1 <html devsite> 2 <head> 3 <title>Nexus - 2015 8 </title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p> 27 <em> 28 2015 8 13 29 </em> 30 </p> 31 <p> 32 Android Nexus OTANexus 33 <a href="https://developers.google.com/android/nexus/images"> 34 Google 35 </a> 36 LMY48I 2015 6 25 37 </p> 38 <p> 39 MMS 40 </p> 41 <h2 id="security_vulnerability_summary" style="margin-bottom:0px"> 42 43 </h2> 44 <hr/> 45 <p> 46 CVE 47 <a href="http://source.android.com/security/overview/updates-resources.html#severity"> 48 49 </a> 50 51 </p> 52 <table> 53 <tbody> 54 <tr> 55 <th> 56 57 </th> 58 <th> 59 CVE 60 </th> 61 <th> 62 63 </th> 64 </tr> 65 <tr> 66 <td> 67 MP4 atom 68 </td> 69 <td> 70 CVE-2015-1538 71 </td> 72 <td> 73 74 </td> 75 </tr> 76 <tr> 77 <td> 78 ESDS 79 </td> 80 <td> 81 CVE-2015-1539 82 </td> 83 <td> 84 85 </td> 86 </tr> 87 <tr> 88 <td> 89 libstagefright MPEG4 tx3g atom 90 </td> 91 <td> 92 CVE-2015-3824 93 </td> 94 <td> 95 96 </td> 97 </tr> 98 <tr> 99 <td> 100 libstagefright MPEG4 covr atom 101 </td> 102 <td> 103 CVE-2015-3827 104 </td> 105 <td> 106 107 </td> 108 </tr> 109 <tr> 110 <td> 111 libstagefright 3GPP 6 112 </td> 113 <td> 114 CVE-2015-3828 115 </td> 116 <td> 117 118 </td> 119 </tr> 120 <tr> 121 <td> 122 libstagefright MPEG4 covr atom chunk_data_size SIZE_MAX 123 </td> 124 <td> 125 CVE-2015-3829 126 </td> 127 <td> 128 129 </td> 130 </tr> 131 <tr> 132 <td> 133 Sonivox Parse_wave 134 </td> 135 <td> 136 CVE-2015-3836 137 </td> 138 <td> 139 140 </td> 141 </tr> 142 <tr> 143 <td> 144 libstagefright MPEG4Extractor.cpp 145 </td> 146 <td> 147 CVE-2015-3832 148 </td> 149 <td> 150 151 </td> 152 </tr> 153 <tr> 154 <td> 155 BpMediaHTTPConnection 156 </td> 157 <td> 158 CVE-2015-3831 159 </td> 160 <td> 161 162 </td> 163 </tr> 164 <tr> 165 <td> 166 libpng : png_Read_IDAT_data 167 </td> 168 <td> 169 CVE-2015-0973 170 </td> 171 <td> 172 173 </td> 174 </tr> 175 <tr> 176 <td> 177 wpa_supplicant p2p_add_device() memcpy() 178 </td> 179 <td> 180 CVE-2015-1863 181 </td> 182 <td> 183 184 </td> 185 </tr> 186 <tr> 187 <td> 188 OpenSSLX509Certificate 189 </td> 190 <td> 191 CVE-2015-3837 192 </td> 193 <td> 194 195 </td> 196 </tr> 197 <tr> 198 <td> 199 BnHDCP 200 </td> 201 <td> 202 CVE-2015-3834 203 </td> 204 <td> 205 206 </td> 207 </tr> 208 <tr> 209 <td> 210 libstagefright OMXNodeInstance::emptyBuffer 211 </td> 212 <td> 213 CVE-2015-3835 214 </td> 215 <td> 216 217 </td> 218 </tr> 219 <tr> 220 <td> 221 AudioPolicyManager::getInputForAttr() 222 </td> 223 <td> 224 CVE-2015-3842 225 </td> 226 <td> 227 228 </td> 229 </tr> 230 <tr> 231 <td> 232 SIM 233 </td> 234 <td> 235 CVE-2015-3843 236 </td> 237 <td> 238 239 </td> 240 </tr> 241 <tr> 242 <td> 243 244 </td> 245 <td> 246 CVE-2015-1536 247 </td> 248 <td> 249 250 </td> 251 </tr> 252 <tr> 253 <td> 254 AppWidgetServiceImpl IntentSender 255 </td> 256 <td> 257 CVE-2015-1541 258 </td> 259 <td> 260 261 </td> 262 </tr> 263 <tr> 264 <td> 265 getRecentTasks() 266 </td> 267 <td> 268 CVE-2015-3833 269 </td> 270 <td> 271 272 </td> 273 </tr> 274 <tr> 275 <td> 276 ActivityManagerService.getProcessRecordLocked() UID 277 </td> 278 <td> 279 CVE-2015-3844 280 </td> 281 <td> 282 283 </td> 284 </tr> 285 <tr> 286 <td> 287 libstagefright 3GPP 288 </td> 289 <td> 290 CVE-2015-3826 291 </td> 292 <td> 293 294 </td> 295 </tr> 296 </tbody> 297 </table> 298 <h2 id="mitigations" style="margin-bottom:0px"> 299 300 </h2> 301 <hr/> 302 <p> 303 304 <a href="http://source.android.com/security/enhancements/index.html"> 305 Android 306 </a> 307 SafetyNet Android 308 </p> 309 <ul> 310 <li> 311 Android Android Android 312 </li> 313 <li> 314 Android SafetyNet Google Play Google Play 315 </li> 316 <li> 317 Google 318 </li> 319 </ul> 320 <h2 id="acknowledgements" style="margin-bottom:0px"> 321 322 </h2> 323 <hr/> 324 <p> 325 326 </p> 327 <ul> 328 <li> 329 Joshua Drake: CVE-2015-1538, CVE-2015-3826 330 </li> 331 <li> 332 Ben Hawkes: CVE-2015-3836 333 </li> 334 <li> 335 Alexandru Blanda: CVE-2015-3832 336 </li> 337 <li> 338 Micha Bednarski: CVE-2015-3831CVE-2015-3844CVE-2015-1541 339 </li> 340 <li> 341 Alex Copot: CVE-2015-1536 342 </li> 343 <li> 344 Alex Eubanks: CVE-2015-0973 345 </li> 346 <li> 347 Roee Hay Or Peles: CVE-2015-3837 348 </li> 349 <li> 350 Guang Gong: CVE-2015-3834 351 </li> 352 <li> 353 Gal Beniamini: CVE-2015-3835 354 </li> 355 <li> 356 Wish Wu*: CVE-2015-3842 357 </li> 358 <li> 359 Artem Chaykin: CVE-2015-3843 360 </li> 361 </ul> 362 <p> 363 * Wish 364 <a href="https://www.google.com/about/appsecurity/android-rewards/"> 365 Android Security Rewards 366 </a> 367 368 </p> 369 <h3 id="integer_overflows_during_mp4_atom_processing"> 370 MP4 atom 371 </h3> 372 <p> 373 libstagefright MP4 atom 374 </p> 375 <p> 376 API MMS 377 </p> 378 <p> 379 SELinux Google 2015 6 380 </p> 381 <table> 382 <tbody> 383 <tr> 384 <th> 385 CVE 386 </th> 387 <th> 388 AOSP 389 </th> 390 <th> 391 392 </th> 393 <th> 394 395 </th> 396 </tr> 397 <tr> 398 <td> 399 CVE-2015-1538 400 </td> 401 <td> 402 <a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d"> 403 ANDROID-20139950 404 </a> 405 [ 406 <a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398"> 407 2 408 </a> 409 ] 410 </td> 411 <td> 412 413 </td> 414 <td> 415 5.1 416 </td> 417 </tr> 418 </tbody> 419 </table> 420 <h3 id="an_integer_underflow_in_esds_processing"> 421 ESDS 422 </h3> 423 <p> 424 libstagefright ESDS atom 425 </p> 426 <p> 427 API MMS 428 </p> 429 <p> 430 SELinux Google 2015 6 431 </p> 432 <table> 433 <tbody> 434 <tr> 435 <th> 436 CVE 437 </th> 438 <th> 439 AOSP 440 </th> 441 <th> 442 443 </th> 444 <th> 445 446 </th> 447 </tr> 448 <tr> 449 <td> 450 CVE-2015-1539 451 </td> 452 <td> 453 <a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c"> 454 ANDROID-20139950 455 </a> 456 </td> 457 <td> 458 459 </td> 460 <td> 461 5.1 462 </td> 463 </tr> 464 </tbody> 465 </table> 466 <h3 id="integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom"> 467 libstagefright MPEG4 tx3g atom 468 </h3> 469 <p> 470 libstagefright MPEG4 tx3g 471 </p> 472 <p> 473 API MMS 474 </p> 475 <p> 476 SELinux 477 </p> 478 <p> 479 Google 2015 6 480 </p> 481 <table> 482 <tbody> 483 <tr> 484 <th> 485 CVE 486 </th> 487 <th> 488 AOSP 489 </th> 490 <th> 491 492 </th> 493 <th> 494 495 </th> 496 </tr> 497 <tr> 498 <td> 499 CVE-2015-3824 500 </td> 501 <td> 502 <a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6"> 