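<html devsite>
<head>
  <title>Nexus - 2015 8</title>
  <meta name="project_path" value="/_project.yaml" />
  <meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
    Copyright 2017 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->

<!--
  NOTE(review): this localized copy of the bulletin appears to have lost its
  non-ASCII text. Several headings and table header cells are empty, most
  paragraphs keep only ASCII fragments, and the table column that presumably
  held the severity rating is blank in every row. The English section titles
  survive in the heading ids. The CVE ids, ANDROID bug ids, AOSP commit links
  and version numbers are intact; take severity and affected-version wording
  from the published bulletin rather than from this copy.
-->

<p><em>: 2015 8 13</em></p>
<p>
  Google Android Nexus . Nexus
  <a href="https://developers.google.com/android/nexus/images">Google</a>
  . LMY48I . 2015 6 25 .
</p>
<p>, MMS .</p>

<h2 id="security_vulnerability_summary" style="margin-bottom:0px"></h2>
<hr/>
<p>
  , ID(CVE), .
  <a href="https://source.android.com/security/overview/updates-resources.html#severity"></a>
  .
</p>
<!-- Columns: issue title, CVE id, and a third column whose header and cells are empty in this copy. -->
<table>
  <tbody>
    <tr>
      <th></th>
      <th>CVE</th>
      <th></th>
    </tr>
    <tr>
      <td>MP4 Atom</td>
      <td>CVE-2015-1538</td>
      <td></td>
    </tr>
    <tr>
      <td>ESDS</td>
      <td>CVE-2015-1539</td>
      <td></td>
    </tr>
    <tr>
      <td>MPEG4 tx3g Atom libstagefright</td>
      <td>CVE-2015-3824</td>
      <td></td>
    </tr>
    <tr>
      <td>MPEG4 covr Atom libstagefright</td>
      <td>CVE-2015-3827</td>
      <td></td>
    </tr>
    <tr>
      <td>3GPP 6 libstagefright</td>
      <td>CVE-2015-3828</td>
      <td></td>
    </tr>
    <tr>
      <td>chunk_data_size SIZE_MAX MPEG4 covr Atom libstagefright</td>
      <td>CVE-2015-3829</td>
      <td></td>
    </tr>
    <tr>
      <td>Sonivox Parse_wave</td>
      <td>CVE-2015-3836</td>
      <td></td>
    </tr>
    <tr>
      <td>libstagefright MPEG4Extractor.cpp</td>
      <td>CVE-2015-3832</td>
      <td></td>
    </tr>
    <tr>
      <td>BpMediaHTTPConnection</td>
      <td>CVE-2015-3831</td>
      <td></td>
    </tr>
    <tr>
      <td>libpng : png_Read_IDAT_data</td>
      <td>CVE-2015-0973</td>
      <td></td>
    </tr>
    <tr>
      <td>wpa_supplicant p2p_add_device() memcpy()</td>
      <td>CVE-2015-1863</td>
      <td></td>
    </tr>
    <tr>
      <td>OpenSSLX509Certificate</td>
      <td>CVE-2015-3837</td>
      <td></td>
    </tr>
    <tr>
      <td>BnHDCP</td>
      <td>CVE-2015-3834</td>
      <td></td>
    </tr>
    <tr>
      <td>libstagefright OMXNodeInstance::emptyBuffer</td>
      <td>CVE-2015-3835</td>
      <td></td>
    </tr>
    <tr>
      <td>AudioPolicyManager::getInputForAttr()</td>
      <td>CVE-2015-3842</td>
      <td></td>
    </tr>
    <tr>
      <td>SIM</td>
      <td>CVE-2015-3843</td>
      <td></td>
    </tr>
    <tr>
      <td>Bitmap</td>
      <td>CVE-2015-1536</td>
      <td></td>
    </tr>
    <tr>
      <td>AppWidgetServiceImpl IntentSender</td>
      <td>CVE-2015-1541</td>
      <td></td>
    </tr>
    <tr>
      <td>getRecentTasks()</td>
      <td>CVE-2015-3833</td>
      <td></td>
    </tr>
    <tr>
      <td>ActivityManagerService.getProcessRecordLocked() UID</td>
      <td>CVE-2015-3844</td>
      <td></td>
    </tr>
    <tr>
      <td>3GPP libstagefright</td>
      <td>CVE-2015-3826</td>
      <td></td>
    </tr>
  </tbody>
</table>

<h2 id="mitigations" style="margin-bottom:0px"></h2>
<hr/>
<p>
  SafetyNet
  <a href="https://source.android.com/security/enhancements/index.html">Android</a>
  . Android .
</p>
<ul>
  <li>Android Android . Android .</li>
  <li>Android SafetyNet . Google Play . Google Play . . .</li>
  <li>Google .</li>
</ul>

<h2 id="acknowledgements" style="margin-bottom:0px"></h2>
<hr/>
<p>.</p>
<ul>
  <li>Joshua Drake: CVE-2015-1538, CVE-2015-3826</li>
  <li>Ben Hawkes: CVE-2015-3836</li>
  <li>Alexandru Blanda: CVE-2015-3832</li>
  <li>Michał Bednarski: CVE-2015-3831, CVE-2015-3844, CVE-2015-1541</li>
  <li>Alex Copot: CVE-2015-1536</li>
  <li>Alex Eubanks: CVE-2015-0973</li>
  <li>Roee Hay and Or Peles: CVE-2015-3837</li>
  <li>Guang Gong: CVE-2015-3834</li>
  <li>Gal Beniamini: CVE-2015-3835</li>
  <li>Wish Wu*: CVE-2015-3842</li>
  <li>Artem Chaykin: CVE-2015-3843</li>
</ul>
<p>
  *Wish
  <a href="https://www.google.com/about/appsecurity/android-rewards/">Android</a>
  .
</p>

<!-- Per-issue tables below: CVE id, AOSP fix commit(s) labelled with the ANDROID bug id, an empty column, and version numbers. -->
<h3 id="integer_overflows_during_mp4_atom_processing">MP4 Atom</h3>
<p>libstagefright MP4 Atom .</p>
<p>API MMS .</p>
<p>. SELinux , 3 . . 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1538</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d">ANDROID-20139950</a>
        [<a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398">2</a>]
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="an_integer_underflow_in_esds_processing">ESDS</h3>
<p>libstagefright ESDS Atom .</p>
<p>API MMS .</p>
<p>. SELinux 3 . . 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1539</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c">ANDROID-20139950</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom">MPEG4 tx3g Atom libstagefright</h3>
<p>libstagefright MPEG4 tx3g .</p>
<p>API , MMS .</p>
<p>. SELinux 3 .</p>
<p>. 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3824</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms">MPEG4 covr Atom libstagefright</h3>
<p>libstagefright MPEG4 .</p>
<p>API , MMS .</p>
<p>. SELinux 3 .</p>
<p>. 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3827</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata">3GPP 6 libstagefright</h3>
<p>libstagefright 3GPP .</p>
<p>API , MMS .</p>
<p>. SELinux 3 . . 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3828</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.0</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max">chunk_data_size SIZE_MAX MPEG4 covr Atom libstagefright</h3>
<p>libstagefright MPEG4 covr .</p>
<p>API , MMS .</p>
<p>. SELinux 3 . . 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3829</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.0</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_sonivox_parse_wave">Sonivox Parse_wave</h3>
<p>Sonivox XMF .</p>
<p>API , MMS .</p>
<p>. SELinux 3 . . 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3836</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6">ANDROID-21132860</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflows_in_libstagefright_mpeg4extractor_cpp">libstagefright MPEG4Extractor.cpp</h3>
<p>libstagefright MP4 .</p>
<p>API , MMS .</p>
<p>. SELinux 3 .</p>
<p>. . 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3832</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b">ANDROID-19641538</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_mediaserver_bpmediahttpconnection">BpMediaHTTPConnection</h3>
<p>BpMediaHTTPConnection .</p>
<p>API , .</p>
<p>. SELinux 3 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3831</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed">ANDROID-19400722</a>
      </td>
      <td></td>
      <td>5.0 5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="vulnerability_in_libpng_overflow_in_png_read_idat_data">libpng : png_Read_IDAT_data</h3>
<p>libpng png_read_IDAT_data() IDAT .</p>
<p>API , , .</p>
<p>.</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-0973</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa">ANDROID-19499430</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant">wpa_supplicant p2p_add_device() memcpy()</h3>
<p>wpa_supplicant WLAN Direct p2p_add_device() . Android 'wifi' .</p>
<p>.</p>
<p>- Android WLAN Direct .</p>
<p>- (Wi-Fi ) .</p>
<p>- wpa_supplicant 'wifi' .</p>
<p>- Android 4.1 ASLR .</p>
<p>- Android 5.0 SELinux wpa_supplicant .</p>
<p>. 'wifi' 3 ( ), .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1863</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c">ANDROID-20076874</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="memory_corruption_in_opensslx509certificate_deserialization">OpenSSLX509Certificate</h3>
<p>, .</p>
<p>3 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3837</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540">ANDROID-21437603</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_mediaserver_bnhdcp">BnHDCP</h3>
<p>libstagefright () .</p>
<p>3 . SELinux 3 .</p>
<p>. 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3834</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced">ANDROID-20222489</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer">libstagefright OMXNodeInstance::emptyBuffer</h3>
<p>libstagefright .</p>
<p>3 . SELinux 3 .</p>
<p>. 2015 6 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3835</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab">ANDROID-20634516</a>
        [<a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902">2</a>]
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr">AudioPolicyManager::getInputForAttr()</h3>
<p>.</p>
<p>API , .</p>
<p>. SELinux 3 .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3842</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">ANDROID-21953516</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="applications_can_intercept_or_emulate_sim_commands_to_telephony">SIM</h3>
<p>SIM (STK) Android STK SIM .</p>
<p>'' ' ' .</p>
<!-- This fix is listed as four commits across four repositories; all four links are needed to verify it. -->
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3843</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9">ANDROID-21697171</a>
        [<a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7">2</a>,
        <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4">3</a>,
        <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456">4</a>]
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="vulnerability_in_bitmap_unmarshalling">Bitmap</h3>
<p>Bitmap_createFromParcel() system_server system_server .</p>
<p>system_server . , ( ) .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1536</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb">ANDROID-19666945</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="appwidgetserviceimpl_can_create_intentsender_with_system_privileges">AppWidgetServiceImpl IntentSender</h3>
<p>AppWidgetServiceImpl FLAG_GRANT_READ/WRITE_URI_PERMISSION URI . READ_CONTACTS .</p>
<p>'' .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1541</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07">ANDROID-19618745</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="mitigation_bypass_of_restrictions_on_getrecenttasks">getRecentTasks()</h3>
<p>Android 5.0 getRecentTasks() .</p>
<p>'' .</p>
<p>
  .
  <a href="https://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l">https://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l</a>
</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3833</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e">ANDROID-20034603</a>
      </td>
      <td></td>
      <td>5.0 5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process">ActivityManagerService.getProcessRecordLocked() UID</h3>
<p>ActivityManager getProcessRecordLocked() . ActivityManager .</p>
<p>, . '' .</p>
<p>'' , .</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3844</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31">ANDROID-21669445</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata">3GPP libstagefright</h3>
<p>3GPP .</p>
<p>, .</p>
<!-- The commit linked here (f4f7e0c1...) is the same one listed for CVE-2015-3828; the version cells of the two rows differ (5.0 there, 5.0 5.1 here). -->
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>AOSP</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3826</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.0 5.1</td>
    </tr>
  </tbody>
</table>

<h2 id="revisions" style="margin-bottom:0px"></h2>
<hr/>
<ul>
  <li>2015 8 13:</li>
</ul>

</body>
</html>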