1 <html devsite> 2 <head> 3 <title> Nexus 2015.</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p> 27 <em> 28 13 2015 29 </em> 30 </p> 31 <p> 32 Android 33 Nexus 34 35 Nexus 36 <a href="https://developers.google.com/android/nexus/images"> 37 38 </a> 39 . 40 LMY48I . 41 25 2015 . 42 </p> 43 <p> 44 45 (, 46 , 47 MMS). 48 </p> 49 <h2 id="security_vulnerability_summary" style="margin-bottom:0px"> 50 Security vulnerability summary 51 </h2> 52 <hr/> 53 <p> 54 , (CVE) 55 . 56 <a href="http://source.android.com/security/overview/updates-resources.html#severity"> 57 58 </a> 59 , 60 , 61 . 
62 </p> 63 <table> 64 <tbody> 65 <tr> 66 <th> 67 68 </th> 69 <th> 70 CVE 71 </th> 72 <th> 73 74 </th> 75 </tr> 76 <tr> 77 <td> 78 79 MP4 80 </td> 81 <td> 82 CVE-2015-1538 83 </td> 84 <td> 85 86 </td> 87 </tr> 88 <tr> 89 <td> 90 91 ESDS 92 </td> 93 <td> 94 CVE-2015-1539 95 </td> 96 <td> 97 98 </td> 99 </tr> 100 <tr> 101 <td> 102 libstagefright 103 tx3g (MPEG4) 104 </td> 105 <td> 106 CVE-2015-3824 107 </td> 108 <td> 109 110 </td> 111 </tr> 112 <tr> 113 <td> 114 libstagefright 115 MPEG4 (covr) 116 </td> 117 <td> 118 CVE-2015-3827 119 </td> 120 <td> 121 122 </td> 123 </tr> 124 <tr> 125 <td> 126 libstagefright 127 3GPP, 6 128 </td> 129 <td> 130 CVE-2015-3828 131 </td> 132 <td> 133 134 </td> 135 </tr> 136 <tr> 137 <td> 138 libstagefright 139 MPEG4 (covr), 140 chunk_data_size SIZE_MAX 141 </td> 142 <td> 143 CVE-2015-3829 144 </td> 145 <td> 146 147 </td> 148 </tr> 149 <tr> 150 <td> 151 Parse_wave (Sonivox) 152 </td> 153 <td> 154 CVE-2015-3836 155 </td> 156 <td> 157 158 </td> 159 </tr> 160 <tr> 161 <td> 162 MPEG4Extractor.cpp (libstagefright) 163 </td> 164 <td> 165 CVE-2015-3832 166 </td> 167 <td> 168 169 </td> 170 </tr> 171 <tr> 172 <td> 173 BpMediaHTTPConnection 174 (mediaserver) 175 </td> 176 <td> 177 CVE-2015-3831 178 </td> 179 <td> 180 181 </td> 182 </tr> 183 <tr> 184 <td> 185 png_Read_IDAT_data (libpng) 186 </td> 187 <td> 188 CVE-2015-0973 189 </td> 190 <td> 191 192 </td> 193 </tr> 194 <tr> 195 <td> 196 memcpy() 197 p2p_add_device() (wpa_supplicant) 198 </td> 199 <td> 200 CVE-2015-1863 201 </td> 202 <td> 203 204 </td> 205 </tr> 206 <tr> 207 <td> 208 209 OpenSSLX509Certificate 210 </td> 211 <td> 212 CVE-2015-3837 213 </td> 214 <td> 215 216 </td> 217 </tr> 218 <tr> 219 <td> 220 BnHDCP (mediaserver) 221 </td> 222 <td> 223 CVE-2015-3834 224 </td> 225 <td> 226 227 </td> 228 </tr> 229 <tr> 230 <td> 231 OMXNodeInstance::emptyBuffer 232 (libstagefright) 233 </td> 234 <td> 235 CVE-2015-3835 236 </td> 237 <td> 238 239 </td> 240 </tr> 241 <tr> 242 <td> 243 
AudioPolicyManager::getInputForAttr() 244 (mediaserver) 245 </td> 246 <td> 247 CVE-2015-3842 248 </td> 249 <td> 250 251 </td> 252 </tr> 253 <tr> 254 <td> 255 SIM- 256 </td> 257 <td> 258 CVE-2015-3843 259 </td> 260 <td> 261 262 </td> 263 </tr> 264 <tr> 265 <td> 266 Bitmap 267 </td> 268 <td> 269 CVE-2015-1536 270 </td> 271 <td> 272 273 </td> 274 </tr> 275 <tr> 276 <td> 277 AppWidgetServiceImpl IntentSender 278 279 </td> 280 <td> 281 CVE-2015-1541 282 </td> 283 <td> 284 285 </td> 286 </tr> 287 <tr> 288 <td> 289 290 getRecentTasks() 291 </td> 292 <td> 293 CVE-2015-3833 294 </td> 295 <td> 296 297 </td> 298 </tr> 299 <tr> 300 <td> 301 ActivityManagerService.getProcessRecordLocked() 302 303 UID- 304 </td> 305 <td> 306 CVE-2015-3844 307 </td> 308 <td> 309 310 </td> 311 </tr> 312 <tr> 313 <td> 314 libstagefright 315 3GPP 316 </td> 317 <td> 318 CVE-2015-3826 319 </td> 320 <td> 321 322 </td> 323 </tr> 324 </tbody> 325 </table> 326 <h2 id="mitigations" style="margin-bottom:0px"> 327 Mitigations 328 </h2> 329 <hr/> 330 <p> 331 , 332 <a href="http://source.android.com/security/enhancements/index.html"> 333 334 </a> 335 , 336 SafetyNet, Android. 