503 ANDROID-20923261 504 </a> 505 </td> 506 <td> 507 508 </td> 509 <td> 510 5.1 511 </td> 512 </tr> 513 </tbody> 514 </table> 515 <h3 id="integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms"> 516 libstagefright MPEG4 covr atom 517 </h3> 518 <p> 519 libstagefright MPEG4 520 </p> 521 <p> 522 API MMS 523 </p> 524 <p> 525 SELinux 526 </p> 527 <p> 528 Google 2015 6 529 </p> 530 <table> 531 <tbody> 532 <tr> 533 <th> 534 CVE 535 </th> 536 <th> 537 AOSP 538 </th> 539 <th> 540 541 </th> 542 <th> 543 544 </th> 545 </tr> 546 <tr> 547 <td> 548 CVE-2015-3827 549 </td> 550 <td> 551 <a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231"> 552 ANDROID-20923261 553 </a> 554 </td> 555 <td> 556 557 </td> 558 <td> 559 5.1 560 </td> 561 </tr> 562 </tbody> 563 </table> 564 <h3 id="integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata"> 565 libstagefright 3GPP 6 566 </h3> 567 <p> 568 libstagefright 3GPP 569 </p> 570 <p> 571 API MMS 572 </p> 573 <p> 574 SELinux Google 2015 6 575 </p> 576 <table> 577 <tbody> 578 <tr> 579 <th> 580 CVE 581 </th> 582 <th> 583 AOSP 584 </th> 585 <th> 586 587 </th> 588 <th> 589 590 </th> 591 </tr> 592 <tr> 593 <td> 594 CVE-2015-3828 595 </td> 596 <td> 597 <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1"> 598 ANDROID-20923261 599 </a> 600 </td> 601 <td> 602 603 </td> 604 <td> 605 5.0 606 </td> 607 </tr> 608 </tbody> 609 </table> 610 <h3 id="integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max"> 611 libstagefright MPEG4 covr atom chunk_data_size SIZE_MAX 612 </h3> 613 <p> 614 libstagefright MPEG4 covr 615 </p> 616 <p> 617 API MMS 618 </p> 619 <p> 620 SELinux Google 2015 6 621 </p> 622 <table> 623 <tbody> 624 <tr> 625 <th> 626 CVE 627 </th> 628 <th> 629 AOSP 630 </th> 631 <th> 632 633 </th> 634 <th> 635 636 </th> 637 </tr> 638 <tr> 639 <td> 640 CVE-2015-3829 641 </td> 642 <td> 643 <a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859"> 644 ANDROID-20923261 645 </a> 646 </td> 647 <td> 648 649 </td> 650 <td> 651 5.0 652 </td> 653 </tr> 654 </tbody> 655 </table> 656 <h3 id="buffer_overflow_in_sonivox_parse_wave"> 657 Sonivox Parse_wave 658 </h3> 659 <p> 660 Sonivox XMF 661 </p> 662 <p> 663 API MMS 664 </p> 665 <p> 666 SELinux Google 2015 6 667 </p> 668 <table> 669 <tbody> 670 <tr> 671 <th> 672 CVE 673 </th> 674 <th> 675 AOSP 676 </th> 677 <th> 678 679 </th> 680 <th> 681 682 </th> 683 </tr> 684 <tr> 685 <td> 686 CVE-2015-3836 687 </td> 688 <td> 689 <a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6"> 690 ANDROID-21132860 691 </a> 692 </td> 693 <td> 694 695 </td> 696 <td> 697 5.1 698 </td> 699 </tr> 700 </tbody> 701 </table> 702 <h3 id="buffer_overflows_in_libstagefright_mpeg4extractor_cpp"> 703 libstagefright MPEG4Extractor.cpp 704 </h3> 705 <p> 706 libstagefright MP4 707 </p> 708 <p> 709 API MMS 710 </p> 711 <p> 712 SELinux 713 </p> 714 <p> 715 Google 2015 6 716 </p> 717 <table> 718 <tbody> 719 <tr> 720 <th> 721 CVE 722 </th> 723 <th> 724 AOSP 725 </th> 726 <th> 727 728 </th> 729 <th> 730 731 </th> 732 </tr> 733 <tr> 734 <td> 735 CVE-2015-3832 736 </td> 737 <td> 738 <a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b"> 739 