigations are disabled for
development purposes or if successfully bypassed.
</p>
<table>
<tr>
<th>Issue</th>
<th>CVE</th>
<th>Severity</th>
</tr>
<tr>
<td>Integer overflows during MP4 atom processing</td>
<td>CVE-2015-1538</td>
<td>Critical</td>
</tr>
<tr>
<td>An integer underflow in ESDS processing</td>
<td>CVE-2015-1539</td>
<td>Critical</td>
</tr>
<tr>
<td>Integer overflow in libstagefright when parsing the MPEG4 tx3g atom</td>
<td>CVE-2015-3824</td>
<td>Critical</td>
</tr>
<tr>
<td>Integer underflow in libstagefright when processing MPEG4 covr atoms</td>
<td>CVE-2015-3827</td>
<td>Critical</td>
</tr>
<tr>
<td>Integer underflow in libstagefright if size is below 6 while processing 3GPP
metadata</td>
<td>CVE-2015-3828</td>
<td>Critical</td>
</tr>
<tr>
<td>Integer overflow in libstagefright processing MPEG4 covr atoms when
chunk_data_size is SIZE_MAX</td>
<td>CVE-2015-3829</td>
<td>Critical</td>
</tr>
<tr>
<td>Buffer overflow in Sonivox Parse_wave</td>
<td>CVE-2015-3836</td>
<td>Critical</td>
</tr>
<tr>
<td>Buffer overflows in libstagefright MPEG4Extractor.cpp</td>
<td>CVE-2015-3832</td>
<td>Critical</td>
</tr>
<tr>
<td>Buffer overflow in mediaserver BpMediaHTTPConnection</td>
<td>CVE-2015-3831</td>
<td>High</td>
</tr>
<tr>
<td>Vulnerability in libpng: Overflow in png_Read_IDAT_data</td>
<td>CVE-2015-0973</td>
<td>High</td>
</tr>
<tr>
<td>Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</td>
<td>CVE-2015-1863</td>
<td>High</td>
</tr>
<tr>
<td>Memory Corruption in OpenSSLX509Certificate Deserialization</td>
<td>CVE-2015-3837</td>
<td>High</td>
</tr>
<tr>
<td>Buffer overflow in mediaserver BnHDCP</td>
<td>CVE-2015-3834</td>
<td>High</td>
</tr>
<tr>
<td>Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</td>
<td>CVE-2015-3835</td>
<td>High</td>
</tr>
<tr>
<td>Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()</td>
<td>CVE-2015-3842</td>
<td>High</td>
</tr>
<tr>
<td>Applications can intercept or emulate SIM commands to Telephony</td>
<td>CVE-2015-3843</td>
<td>High</td>
</tr>
<tr>
<td>Vulnerability in Bitmap unmarshalling</td>
<td>CVE-2015-1536</td>
<td>Moderate</td>
</tr>
<tr>
<td>AppWidgetServiceImpl can create IntentSender with system privileges</td>
<td>CVE-2015-1541</td>
<td>Moderate</td>
</tr>
<tr>
<td>Mitigation bypass of restrictions on getRecentTasks()</td>
<td>CVE-2015-3833</td>
<td>Moderate</td>
</tr>
<tr>
<td>ActivityManagerService.getProcessRecordLocked() may load a system UID
application into the wrong process</td>
<td>CVE-2015-3844</td>
<td>Moderate</td>
</tr>
<tr>
<td>Unbounded buffer read in libstagefright while parsing 3GPP metadata</td>
<td>CVE-2015-3826</td>
<td>Low</td>
</tr>
</table>

<h2 id=mitigations>Mitigations</h2>

<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
likelihood that security vulnerabilities can be successfully exploited on
Android.</p>

<ul>
<li> Exploitation for many issues on Android is made more difficult by enhancements
in newer versions of the Android platform. We encourage all users to update to
the latest version of Android where possible.
<li> The Android Security team is actively monitoring for abuse with Verify Apps and
SafetyNet which will warn about potentially harmful applications about to be
installed. Device rooting tools are prohibited within Google Play.
To protect
users who install applications from outside of Google Play, Verify Apps is
enabled by default and will warn users about known rooting applications. Verify
Apps attempts to identify and block installation of known malicious
applications that exploit a privilege escalation vulnerability. If such an
application has already been installed, Verify Apps will notify the user and
attempt to remove any such applications.
<li> As appropriate, Google has updated the Hangouts and Messenger applications so
that media is not automatically passed to vulnerable processes (such as
mediaserver).
</ul>

<h2 id=acknowledgements>Acknowledgements</h2>

<p>We would like to thank these researchers for their contributions:</p>

<ul>
<li> Joshua Drake: CVE-2015-1538, CVE-2015-3826
<li> Ben Hawkes: CVE-2015-3836
<li> Alexandru Blanda: CVE-2015-3832
<li> Micha Bednarski: CVE-2015-3831, CVE-2015-3844, CVE-2015-1541
<li> Alex Copot: CVE-2015-1536
<li> Alex Eubanks: CVE-2015-0973
<li> Roee Hay and Or Peles: CVE-2015-3837
<li> Guang Gong: CVE-2015-3834
<li> Gal Beniamini: CVE-2015-3835
<li> Wish Wu*: CVE-2015-3842
<li> Artem Chaykin: CVE-2015-3843
</ul>

<p>*Wish is also our very first <a href="https://www.google.com/about/appsecurity/android-rewards/">Android Security Rewards</a> recipient!</p>

<h3 id=integer_overflows_during_mp4_atom_processing>Integer overflows during MP4 atom processing</h3>

<p>There are several potential integer overflows in libstagefright that could
occur during MP4 atom processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is
rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1538</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d">ANDROID-20139950</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398">2</a>]</td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=an_integer_underflow_in_esds_processing>An integer underflow in ESDS processing</h3>

<p>There is a potential integer underflow in libstagefright that could occur
during ESDS atom processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access.
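The libstagefright entries in this bulletin (the MP4 atom and ESDS issues above, and the tx3g, covr and 3GPP metadata issues that follow) are integer overflows and underflows in size arithmetic on values read from atom headers, including a covr chunk_data_size of SIZE_MAX and a 3GPP metadata size smaller than its own fixed fields. The C program below is an added example, not libstagefright's code: a minimal MP4 atom-header parser that rejects a declared size smaller than the header or larger than the remaining data before any length arithmetic uses it. The atom_header struct, parse_atom_header, count_atoms, first_payload_len and the SAMPLE_* buffers are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One parsed MP4/3GPP atom ("box") header. Constructed for this example. */
typedef struct {
    char   type[5];      /* four-character atom type, NUL-terminated */
    size_t header_len;   /* 8 for a 32-bit size, 16 when the 64-bit "largesize" form is used */
    size_t payload_len;  /* bytes of atom body that follow the header */
} atom_header;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse the atom header at buf[0..avail). Returns 1 and fills *out on success,
 * 0 when the header is truncated or the declared size cannot be honoured.
 * Each rejection corresponds to a value that, used unchecked, would make
 * "size - header" wrap to a huge length or "offset + size" wrap past the end. */
int parse_atom_header(const uint8_t *buf, size_t avail, atom_header *out) {
    if (avail < 8) return 0;                 /* not even a basic header */
    uint64_t size = be32(buf);
    size_t   hdr  = 8;
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    if (size == 1) {                         /* 64-bit size follows the type field */
        if (avail < 16) return 0;
        size = be64(buf + 8);
        hdr  = 16;
    } else if (size == 0) {                  /* atom runs to the end of the data */
        size = avail;
    }
    if (size < hdr)   return 0;              /* smaller than its own header: underflow */
    if (size > avail) return 0;              /* past the data (covers SIZE_MAX-like values) */
    out->header_len  = hdr;
    out->payload_len = (size_t)size - hdr;   /* safe: hdr <= size <= avail <= SIZE_MAX */
    return 1;
}

/* Walk a sequence of top-level atoms. Returns the atom count, or -1 if any
 * header is malformed. Because parse_atom_header guarantees size <= len - off,
 * the offset arithmetic below cannot wrap. */
long count_atoms(const uint8_t *buf, size_t len) {
    size_t off = 0;
    long   n   = 0;
    while (off < len) {
        atom_header h;
        if (!parse_atom_header(buf + off, len - off, &h)) return -1;
        off += h.header_len + h.payload_len;
        n++;
    }
    return n;
}

/* Payload length of the first atom, or -1 if its header is rejected. */
long first_payload_len(const uint8_t *buf, size_t len) {
    atom_header h;
    if (!parse_atom_header(buf, len, &h)) return -1;
    return (long)h.payload_len;
}

/* Constructed sample inputs (not real media files). */
static const uint8_t SAMPLE_OK[] = {            /* ftyp with 8-byte body, then empty moov */
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x08, 'm','o','o','v'
};
static const uint8_t SAMPLE_SIZE_BELOW_HEADER[] = {   /* declared size 6 < 8-byte header */
    0x00,0x00,0x00,0x06, 'u','d','t','a'
};
static const uint8_t SAMPLE_SIZE_PAST_END[] = {       /* 32-bit size 0xFFFFFFFF, 8 bytes present */
    0xFF,0xFF,0xFF,0xFF, 'm','d','a','t'
};
static const uint8_t SAMPLE_LARGESIZE_MAX[] = {       /* 64-bit size equal to UINT64_MAX */
    0x00,0x00,0x00,0x01, 'm','d','a','t',
    0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF
};

int main(void) {
    printf("well-formed:        %ld atoms\n", count_atoms(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("size below header:  %ld\n", count_atoms(SAMPLE_SIZE_BELOW_HEADER, sizeof SAMPLE_SIZE_BELOW_HEADER));
    printf("size past end:      %ld\n", count_atoms(SAMPLE_SIZE_PAST_END, sizeof SAMPLE_SIZE_PAST_END));
    printf("largesize max:      %ld\n", count_atoms(SAMPLE_LARGESIZE_MAX, sizeof SAMPLE_LARGESIZE_MAX));
    return 0;
}
```

Each malformed sample is rejected at the header, so no later length calculation, allocation or copy ever sees the wrapped value.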
Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1539</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c">ANDROID-20139950</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom>Integer overflow in libstagefright when parsing the MPEG4 tx3g atom</h3>

<p>There is a potential integer overflow in libstagefright that could occur during
MPEG4 tx3g data processing, leading to memory corruption and potentially remote
code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
High severity vulnerability and was reported to partners as such.
Under our new
guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3824</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms>Integer underflow in libstagefright when processing MPEG4 covr atoms</h3>

<p>There is a potential integer underflow in libstagefright that could occur
during MPEG4 data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
High severity vulnerability and was reported to partners as such.
Under our new
guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3827</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata>Integer underflow in libstagefright if size is below 6 while processing 3GPP metadata</h3>

<p>There is a potential integer underflow in libstagefright that could occur
during 3GPP data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such.
Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3828</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.0 and above</td>
</tr>
</table>

<h3 id=integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max>Integer overflow in libstagefright processing MPEG4 covr atoms when
chunk_data_size is SIZE_MAX</h3>

<p>There is a potential integer overflow in libstagefright that could occur during
MPEG4 covr data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such.
Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3829</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.0 and above</td>
</tr>
</table>

<h3 id=buffer_overflow_in_sonivox_parse_wave>Buffer overflow in Sonivox Parse_wave</h3>

<p>There is a potential buffer overflow in Sonivox that could occur during XMF
data processing, leading to memory corruption and potentially remote code
execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such.
Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3836</td>
<td><a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6">ANDROID-21132860</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflows_in_libstagefright_mpeg4extractor_cpp>Buffer overflows in libstagefright MPEG4Extractor.cpp</h3>

<p>There are several buffer overflows in libstagefright that could occur during
MP4 processing, leading to memory corruption and potentially remote code
execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access.</p>

<p>Initially this issue was reported as a local exploit (not remotely accessible).
Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such.
Under our
new guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3832</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b">ANDROID-19641538</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflow_in_mediaserver_bpmediahttpconnection>Buffer overflow in mediaserver BpMediaHTTPConnection</h3>

<p>There is a potential buffer overflow in BpMediaHTTPConnection when
processing data provided by another application, leading to memory corruption
and potentially code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API. We don't believe
the issue is remotely exploitable.</p>

<p>This issue is rated as High severity due to the possibility of code execution
as the privileged mediaserver service, from a local application.
While
mediaserver is guarded with SELinux, it does have access to audio and video
streams as well as access to privileged kernel driver device nodes on many
devices that third-party apps cannot normally access.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3831</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed">ANDROID-19400722</a></td>
<td>High</td>
<td>5.0 and 5.1</td>
</tr>
</table>

<h3 id=vulnerability_in_libpng_overflow_in_png_read_idat_data>Vulnerability in libpng: Overflow in png_Read_IDAT_data</h3>

<p>There is a potential buffer overflow that could occur in reading IDAT data
within the png_read_IDAT_data() function in libpng, leading to memory
corruption and potentially remote code execution within an application using
this method.</p>

<p>The affected functionality is provided as an application API.
There may be
applications that allow it to be reached with remote content, most notably
messaging applications and browsers.</p>

<p>This issue is rated as High severity due to the possibility of remote code
execution as an unprivileged application.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-0973</td>
<td><a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa">ANDROID-19499430</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant>Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</h3>

<p>When wpa_supplicant is operating in WLAN Direct mode, it's vulnerable to
potential remote code execution due to an overflow in the p2p_add_device()
method. Successful exploitation could result in code execution as the 'wifi'
user in Android.</p>

<p>There are several mitigations that can affect successful exploitation of this
issue:</p>

<ul>
<li> WLAN Direct is not enabled by default on most Android devices.
<li> Exploitation requires an attacker to be locally proximate (within WiFi range).
<li> The wpa_supplicant process runs as the 'wifi' user, which has limited access
to the system.
<li> Remote exploitation is mitigated by ASLR on Android 4.1 and later devices.
<li> The wpa_supplicant process is tightly constrained by SELinux policy on
Android 5.0 and greater.
</ul>

<p>This issue is rated as High severity due to the possibility of remote code
execution.
While the 'wifi' service does have capabilities that are not
normally accessible to third-party apps, which could rate this as Critical, we
believe the limited capabilities and level of mitigation warrant decreasing the
severity to High.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1863</td>
<td><a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c">ANDROID-20076874</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=memory_corruption_in_opensslx509certificate_deserialization>Memory Corruption in OpenSSLX509Certificate Deserialization</h3>

<p>A malicious local application can send an Intent which, when deserialized by
the receiving application, can decrement a value at an arbitrary memory
address, leading to memory corruption and potentially code execution within the
receiving application.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3837</td>
<td><a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540">ANDROID-21437603</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflow_in_mediaserver_bnhdcp>Buffer overflow in mediaserver BnHDCP</h3>

<p>There is a potential integer overflow in libstagefright when processing data
provided by another application, leading to memory (heap) corruption and
potentially code execution as the mediaserver process.</p>

<p>This issue is rated as High severity because it
can be used to gain privileges
not accessible to a third-party application. While mediaserver is guarded with
SELinux, it does have access to audio and video streams as well as access to
privileged kernel driver device nodes on many devices that third-party apps
cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such. Under our
new guidelines, published in June 2015, it is a High severity vulnerability.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3834</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced">ANDROID-20222489</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer>Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</h3>

<p>There is a potential buffer overflow in libstagefright when processing data
provided by another application, leading to memory corruption and potentially
code execution as the mediaserver process.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application. While mediaserver is guarded with
SELinux, it does have access to audio and video streams as well as access to
privileged kernel driver device nodes on many devices that third-party apps
cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such.
Under our
new guidelines, published in June 2015, it is a High severity vulnerability.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3835</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab">ANDROID-20634516</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902">2</a>]</td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr>Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()</h3>

<p>There is a heap overflow in mediaserver's Audio Policy Service that could allow
a local application to execute arbitrary code in mediaserver's process.</p>

<p>The affected functionality is provided as an application API. We don't
believe the issue is remotely exploitable.</p>

<p>This issue is rated as High severity due to the possibility of code execution
as the privileged mediaserver service, from a local application.
While
mediaserver is guarded with SELinux, it does have access to audio and video
streams as well as access to privileged kernel driver device nodes on many
devices that third-party apps cannot normally access.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3842</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">ANDROID-21953516</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=applications_can_intercept_or_emulate_sim_commands_to_telephony>Applications can intercept or emulate SIM commands to Telephony</h3>

<p>There is a vulnerability in the SIM Toolkit (STK) framework that could allow
apps to intercept or emulate certain STK SIM commands to Android's Telephony
subsystem.</p>

<p>This issue is rated as High severity because it could allow an unprivileged
app to access capabilities or data normally protected by a "signature" or
"system" level permission.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3843</td>
<td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9">ANDROID-21697171</a> [<a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7">2</a>, <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4">3</a>, <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456">4</a>]</td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=vulnerability_in_bitmap_unmarshalling>Vulnerability in Bitmap
unmarshalling</h3>

<p>An integer overflow in Bitmap_createFromParcel() could allow an app to either
crash the system_server process or read memory data from system_server.</p>

<p>This issue is rated as Moderate severity due to the possibility of leaking
sensitive data from the system_server process to an unprivileged local process.
While this type of vulnerability would normally be rated as High severity, the
severity has been reduced because the data that is leaked in a successful
attack cannot be controlled by the attacking process and the consequence of an
unsuccessful attack is to render the device temporarily unusable (requiring a
reboot).</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1536</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb">ANDROID-19666945</a></td>
<td>Moderate</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=appwidgetserviceimpl_can_create_intentsender_with_system_privileges>AppWidgetServiceImpl can create IntentSender with system privileges</h3>

<p>There is a vulnerability in AppWidgetServiceImpl in the Settings app that
allows an app to grant itself a URI permission by specifying
FLAG_GRANT_READ/WRITE_URI_PERMISSION.
For example, this could be exploited to
read contact data without the READ_CONTACTS permission.</p>

<p>This is rated Moderate severity because it can allow a local
app to access data normally protected by permissions with a "dangerous"
protection level.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1541</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07">ANDROID-19618745</a></td>
<td>Moderate</td>
<td>5.1</td>
</tr>
</table>


<h3 id=mitigation_bypass_of_restrictions_on_getrecenttasks>Mitigation bypass of restrictions on getRecentTasks()</h3>


<p>A local application can reliably determine the foreground application,
circumventing the getRecentTasks() restriction introduced in Android 5.0.</p>

<p>This is rated Moderate severity because it can allow a local
app to access data normally protected by permissions with a "dangerous"
protection level.</p>

<p>We believe this vulnerability was first described publicly at: <a href="http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l">http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l</a></p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3833</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e">ANDROID-20034603</a></td>
<td>Moderate</td>
<td>5.0 and 5.1</td>
</tr>
</table>


<h3 id=activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process>ActivityManagerService.getProcessRecordLocked() may load
a system UID
application into the wrong process</h3>


<p>ActivityManager's getProcessRecordLocked() method doesn't properly verify that
an application's process name matches the corresponding package name. In some
cases, this can allow ActivityManager to load the wrong process for certain
tasks.</p>

<p>The implications are that an app can prevent Settings from being loaded or
inject parameters into Settings fragments. We don't believe that this
vulnerability can be used to execute arbitrary code as the "system" user.</p>

<p>While the ability to access capabilities normally only accessible to "system"
would usually be rated High severity, we rated this one Moderate due to the
limited level of access granted by the vulnerability.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3844</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31">ANDROID-21669445</a></td>
<td>Moderate</td>
<td>5.1 and below</td>
</tr>
</table>


<h3 id=unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata>Unbounded buffer read in libstagefright while parsing 3GPP metadata</h3>


<p>An integer underflow during parsing of 3GPP data can result in a read operation
overrunning a buffer, causing mediaserver to crash.</p>

<p>This issue was originally rated High severity and was reported to partners
as such, but after further investigation it has been downgraded to Low severity
because the impact is limited to crashing mediaserver.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3826</td>
<td><a
href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
<td>Low</td>
<td>5.0 and 5.1</td>
</tr>
</table>


<h2 id=revisions>Revisions</h2>


<ul>
<li>August 13, 2015: Originally Published</li>
</ul>
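<p>The Bitmap unmarshalling issue (CVE-2015-1536) and the 3GPP metadata issue
(CVE-2015-3826) above are both unchecked size arithmetic over attacker-controlled
headers: a product that wraps before the bounds check, and a declared size that
has a fixed header subtracted from it before it is validated. The C program below
is an added illustration of those two classes, written for this bulletin; it is
not AOSP code and not the patches linked above. Everything in it is an assumption
made for the illustration: the parcel and box layouts, the 14-byte fixed header,
the sample inputs, and the use of 16-bit fields in model A so that the wrap
reproduces inside a small buffer (the real arithmetic wraps at 32 bits). Each
model shows the vulnerable routine beside a hardened one that validates before
computing.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model A (integer-overflow class, cf. Bitmap_createFromParcel): the bounds check
 * uses a product that has already wrapped. 16-bit fields are an assumption so
 * the wrap fits in a small buffer; the real arithmetic wraps at 32 bits. */
typedef struct {
    uint16_t height, row_bytes;   /* attacker-chosen header fields */
    const uint8_t *blob;          /* pixel bytes actually carried by the parcel */
    size_t blob_len;
} parcel_bitmap;

/* Constructed receiver memory: 64-byte blob at offset 0, then secret bytes 'S'. */
#define MEM_LEN 70000u
#define BLOB_LEN 64u
static uint8_t process_memory[MEM_LEN], out[65536];

static void setup_memory(void) {
    memset(process_memory, 0, BLOB_LEN);
    memset(process_memory + BLOB_LEN, 'S', MEM_LEN - BLOB_LEN);
    memset(out, 0, sizeof out);
}

/* Vulnerable: height=256, row_bytes=256 wraps to size 0, the check passes and
 * the row loop reads 65536 bytes from a 64-byte blob. Returns bytes copied. */
size_t bitmap_unmarshal_vulnerable(const parcel_bitmap *p, uint8_t *dst, size_t dst_len) {
    uint16_t size = (uint16_t)((uint32_t)p->height * p->row_bytes); /* wraps mod 2^16 */
    if (size > p->blob_len) return 0;
    size_t copied = 0;
    for (uint16_t row = 0; row < p->height; row++) {
        if (copied + p->row_bytes > dst_len) break;           /* bounds only dst */
        memcpy(dst + copied, p->blob + copied, p->row_bytes); /* source overrun */
        copied += p->row_bytes;
    }
    return copied;
}

/* Hardened: widen before multiplying, reject what the parcel cannot back and
 * copy exactly the validated amount. Returns 0 on rejection. */
size_t bitmap_unmarshal_checked(const parcel_bitmap *p, uint8_t *dst, size_t dst_len) {
    uint32_t size = (uint32_t)p->height * p->row_bytes;      /* 16x16 bits fits in 32 */
    if (size == 0 || size > p->blob_len || size > dst_len) return 0;
    memcpy(dst, p->blob, size);
    return size;
}

/* Vulnerable path with the wrapping header: returns how many 'S' bytes beyond
 * the blob were copied out (0 would mean no leak). */
size_t run_bitmap_vulnerable_leak(void) {
    setup_memory();
    parcel_bitmap p = { 256, 256, process_memory, BLOB_LEN };
    size_t n = bitmap_unmarshal_vulnerable(&p, out, sizeof out), leaked = 0;
    for (size_t i = BLOB_LEN; i < n; i++) leaked += (out[i] == 'S');
    return leaked;
}

/* Hardened path for an arbitrary header: returns bytes accepted. */
size_t run_bitmap_checked(uint16_t height, uint16_t row_bytes) {
    setup_memory();
    parcel_bitmap p = { height, row_bytes, process_memory, BLOB_LEN };
    return bitmap_unmarshal_checked(&p, out, sizeof out);
}

/* Model B (integer-underflow class, cf. 3GPP metadata parsing): fixed headers are
 * subtracted from a declared box size before it is validated. Assumed layout:
 * 32-bit big-endian size, 4-byte type, 6 bytes version/flags/language, text. */
#define BOX_HDR 8u
#define META_HDR 6u
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable: a declared size below 14 underflows to a length near 2^32, and
 * any copy or scan driven by it runs far past the box. Returns that length. */
uint32_t meta_text_len_vulnerable(const uint8_t *box, size_t box_len) {
    if (box_len < BOX_HDR) return 0;
    return be32(box) - BOX_HDR - META_HDR;   /* unsigned underflow */
}

/* Hardened: check the declared size against the fixed header and the bytes
 * present before any arithmetic. Returns the text length, or -1 if rejected. */
long meta_text_len_checked(const uint8_t *box, size_t box_len) {
    if (box_len < BOX_HDR) return -1;
    uint32_t size = be32(box);
    if (size < BOX_HDR + META_HDR || size > box_len) return -1;
    return (long)(size - BOX_HDR - META_HDR);
}

/* Constructed boxes: a well-formed 'titl' carrying "Hello" (size 19), and one
 * declaring size 10, below the 14 bytes of fixed header. */
static const uint8_t good_box[19] = { 0,0,0,19, 't','i','t','l', 0,0,0,0, 'e','n', 'H','e','l','l','o' };
static const uint8_t bad_box[10]  = { 0,0,0,10, 't','i','t','l', 0,0 };
int main(void) {
    printf("A: leaked %zu bytes; checked accepts %zu / %zu\n", run_bitmap_vulnerable_leak(),
           run_bitmap_checked(256, 256), run_bitmap_checked(4, 8));
    printf("B: vulnerable length %u; checked %ld / %ld\n", (unsigned)meta_text_len_vulnerable(bad_box, 10),
           meta_text_len_checked(good_box, 19), meta_text_len_checked(bad_box, 10));
}
```

<p>The two hardened routines share one rule: every comparison is made on a value
that cannot have wrapped, and it is made against the bytes actually present
before the size is used for a copy. In model A the vulnerable check passes
because the product reached it already truncated; in model B the subtraction
happens before the lower-bound check instead of after it. Either order of
operations alone is the bug.</p>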