337 </p> 338 <ul> 339 <li> 340 Android, 341 . 342 </li> 343 <li> 344 , Android, 345 SafetyNet. 346 . Google Play . 347 , 348 , " " . 349 - 350 . , 351 , , 352 . , 353 . 354 </li> 355 <li> 356 Google Hangouts Messenger. 357 , mediaserver, 358 . 359 </li> 360 </ul> 361 <h2 id="acknowledgements" style="margin-bottom:0px"> 362 Acknowledgements 363 </h2> 364 <hr/> 365 <p> 366 , : 367 </p> 368 <ul> 369 <li> 370 : CVE-2015-1538, CVE-2015-3826. 371 </li> 372 <li> 373 : CVE-2015-3836. 374 </li> 375 <li> 376 : CVE-2015-3832. 377 </li> 378 <li> 379 : CVE-2015-3831, CVE-2015-3844, CVE-2015-1541. 380 </li> 381 <li> 382 : CVE-2015-1536. 383 </li> 384 <li> 385 : CVE-2015-0973. 386 </li> 387 <li> 388 : CVE-2015-3837. 389 </li> 390 <li> 391 : CVE-2015-3834. 392 </li> 393 <li> 394 : CVE-2015-3835. 395 </li> 396 <li> 397 *: CVE-2015-3842. 398 </li> 399 <li> 400 : CVE-2015-3843. 
401 </li> 402 </ul> 403 <p> 404 * 405 <a href="https://www.google.com/about/appsecurity/android-rewards/"> 406 Android Security Rewards 407 </a> 408 ! 409 </p> 410 <h3 id="integer_overflows_during_mp4_atom_processing"> 411 Integer overflows during MP4 atom processing 412 </h3> 413 <p> 414 MP4 libstagefright 415 , 416 mediaserver. 417 </p> 418 <p> 419 API. , 420 MMS- , 421 . 422 </p> 423 <p> 424 - 425 (mediaserver). 426 SELinux, - , 427 . 428 . , 429 . , 430 2015, . 431 </p> 432 <table> 433 <tbody> 434 <tr> 435 <th> 436 CVE 437 </th> 438 <th> 439 AOSP 440 </th> 441 <th> 442 443 </th> 444 <th> 445 446 </th> 447 </tr> 448 <tr> 449 <td> 450 CVE-2015-1538 451 </td> 452 <td> 453 <a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d"> 454 ANDROID-20139950 455 </a> 456 [ 457 <a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398"> 458 2 459 </a> 460 ] 461 </td> 462 <td> 463 464 </td> 465 <td> 466 5.1 467 </td> 468 </tr> 469 </tbody> 470 </table> 471 <h3 id="an_integer_underflow_in_esds_processing"> 472 An integer underflow in ESDS processing 473 </h3> 474 <p> 475 ESDS libstagefright 476 , 477 mediaserver. 478 </p> 479 <p> 480 API. , 481 MMS- , 482 . 483 </p> 484 <p> 485 - 486 (mediaserver). 487 SELinux, - , 488 . 489 . , 490 . , 491 2015, . 492 </p> 493 <table> 494 <tbody> 495 <tr> 496 <th> 497 CVE 498 </th> 499 <th> 500 AOSP 501 </th> 502 <th> 503 504 </th> 505 <th> 506 507 </th> 508 </tr> 509 <tr> 510 <td> 511 CVE-2015-1539 512 </td> 513 <td> 514 <a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c"> 515 ANDROID-20139950 516 </a> 517 </td> 518 <td> 519 520 </td> 521 <td> 522 5.1 523 </td> 524 </tr> 525 </tbody> 526 </table> 527 <h3 id="integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom"> 528 Integer overflow in libstagefright when parsing 529 the MPEG4 tx3g atom 530 </h3> 531 <p> 532 tx3g (MPEG4) libstagefright 533 , 534 535 mediaserver. 536 </p> 537 <p> 538 API. , 539 MMS- , 540 . 