ANDROID-19641538 740 </a> 741 </td> 742 <td> 743 744 </td> 745 <td> 746 5.1 747 </td> 748 </tr> 749 </tbody> 750 </table> 751 <h3 id="buffer_overflow_in_mediaserver_bpmediahttpconnection"> 752 BpMediaHTTPConnection 753 </h3> 754 <p> 755 BpMediaHTTPConnection 756 </p> 757 <p> 758 API Google 759 </p> 760 <p> 761 SELinux 762 </p> 763 <table> 764 <tbody> 765 <tr> 766 <th> 767 CVE 768 </th> 769 <th> 770 AOSP 771 </th> 772 <th> 773 774 </th> 775 <th> 776 777 </th> 778 </tr> 779 <tr> 780 <td> 781 CVE-2015-3831 782 </td> 783 <td> 784 <a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed"> 785 ANDROID-19400722 786 </a> 787 </td> 788 <td> 789 790 </td> 791 <td> 792 5.0 5.1 793 </td> 794 </tr> 795 </tbody> 796 </table> 797 <h3 id="vulnerability_in_libpng_overflow_in_png_read_idat_data"> 798 libpng : png_Read_IDAT_data 799 </h3> 800 <p> 801 libpng png_read_IDAT_data() IDAT 802 </p> 803 <p> 804 API SMS 805 </p> 806 <p> 807 808 </p> 809 <table> 810 <tbody> 811 <tr> 812 <th> 813 CVE 814 </th> 815 <th> 816 AOSP 817 </th> 818 <th> 819 820 </th> 821 <th> 822 823 </th> 824 </tr> 825 <tr> 826 <td> 827 CVE-2015-0973 828 </td> 829 <td> 830 <a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa"> 831 ANDROID-19499430 832 </a> 833 </td> 834 <td> 835 836 </td> 837 <td> 838 5.1 839 </td> 840 </tr> 841 </tbody> 842 </table> 843 <h3 id="remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant"> 844 wpa_supplicant p2p_add_device() memcpy() 845 </h3> 846 <p> 847 wpa_supplicant WLAN Direct p2p_add_device() Android wifi 848 </p> 849 <p> 850 851 </p> 852 <p> 853 - Android WLAN Direct 854 </p> 855 <p> 856 - Wi-Fi 857 </p> 858 <p> 859 - wpa_supplicant wifi 860 </p> 861 <p> 862 - Android 4.1 ASLR 863 </p> 864 <p> 865 - Android 5.0 SELinux wpa_supplicant 866 </p> 867 <p> 868 wifiGoogle 869 </p> 870 <table> 871 <tbody> 872 <tr> 873 <th> 874 CVE 875 </th> 876 <th> 877 AOSP 878 </th> 879 <th> 880 881 </th> 882 <th> 883 884 </th> 885 </tr> 886 <tr> 887 <td> 888 CVE-2015-1863 889 </td> 890 <td> 891 <a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c"> 892 ANDROID-20076874 893 </a> 894 </td> 895 <td> 896 897 </td> 898 <td> 899 5.1 900 </td> 901 </tr> 902 </tbody> 903 </table> 904 <h3 id="memory_corruption_in_opensslx509certificate_deserialization"> 905 OpenSSLX509Certificate 906 </h3> 907 <p> 908 909 </p> 910 <p> 911 912 </p> 913 <table> 914 <tbody> 915 <tr> 916 <th> 917 CVE 918 </th> 919 <th> 920 AOSP 921 </th> 922 <th> 923 924 </th> 925 <th> 926 927 </th> 928 </tr> 929 <tr> 930 <td> 931 CVE-2015-3837 932 </td> 933 <td> 934 <a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540"> 935 ANDROID-21437603 936 </a> 937 </td> 938 <td> 939 940 </td> 941 <td> 942 5.1 943 </td> 944 </tr> 945 </tbody> 946 </table> 947 <h3 id="buffer_overflow_in_mediaserver_bnhdcp"> 948 BnHDCP 949 </h3> 950 <p> 951 libstagefright 952 </p> 953 <p> 954 SELinux 955 </p> 956 <p> 957 Google 2015 6 958 </p> 959 <table> 960 <tbody> 961 <tr> 962 <th> 963 CVE 964 </th> 965 <th> 966 AOSP 967 </th> 968 <th> 969 970 </th> 971 <th> 972 973 </th> 974 </tr> 975 <tr> 976 <td> 977 CVE-2015-3834 978 </td> 979 <td> 980 <a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced"> 