<html devsite>
<head>
<title>Nexus Security Bulletin - August 2015</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p><em>Published August 13, 2015</em></p>

<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process.
The Nexus firmware images have also been released to the
<a href="https://developers.google.com/android/nexus/images">Google Developer site</a>.
Builds LMY48I or later address these issues. Partners were notified about these
issues on June 25, 2015 or earlier.</p>

<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods
such as email, web browsing, and MMS when processing media files. The
<a href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming that platform and service
mitigations are disabled for development purposes or are successfully bypassed.</p>

<h2 id=mitigations>Mitigations</h2>

<p>This is a summary of the mitigations provided by the
<a href="/security/enhancements/index.html">Android security platform</a> and
service protections such as SafetyNet. These capabilities reduce the
likelihood that security vulnerabilities can be successfully exploited on
Android.</p>

<ul>
<li> Exploitation for many issues on Android is made more difficult by enhancements
in newer versions of the Android platform. We encourage all users to update to
the latest version of Android where possible.
<li> The Android Security team is actively monitoring for abuse with Verify Apps and
SafetyNet, which will warn about potentially harmful applications about to be
installed. Device rooting tools are prohibited within Google Play. To protect
users who install applications from outside of Google Play, Verify Apps is
enabled by default and will warn users about known rooting applications. Verify
Apps attempts to identify and block installation of known malicious
applications that exploit a privilege escalation vulnerability. If such an
application has already been installed, Verify Apps will notify the user and
attempt to remove any such applications.
<li> As appropriate, Google has updated the Hangouts and Messenger applications so
that media is not automatically passed to vulnerable processes (such as
mediaserver).
</ul>

<h2 id=acknowledgements>Acknowledgements</h2>

<p>We would like to thank these researchers for their contributions:</p>

<ul>
<li> Joshua Drake: CVE-2015-1538, CVE-2015-3826
<li> Ben Hawkes: CVE-2015-3836
<li> Alexandru Blanda: CVE-2015-3832
<li> Micha Bednarski: CVE-2015-3831, CVE-2015-3844, CVE-2015-1541
<li> Alex Copot: CVE-2015-1536
<li> Alex Eubanks: CVE-2015-0973
<li> Roee Hay and Or Peles: CVE-2015-3837
<li> Guang Gong: CVE-2015-3834
<li> Gal Beniamini: CVE-2015-3835
<li> Wish Wu*: CVE-2015-3842
<li> Artem Chaykin: CVE-2015-3843
</ul>

<p>*Wish is also our very first
<a href="https://www.google.com/about/appsecurity/android-rewards/">Android Security Rewards</a>
recipient!</p>

<h3 id=integer_overflows_during_mp4_atom_processing>Integer overflows during MP4 atom processing</h3>

<p>There are several potential integer overflows in libstagefright that could
occur during MP4 atom processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1538</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d">ANDROID-20139950</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398">2</a>]</td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=an_integer_underflow_in_esds_processing>An integer underflow in ESDS processing</h3>

<p>There is a potential integer underflow in libstagefright that could occur
during ESDS atom processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1539</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c">ANDROID-20139950</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom>Integer overflow in libstagefright when parsing the MPEG4 tx3g atom</h3>

<p>There is a potential integer overflow in libstagefright that could occur during
MPEG4 tx3g data processing, leading to memory corruption and potentially remote
code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
High severity vulnerability and was reported to partners as such. Under our new
guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3824</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms>Integer underflow in libstagefright when processing MPEG4 covr atoms</h3>

<p>There is a potential integer underflow in libstagefright that could occur
during MPEG4 data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
High severity vulnerability and was reported to partners as such. Under our new
guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3827</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata>Integer underflow in libstagefright if size is below 6 while processing 3GPP
metadata</h3>

<p>There is a potential integer underflow in libstagefright that could occur
during 3GPP data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3828</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.0 and above</td>
</tr>
</table>

<h3 id=integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max>Integer overflow in libstagefright processing MPEG4 covr atoms when
chunk_data_size is SIZE_MAX</h3>

<p>There is a potential integer overflow in libstagefright that could occur during
MPEG4 covr data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3829</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859">ANDROID-20923261</a></td>
<td>Critical</td>
<td>5.0 and above</td>
</tr>
</table>

<h3 id=buffer_overflow_in_sonivox_parse_wave>Buffer overflow in Sonivox Parse_wave</h3>

<p>There is a potential buffer overflow in Sonivox that could occur during XMF
data processing, leading to memory corruption and potentially remote code
execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3836</td>
<td><a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6">ANDROID-21132860</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflows_in_libstagefright_mpeg4extractor_cpp>Buffer overflows in libstagefright MPEG4Extractor.cpp</h3>

<p>There are several buffer overflows in libstagefright that could occur during
MP4 processing, leading to memory corruption and potentially remote code
execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that third-party
apps cannot normally access.</p>

<p>Initially this issue was reported as a local exploit (not remotely accessible).
Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such. Under our
new guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3832</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b">ANDROID-19641538</a></td>
<td>Critical</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflow_in_mediaserver_bpmediahttpconnection>Buffer overflow in mediaserver BpMediaHTTPConnection</h3>

<p>There is a potential buffer overflow in BpMediaHTTPConnection when
processing data provided by another application, leading to memory corruption
and potentially code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API. We don't believe
the issue is remotely exploitable.</p>

<p>This issue is rated as High severity due to the possibility of code execution
as the privileged mediaserver service, from a local application. While
mediaserver is guarded with SELinux, it does have access to audio and video
streams as well as access to privileged kernel driver device nodes on many
devices that third-party apps cannot normally access.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3831</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed">ANDROID-19400722</a></td>
<td>High</td>
<td>5.0 and 5.1</td>
</tr>
</table>

<h3 id=vulnerability_in_libpng_overflow_in_png_read_idat_data>Vulnerability in libpng: Overflow in png_read_IDAT_data</h3>

<p>There is a potential buffer overflow that could occur in reading IDAT data
within the png_read_IDAT_data() function in libpng, leading to memory
corruption and potentially remote code execution within an application using
this method.</p>

<p>The affected functionality is provided as an application API. There may be
applications that allow it to be reached with remote content, most notably
messaging applications and browsers.</p>

<p>This issue is rated as High severity due to the possibility of remote code
execution as an unprivileged application.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-0973</td>
<td><a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa">ANDROID-19499430</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant>Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</h3>

<p>When wpa_supplicant is operating in WLAN Direct mode, it is vulnerable to
potential remote code execution due to an overflow in the p2p_add_device()
method. Successful exploitation could result in code execution as the 'wifi'
user in Android.</p>

<p>There are several mitigations that can affect successful exploitation of this
issue:</p>

<ul>
<li> WLAN Direct is not enabled by default on most Android devices.
<li> Exploitation requires an attacker to be locally proximate (within WiFi range).
<li> The wpa_supplicant process runs as the 'wifi' user, which has limited access
to the system.
<li> Remote exploitation is mitigated by ASLR on Android 4.1 and later devices.
<li> The wpa_supplicant process is tightly constrained by SELinux policy on
Android 5.0 and greater.
</ul>

<p>This issue is rated as High severity due to the possibility of remote code
execution. While the 'wifi' service does have capabilities that are not
normally accessible to third-party apps, which could rate this as Critical, we
believe the limited capabilities and level of mitigation warrant decreasing the
severity to High.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1863</td>
<td><a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c">ANDROID-20076874</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=memory_corruption_in_opensslx509certificate_deserialization>Memory Corruption in OpenSSLX509Certificate Deserialization</h3>

<p>A malicious local application can send an Intent which, when deserialized by
the receiving application, can decrement a value at an arbitrary memory
address, leading to memory corruption and potentially code execution within the
receiving application.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3837</td>
<td><a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540">ANDROID-21437603</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflow_in_mediaserver_bnhdcp>Buffer overflow in mediaserver BnHDCP</h3>

<p>There is a potential integer overflow in libstagefright when processing data
provided by another application, leading to memory (heap) corruption and
potentially code execution as the mediaserver process.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application. While mediaserver is guarded with
SELinux, it does have access to audio and video streams as well as access to
privileged kernel driver device nodes on many devices that third-party apps
cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such. Under our
new guidelines, published in June 2015, it is a High severity vulnerability.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3834</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced">ANDROID-20222489</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer>Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</h3>

<p>There is a potential buffer overflow in libstagefright when processing data
provided by another application, leading to memory corruption and potentially
code execution as the mediaserver process.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application. While mediaserver is guarded with
SELinux, it does have access to audio and video streams as well as access to
privileged kernel driver device nodes on many devices that third-party apps
cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such. Under our
new guidelines, published in June 2015, it is a High severity vulnerability.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3835</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab">ANDROID-20634516</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902">2</a>]</td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr>Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()</h3>

<p>There is a heap overflow in mediaserver's Audio Policy Service that could allow
a local application to execute arbitrary code in mediaserver's process.</p>

<p>The affected functionality is provided as an application API. We don't
believe the issue is remotely exploitable.</p>

<p>This issue is rated as High severity due to the possibility of code execution
as the privileged mediaserver service, from a local application. While
mediaserver is guarded with SELinux, it does have access to audio and video
streams as well as access to privileged kernel driver device nodes on many
devices that third-party apps cannot normally access.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3842</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">ANDROID-21953516</a></td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=applications_can_intercept_or_emulate_sim_commands_to_telephony>Applications can intercept or emulate SIM commands to Telephony</h3>

<p>There is a vulnerability in the SIM Toolkit (STK) framework that could allow
apps to intercept or emulate certain STK SIM commands to Android's Telephony
subsystem.</p>

<p>This issue is rated as High severity because it could allow an unprivileged
app to access capabilities or data normally protected by a "signature" or
"system" level permission.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3843</td>
<td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9">ANDROID-21697171</a> [<a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7">2</a>, <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4">3</a>, <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456">4</a>]</td>
<td>High</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=vulnerability_in_bitmap_unmarshalling>Vulnerability in Bitmap unmarshalling</h3>

<p>An integer overflow in Bitmap_createFromParcel() could allow an app to either
crash the system_server process or read memory data from system_server.</p>

<p>This issue is rated as Moderate severity due to the possibility of leaking
sensitive data from the system_server process to an unprivileged local process.
While this type of vulnerability would normally be rated as High severity, the
severity has been reduced because the data that is leaked in a successful
attack cannot be controlled by the attacking process and the consequence of an
unsuccessful attack is to render the device temporarily unusable (requiring a
reboot).</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1536</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb">ANDROID-19666945</a></td>
<td>Moderate</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=appwidgetserviceimpl_can_create_intentsender_with_system_privileges>AppWidgetServiceImpl can create IntentSender with system privileges</h3>

<p>There is a vulnerability in AppWidgetServiceImpl in the Settings app that
allows an app to grant itself a URI permission by specifying
FLAG_GRANT_READ/WRITE_URI_PERMISSION. For example, this could be exploited to
read contact data without the READ_CONTACTS permission.</p>

<p>This is rated as a Moderate severity vulnerability because it can allow a local
app to access data normally protected by permissions with a "dangerous"
protection level.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-1541</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07">ANDROID-19618745</a></td>
<td>Moderate</td>
<td>5.1</td>
</tr>
</table>

<h3 id=mitigation_bypass_of_restrictions_on_getrecenttasks>Mitigation bypass of restrictions on getRecentTasks()</h3>

<p>A local application can reliably determine the foreground application,
circumventing the getRecentTasks() restriction introduced in Android 5.0.</p>

<p>This is rated as a Moderate severity vulnerability because it can allow a local
app to access data normally protected by permissions with a "dangerous"
protection level.</p>

<p>We believe this vulnerability was first described publicly on
<a href="http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l">Stack Overflow</a>.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3833</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e">ANDROID-20034603</a></td>
<td>Moderate</td>
<td>5.0 and 5.1</td>
</tr>
</table>

<h3 id=activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process>ActivityManagerService.getProcessRecordLocked() may load a system UID
application into the wrong process</h3>

<p>ActivityManager's getProcessRecordLocked() method doesn't properly verify that
an application's process name matches the corresponding package name. In some
cases, this can allow ActivityManager to load the wrong process for certain
tasks.</p>

<p>The implications are that an app can prevent Settings from being loaded or
inject parameters for Settings fragments. We don't believe that this
vulnerability can be used to execute arbitrary code as the "system" user.</p>

<p>While the ability to access capabilities normally only accessible to "system"
would be rated as High severity, we rated this one as Moderate due to the
limited level of access granted by the vulnerability.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3844</td>
<td><a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31">ANDROID-21669445</a></td>
<td>Moderate</td>
<td>5.1 and below</td>
</tr>
</table>

<h3 id=unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata>Unbounded buffer read in libstagefright while parsing 3GPP metadata</h3>

<p>An integer underflow during parsing of 3GPP data can result in a read operation
overrunning a buffer, causing mediaserver to crash.</p>

<p>This issue was originally rated as High severity and was reported to partners
as such, but after further investigation it has been downgraded to Low severity
as the impact is limited to crashing mediaserver.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug(s) with AOSP links</th>
<th>Severity</th>
<th>Affected versions</th>
</tr>
<tr>
<td>CVE-2015-3826</td>
<td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
<td>Low</td>
<td>5.0 and 5.1</td>
</tr>
</table>

<h2 id=revisions>Revisions</h2>

<ul>
<li> August 13, 2015: Originally Published
</ul>

</body>
</html>
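<p>The libstagefright entries above (CVE-2015-1538, CVE-2015-3824, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829, CVE-2015-3832, CVE-2015-3826) share one root cause: size arithmetic on attacker-supplied atom headers that wraps on addition, underflows on subtraction (an atom "size below 6", or below the 8-byte header, subtracted from the header length), or overflows when a chunk_data_size of SIZE_MAX has one added to it; the Bitmap_createFromParcel() entry (CVE-2015-1536) is the multiplicative form of the same class. The C below is an added example, not AOSP or libstagefright code, and it does not reproduce any of the patched functions: it is a toy ISO BMFF atom-header reader and two size helpers that show where the checks belong so a malformed header is rejected rather than turned into an undersized allocation or out-of-bounds read. All sample headers are constructed inline; the 8-byte header layout (big-endian 32-bit size followed by a FourCC) is the ISO BMFF convention, and the treatment of sizes 0 and 1 as invalid is a simplification this toy makes.</p>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATOM_HEADER_LEN 8u   /* 4-byte size + 4-byte FourCC type (ISO BMFF) */

typedef struct {
    char type[5];          /* FourCC, NUL-terminated */
    size_t payload_len;    /* bytes following the 8-byte header */
} atom_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* a + b without wrap-around; false if the sum does not fit in size_t. */
bool checked_add(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}

/* a * b without wrap-around; false on overflow. */
bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Parse the atom header at buf[offset]. Returns true only if the whole atom
 * (header and payload) lies inside buf. Sizes 0 and 1 have special meanings
 * in ISO BMFF (to-end-of-file, 64-bit largesize); this toy rejects them. */
bool parse_atom(const uint8_t *buf, size_t buf_len, size_t offset, atom_t *out) {
    /* Prove the subtraction cannot underflow before using it for the bound. */
    if (offset > buf_len || buf_len - offset < ATOM_HEADER_LEN) return false;
    uint32_t size = be32(buf + offset);
    /* Checking first is what prevents "size - header" wrapping to ~4 GiB. */
    if (size < ATOM_HEADER_LEN) return false;
    size_t end;
    /* offset + size is done with an overflow check, then compared to buf_len. */
    if (!checked_add(offset, size, &end) || end > buf_len) return false;
    memcpy(out->type, buf + offset + 4, 4);
    out->type[4] = '\0';
    out->payload_len = size - ATOM_HEADER_LEN;
    return true;
}

/* Bytes needed for a copy of chunk_data_size payload bytes plus one trailing
 * terminator byte; false when chunk_data_size is SIZE_MAX and +1 would wrap
 * to 0, which is exactly the case the covr/SIZE_MAX entry describes. */
bool chunk_alloc_size(size_t chunk_data_size, size_t *out) {
    return checked_add(chunk_data_size, 1, out);
}

/* Pixel buffer size width*height*bytes_per_pixel, the kind of product an
 * unmarshalled bitmap header supplies; false on overflow. */
bool bitmap_buffer_size(size_t width, size_t height, size_t bpp, size_t *out) {
    size_t row;
    return checked_mul(width, bpp, &row) && checked_mul(row, height, out);
}

int main(void) {
    /* Constructed headers, not real media files. */
    const uint8_t good[] = { 0,0,0,12, 'f','t','y','p', 'i','s','o','m' };
    const uint8_t tiny[] = { 0,0,0,5,  'm','o','o','v' };             /* size < header */
    const uint8_t huge[] = { 0xFF,0xFF,0xFF,0xFF, 'm','d','a','t' };  /* size past buffer */
    atom_t a;
    size_t n;
    if (parse_atom(good, sizeof good, 0, &a))
        printf("good: accepted (%s, %zu payload bytes)\n", a.type, a.payload_len);
    printf("tiny: %s\n", parse_atom(tiny, sizeof tiny, 0, &a) ? "accepted" : "rejected");
    printf("huge: %s\n", parse_atom(huge, sizeof huge, 0, &a) ? "accepted" : "rejected");
    printf("SIZE_MAX chunk: %s\n", chunk_alloc_size(SIZE_MAX, &n) ? "accepted" : "rejected");
    printf("2^31 x 2^31 x 4 bitmap: %s\n",
           bitmap_buffer_size((size_t)1 << 31, (size_t)1 << 31, 4, &n) ? "accepted" : "rejected");
    return 0;
}
```

<p>The ordering is the whole point: every comparison happens before the arithmetic whose result it protects, and the bound is always the real buffer length rather than a value read from the file. A parser written this way turns the three malformed headers into a clean parse failure instead of an undersized allocation, and the same checked helpers serve the parcel-supplied bitmap dimensions.</p>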