541 </p> 542 <p> 543 - 544 (mediaserver). 545 SELinux, - , 546 . 547 . 548 </p> 549 <p> 550 , 551 . , 2015, 552 . 553 </p> 554 <table> 555 <tbody> 556 <tr> 557 <th> 558 CVE 559 </th> 560 <th> 561 AOSP 562 </th> 563 <th> 564 565 </th> 566 <th> 567 568 </th> 569 </tr> 570 <tr> 571 <td> 572 CVE-2015-3824 573 </td> 574 <td> 575 <a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6"> 576 ANDROID-20923261 577 </a> 578 </td> 579 <td> 580 581 </td> 582 <td> 583 5.1 584 </td> 585 </tr> 586 </tbody> 587 </table> 588 <h3 id="integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms"> 589 Integer underflow in libstagefright 590 when processing MPEG4 covr atoms 591 </h3> 592 <p> 593 MPEG4 libstagefright 594 , 595 mediaserver. 596 </p> 597 <p> 598 API. , 599 MMS- , 600 . 601 </p> 602 <p> 603 - 604 (mediaserver). 605 SELinux, - , 606 . 607 . 608 </p> 609 <p> 610 , 611 . , 2015, 612 . 613 </p> 614 <table> 615 <tbody> 616 <tr> 617 <th> 618 CVE 619 </th> 620 <th> 621 AOSP 622 </th> 623 <th> 624 625 </th> 626 <th> 627 628 </th> 629 </tr> 630 <tr> 631 <td> 632 CVE-2015-3827 633 </td> 634 <td> 635 <a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231"> 636 ANDROID-20923261 637 </a> 638 </td> 639 <td> 640 641 </td> 642 <td> 643 5.1 644 </td> 645 </tr> 646 </tbody> 647 </table> 648 <h3 id="integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata"> 649 Integer underflow in libstagefright if size is below 6 650 while processing 3GPP metadata 651 </h3> 652 <p> 653 3GPP libstagefright 654 , 655 mediaserver. 656 </p> 657 <p> 658 API. , 659 MMS- , 660 . 661 </p> 662 <p> 663 - 664 (mediaserver). 665 SELinux, - , 666 . 667 . , 668 . , 669 2015, . 
670 </p> 671 <table> 672 <tbody> 673 <tr> 674 <th> 675 CVE 676 </th> 677 <th> 678 AOSP 679 </th> 680 <th> 681 682 </th> 683 <th> 684 685 </th> 686 </tr> 687 <tr> 688 <td> 689 CVE-2015-3828 690 </td> 691 <td> 692 <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1"> 693 ANDROID-20923261 694 </a> 695 </td> 696 <td> 697 698 </td> 699 <td> 700 5.0 701 </td> 702 </tr> 703 </tbody> 704 </table> 705 <h3 id="integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max"> 706 Integer overflow in libstagefright processing MPEG4 covr atoms 707 when chunk_data_size is SIZE_MAX 708 </h3> 709 <p> 710 covr (MPEG4) libstagefright 711 , 712 713 mediaserver. 714 </p> 715 <p> 716 API. , 717 MMS- , 718 . 719 </p> 720 <p> 721 - 722 (mediaserver). 723 SELinux, - , 724 . 725 . , 726 . , 727 2015, . 728 </p> 729 <table> 730 <tbody> 731 <tr> 732 <th> 733 CVE 734 </th> 735 <th> 736 AOSP 737 </th> 738 <th> 739 740 </th> 741 <th> 742 743 </th> 744 </tr> 745 <tr> 746 <td> 747 CVE-2015-3829 748 </td> 749 <td> 750 <a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859"> 751 ANDROID-20923261 752 </a> 753 </td> 754 <td> 755 756 </td> 757 <td> 758 5.0 759 </td> 760 </tr> 761 </tbody> 762 </table> 763 <h3 id="buffer_overflow_in_sonivox_parse_wave"> 764 Buffer overflow in Sonivox Parse_wave 765 </h3> 766 <p> 767 XMF Sonivox , 768 769 mediaserver. 770 </p> 771 <p> 772 API. , 773 MMS- , 774 . 775 </p> 776 <p> 777 - 778 (mediaserver). 779 SELinux, - , 780 . 781 . , 782 . , 783 2015, . 