981 ANDROID-20222489 982 </a> 983 </td> 984 <td> 985 986 </td> 987 <td> 988 5.1 989 </td> 990 </tr> 991 </tbody> 992 </table> 993 <h3 id="buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer"> 994 libstagefright OMXNodeInstance::emptyBuffer 995 </h3> 996 <p> 997 libstagefright 998 </p> 999 <p> 1000 SELinux 1001 </p> 1002 <p> 1003 Google 2015 6 1004 </p> 1005 <table> 1006 <tbody> 1007 <tr> 1008 <th> 1009 CVE 1010 </th> 1011 <th> 1012 AOSP 1013 </th> 1014 <th> 1015 1016 </th> 1017 <th> 1018 1019 </th> 1020 </tr> 1021 <tr> 1022 <td> 1023 CVE-2015-3835 1024 </td> 1025 <td> 1026 <a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab"> 1027 ANDROID-20634516 1028 </a> 1029 [ 1030 <a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902"> 1031 2 1032 </a> 1033 ] 1034 </td> 1035 <td> 1036 1037 </td> 1038 <td> 1039 5.1 1040 </td> 1041 </tr> 1042 </tbody> 1043 </table> 1044 <h3 id="heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr"> 1045 AudioPolicyManager::getInputForAttr() 1046 </h3> 1047 <p> 1048 Audio Policy Service 1049 </p> 1050 <p> 1051 API Google 1052 </p> 1053 <p> 1054 SELinux 1055 </p> 1056 <table> 1057 <tbody> 1058 <tr> 1059 <th> 1060 CVE 1061 </th> 1062 <th> 1063 AOSP 1064 </th> 1065 <th> 1066 1067 </th> 1068 <th> 1069 1070 </th> 1071 </tr> 1072 <tr> 1073 <td> 1074 CVE-2015-3842 1075 </td> 1076 <td> 1077 <a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88"> 1078 ANDROID-21953516 1079 </a> 1080 </td> 1081 <td> 1082 1083 </td> 1084 <td> 1085 5.1 1086 </td> 1087 </tr> 1088 </tbody> 1089 </table> 1090 <h3 id="applications_can_intercept_or_emulate_sim_commands_to_telephony"> 1091 SIM 1092 </h3> 1093 <p> 1094 SIM STKAndroid STK SIM 1095 </p> 1096 <p> 1097 signaturesystem 1098 </p> 1099 <table> 1100 <tbody> 1101 <tr> 1102 <th> 1103 CVE 1104 </th> 1105 <th> 1106 AOSP 1107 </th> 1108 <th> 1109 1110 </th> 1111 <th> 1112 1113 </th> 1114 </tr> 1115 <tr> 1116 <td> 1117 CVE-2015-3843 1118 </td> 1119 <td> 1120 <a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9"> 1121 ANDROID-21697171 1122 </a> 1123 [ 1124 <a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7"> 1125 2 1126 </a> 1127 1128 <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4"> 1129 3 1130 </a> 1131 1132 <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456"> 1133 4 1134 </a> 1135 ] 1136 </td> 1137 <td> 1138 1139 </td> 1140 <td> 1141 5.1 1142 </td> 1143 </tr> 1144 </tbody> 1145 </table> 1146 <h3 id="vulnerability_in_bitmap_unmarshalling"> 1147 1148 </h3> 1149 <p> 1150 Bitmap_createFromParcel() system_server system_server 1151 </p> 1152 <p> 1153 system_server 1154 </p> 1155 <table> 1156 <tbody> 1157 <tr> 1158 <th> 1159 CVE 1160 </th> 1161 <th> 1162 AOSP 1163 </th> 1164 <th> 1165 1166 </th> 1167 <th> 1168 1169 </th> 1170 </tr> 1171 <tr> 1172 <td> 1173 CVE-2015-1536 1174 </td> 1175 <td> 1176 <a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb"> 1177 ANDROID-19666945 1178 </a> 1179 </td> 1180 <td> 1181 1182 </td> 1183 <td> 1184 5.1 1185 </td> 1186 </tr> 1187 </tbody> 1188 </table> 1189 <h3 id="appwidgetserviceimpl_can_create_intentsender_with_system_privileges"> 1190 AppWidgetServiceImpl IntentSender 1191 </h3> 1192 <p> 1193 AppWidgetServiceImpl FLAG_GRANT_READ_URI_PERMISSION FLAG_GRANT_WRITE_URI_PERMISSION URI READ_CONTACTS 1194 </p> 1195 <p> 1196 dangerous 1197 </p> 1198 <table> 1199 <tbody> 1200 <tr> 1201 <th> 1202 CVE 1203 </th> 1204 <th> 1205 AOSP 1206 </th> 1207 <th> 1208 1209 </th> 1210 <th> 1211 1212 </th> 1213 </tr> 1214 <tr> 1215 <td> 1216 CVE-2015-1541 1217 </td> 1218 <td> 1219 <a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07"> 1220 ANDROID-19618745 1221 </a> 1222 </td> 1223 <td> 1224 1225 </td> 1226 <td> 1227 5.1 1228 </td> 1229 </tr> 1230 </tbody> 1231 </table> 1232 <h3 id="mitigation_bypass_of_restrictions_on_getrecenttasks"> 1233 getRecentTasks() 1234 </h3> 1235 <p> 1236 Android 5.0 getRecentTasks() 1237 </p> 1238 <p> 1239 dangerous 1240 </p> 1241 <p> 1242 1243 <a href="http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l"> 1244 http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l 1245 </a> 1246 1247 </p> 1248 <table> 1249 <tbody> 1250 <tr> 1251 <th> 1252 CVE 1253 </th> 1254 <th> 1255 AOSP 1256 </th> 1257 <th> 1258 1259 </th> 1260 <th> 1261 1262 </th> 1263 </tr> 1264 <tr> 1265 <td> 1266 CVE-2015-3833 1267 </td> 1268 <td> 1269 <a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e"> 1270 ANDROID-20034603 1271 </a> 1272 </td> 1273 <td> 1274 1275 </td> 1276 <td> 1277 5.0 5.1 1278 </td> 1279 </tr> 1280 </tbody> 1281 </table> 1282 <h3 id="activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process"> 1283 ActivityManagerService.getProcessRecordLocked() UID 1284 </h3> 1285 <p> 1286 ActivityManager getProcessRecordLocked() ActivityManager 1287 </p> 1288 <p> 1289 Google system 1290 </p> 1291 <p> 1292 system 1293 </p> 1294 <table> 1295 <tbody> 1296 <tr> 1297 <th> 1298 CVE 1299 </th> 1300 <th> 1301 AOSP 1302 </th> 1303 <th> 1304 1305 </th> 1306 <th> 1307 1308 </th> 1309 </tr> 1310 <tr> 1311 <td> 1312 CVE-2015-3844 1313 </td> 1314 <td> 1315 <a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31"> 1316 ANDROID-21669445 1317 </a> 1318 </td> 1319 <td> 1320 1321 </td> 1322 <td> 1323 5.1 1324 </td> 1325 </tr> 1326 </tbody> 1327 </table> 1328 <h3 id="unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata"> 1329 libstagefright 3GPP 1330 </h3> 1331 <p> 1332 3GPP 1333 </p> 1334 <p> 1335 1336 </p> 1337 <table> 1338 <tbody> 1339 <tr> 1340 <th> 1341 CVE 1342 </th> 1343 <th> 1344 AOSP 1345 </th> 1346 <th> 1347 1348 </th> 1349 <th> 1350 1351 </th> 1352 </tr> 1353 <tr> 1354 <td> 1355 CVE-2015-3826 1356 </td> 1357 <td> 1358 <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1"> 1359 ANDROID-20923261 1360 </a> 1361 </td> 1362 <td> 1363 1364 </td> 1365 <td> 1366 5.0 5.1 1367 </td> 1368 </tr> 1369 </tbody> 1370 </table> 1371 <h2 id="revisions" style="margin-bottom:0px"> 1372 1373 </h2> 1374 <hr/> 1375 <ul> 1376 <li> 1377 2015 8 13 : 1378 </li> 1379 </ul> 1380 </div> 1381 <div class="content-footer-sac" itemscope="" itemtype="http://schema.org/SiteNavigationElement"> 1382 <div class="layout-content-col col-9" style="padding-top:4px"> 1383 </div> 1384 <div class="paging-links layout-content-col col-4"> 1385 </div> 1386 </div> 1387 </div> 1388 1389 </body> 1390 </html> 1391