784 </p> 785 <table> 786 <tbody> 787 <tr> 788 <th> 789 CVE 790 </th> 791 <th> 792 AOSP 793 </th> 794 <th> 795 796 </th> 797 <th> 798 799 </th> 800 </tr> 801 <tr> 802 <td> 803 CVE-2015-3836 804 </td> 805 <td> 806 <a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6"> 807 ANDROID-21132860 808 </a> 809 </td> 810 <td> 811 812 </td> 813 <td> 814 5.1 815 </td> 816 </tr> 817 </tbody> 818 </table> 819 <h3 id="buffer_overflows_in_libstagefright_mpeg4extractor_cpp"> 820 Buffer overflows in libstagefright MPEG4Extractor.cpp 821 </h3> 822 <p> 823 MP4 libstagefright , 824 825 mediaserver. 826 </p> 827 <p> 828 API. , 829 MMS- , 830 . 831 </p> 832 <p> 833 - 834 (mediaserver). 835 SELinux, - , 836 . 837 . 838 </p> 839 <p> 840 , . 841 842 , 843 . , 2015, 844 . 845 </p> 846 <table> 847 <tbody> 848 <tr> 849 <th> 850 CVE 851 </th> 852 <th> 853 AOSP 854 </th> 855 <th> 856 857 </th> 858 <th> 859 860 </th> 861 </tr> 862 <tr> 863 <td> 864 CVE-2015-3832 865 </td> 866 <td> 867 <a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b"> 868 ANDROID-19641538 869 </a> 870 </td> 871 <td> 872 873 </td> 874 <td> 875 5.1 876 </td> 877 </tr> 878 </tbody> 879 </table> 880 <h3 id="buffer_overflow_in_mediaserver_bpmediahttpconnection"> 881 Buffer overflow in mediaserver BpMediaHTTPConnection 882 </h3> 883 <p> 884 , , 885 BpMediaHTTPConnection . 886 887 mediaserver. 888 </p> 889 <p> 890 API. , 891 . 892 </p> 893 <p> 894 - 895 (mediaserver) , 896 . mediaserver SELinux, 897 - , 898 . . 
899 </p> 900 <table> 901 <tbody> 902 <tr> 903 <th> 904 CVE 905 </th> 906 <th> 907 AOSP 908 </th> 909 <th> 910 911 </th> 912 <th> 913 914 </th> 915 </tr> 916 <tr> 917 <td> 918 CVE-2015-3831 919 </td> 920 <td> 921 <a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed"> 922 ANDROID-19400722 923 </a> 924 </td> 925 <td> 926 927 </td> 928 <td> 929 5.0 5.1 930 </td> 931 </tr> 932 </tbody> 933 </table> 934 <h3 id="vulnerability_in_libpng_overflow_in_png_read_idat_data"> 935 Vulnerability in libpng: Overflow in png_Read_IDAT_data 936 </h3> 937 <p> 938 IDAT png_read_IDAT_data() libpng 939 , 940 , 941 . 942 </p> 943 <p> 944 API. , , 945 , 946 . 947 </p> 948 <p> 949 - 950 951 . 952 </p> 953 <table> 954 <tbody> 955 <tr> 956 <th> 957 CVE 958 </th> 959 <th> 960 AOSP 961 </th> 962 <th> 963 964 </th> 965 <th> 966 967 </th> 968 </tr> 969 <tr> 970 <td> 971 CVE-2015-0973 972 </td> 973 <td> 974 <a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa"> 975 ANDROID-19499430 976 </a> 977 </td> 978 <td> 979 980 </td> 981 <td> 982 5.1 983 </td> 984 </tr> 985 </tbody> 986 </table> 987 <h3 id="remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant"> 988 Remotely exploitable memcpy() overflow 989 in p2p_add_device() in wpa_supplicant 990 </h3> 991 <p> 992 wpa_supplicant WLAN Direct, 993 - p2p_add_device(). 994 wifi. 995 </p> 996 <p> 997 : 998 </p> 999 <p> 1000 WLAN Direct 1001 Android. 1002 </p> 1003 <p> 1004 , 1005 Wi-Fi. 1006 </p> 1007 <p> 1008 wpa_supplicant wifi 1009 ( ). 1010 </p> 1011 <p> 1012 ASLR 1013 Android4.1 . 1014 </p> 1015 <p> 1016 wpa_supplicant SELinux 1017 Android5.0 . 1018 </p> 1019 <p> 1020 - 1021 . wifi , 1022 , , : 1023 , . 
1024 </p> 1025 <table> 1026 <tbody> 1027 <tr> 1028 <th> 1029 CVE 1030 </th> 1031 <th> 1032 AOSP 1033 </th> 1034 <th> 1035 1036 </th> 1037 <th> 1038 1039 </th> 1040 </tr> 1041 <tr> 1042 <td> 1043 CVE-2015-1863 1044 </td> 1045 <td> 1046 <a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c"> 1047 ANDROID-20076874 1048 </a> 1049 </td> 1050 <td> 1051 1052 </td> 1053 <td> 1054 5.1 1055 </td> 1056 </tr> 1057 </tbody> 1058 </table> 1059 <h3 id="memory_corruption_in_opensslx509certificate_deserialization"> 1060 Memory corruption in 1061 OpenSSLX509Certificate deserialization 1062 </h3> 1063 <p> 1064 , , 1065 . , 1066 , 1067 . 1068 </p> 1069 <p> 1070 , 1071 , . 1072 </p> 1073 <table> 1074 <tbody> 1075 <tr> 1076 <th> 1077 CVE 1078 </th> 1079 <th> 1080 AOSP 1081 </th> 1082 <th> 1083 1084 </th> 1085 <th> 1086 1087 </th> 1088 </tr> 1089 <tr> 1090 <td> 1091 CVE-2015-3837 1092 </td> 1093 <td> 1094 <a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540"> 1095 ANDROID-21437603 1096 </a> 1097 </td> 1098 <td> 1099 1100 </td> 1101 <td> 1102 5.1 1103 </td> 1104 </tr> 1105 </tbody> 1106 </table> 1107 <h3 id="buffer_overflow_in_mediaserver_bnhdcp"> 1108 Buffer overflow in mediaserver BnHDCP 1109 </h3> 1110 <p> 1111 , , libstagefright 1112 . 1113 mediaserver. 1114 </p> 1115 <p> 1116 , 1117 , . mediaserver 1118 SELinux, - , 1119 . 1120 . 1121 </p> 1122 <p> 1123 , 1124 . , 2015, 1125 . 
1126 </p> 1127 <table> 1128 <tbody> 1129 <tr> 1130 <th> 1131 CVE 1132 </th> 1133 <th> 1134 AOSP 1135 </th> 1136 <th> 1137 1138 </th> 1139 <th> 1140 1141 </th> 1142 </tr> 1143 <tr> 1144 <td> 1145 CVE-2015-3834 1146 </td> 1147 <td> 1148 <a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced"> 1149 ANDROID-20222489 1150 </a> 1151 </td> 1152 <td> 1153 1154 </td> 1155 <td> 1156 5.1 1157 </td> 1158 </tr> 1159 </tbody> 1160 </table> 1161 <h3 id="buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer"> 1162 Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer 1163 </h3> 1164 <p> 1165 , , libstagefright 1166 . 1167 mediaserver. 1168 </p> 1169 <p> 1170 , 1171 , . mediaserver 1172 SELinux, - , 1173 . 1174 . 1175 </p> 1176 <p> 1177 , 1178 . , 2015, 1179 . 1180 </p> 1181 <table> 1182 <tbody> 1183 <tr> 1184 <th> 1185 CVE 1186 </th> 1187 <th> 1188 AOSP 1189 </th> 1190 <th> 1191 1192 </th> 1193 <th> 1194 1195 </th> 1196 </tr> 1197 <tr> 1198 <td> 1199 CVE-2015-3835 1200 </td> 1201 <td> 1202 <a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab"> 1203 ANDROID-20634516 1204 </a> 1205 [ 1206 <a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902"> 1207 2 1208 </a> 1209 ] 1210 </td> 1211 <td> 1212 1213 </td> 1214 <td> 1215 5.1 1216 </td> 1217 </tr> 1218 </tbody> 1219 </table> 1220 <h3 id="heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr"> 1221 Heap overflow in mediaserver AudioPolicyManager::getInputForAttr() 1222 </h3> 1223 <p> 1224 audio policy mediaserver , 1225 , mediaserver. 1226 </p> 1227 <p> 1228 API. , 1229 . 1230 </p> 1231 <p> 1232 - 1233 (mediaserver) , 1234 . mediaserver SELinux, 1235 - , 1236 . . 
1237 </p> 1238 <table> 1239 <tbody> 1240 <tr> 1241 <th> 1242 CVE 1243 </th> 1244 <th> 1245 AOSP 1246 </th> 1247 <th> 1248 1249 </th> 1250 <th> 1251 1252 </th> 1253 </tr> 1254 <tr> 1255 <td> 1256 CVE-2015-3842 1257 </td> 1258 <td> 1259 <a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88"> 1260 ANDROID-21953516 1261 </a> 1262 </td> 1263 <td> 1264 1265 </td> 1266 <td> 1267 5.1 1268 </td> 1269 </tr> 1270 </tbody> 1271 </table> 1272 <h3 id="applications_can_intercept_or_emulate_sim_commands_to_telephony"> 1273 Applications can intercept or emulate SIM commands to Telephony 1274 </h3> 1275 <p> 1276 SIM Toolkit 1277 SIM- Telephony. 1278 </p> 1279 <p> 1280 . 1281 , 1282 signature () system (). 1283 </p> 1284 <table> 1285 <tbody> 1286 <tr> 1287 <th> 1288 CVE 1289 </th> 1290 <th> 1291 AOSP 1292 </th> 1293 <th> 1294 1295 </th> 1296 <th> 1297 1298 </th> 1299 </tr> 1300 <tr> 1301 <td> 1302 CVE-2015-3843 1303 </td> 1304 <td> 1305 <a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9"> 1306 ANDROID-21697171 1307 </a> 1308 [ 1309 <a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7"> 1310 2 1311 </a> 1312 , 1313 <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4"> 1314 3 1315 </a> 1316 , 1317 <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456"> 1318 4 1319 </a> 1320 ] 1321 </td> 1322 <td> 1323 1324 </td> 1325 <td> 1326 5.1 1327 </td> 1328 </tr> 1329 </tbody> 1330 </table> 1331 <h3 id="vulnerability_in_bitmap_unmarshalling"> 1332 Vulnerability in Bitmap unmarshalling 1333 </h3> 1334 <p> 1335 Bitmap_createFromParcel() 1336 system_server, 1337 system_server. 1338 </p> 1339 <p> 1340 - 1341 system_server 1342 . 1343 1344 , 1345 . 1346 . . 
1347 </p> 1348 <table> 1349 <tbody> 1350 <tr> 1351 <th> 1352 CVE 1353 </th> 1354 <th> 1355 AOSP 1356 </th> 1357 <th> 1358 1359 </th> 1360 <th> 1361 1362 </th> 1363 </tr> 1364 <tr> 1365 <td> 1366 CVE-2015-1536 1367 </td> 1368 <td> 1369 <a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb"> 1370 ANDROID-19666945 1371 </a> 1372 </td> 1373 <td> 1374 1375 </td> 1376 <td> 1377 5.1 1378 </td> 1379 </tr> 1380 </tbody> 1381 </table> 1382 <h3 id="appwidgetserviceimpl_can_create_intentsender_with_system_privileges"> 1383 AppWidgetServiceImpl can create IntentSender 1384 with system privileges 1385 </h3> 1386 <p> 1387 AppWidgetServiceImpl 1388 URI, 1389 FLAG_GRANT_READ/WRITE_URI_PERMISSION. , 1390 READ_CONTACTS. 1391 </p> 1392 <p> 1393 . 1394 , 1395 dangerous (). 1396 </p> 1397 <table> 1398 <tbody> 1399 <tr> 1400 <th> 1401 CVE 1402 </th> 1403 <th> 1404 AOSP 1405 </th> 1406 <th> 1407 1408 </th> 1409 <th> 1410 1411 </th> 1412 </tr> 1413 <tr> 1414 <td> 1415 CVE-2015-1541 1416 </td> 1417 <td> 1418 <a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07"> 1419 ANDROID-19618745 1420 </a> 1421 </td> 1422 <td> 1423 1424 </td> 1425 <td> 1426 5.1 1427 </td> 1428 </tr> 1429 </tbody> 1430 </table> 1431 <h3 id="mitigation_bypass_of_restrictions_on_getrecenttasks"> 1432 Mitigation bypass of restrictions on getRecentTasks() 1433 </h3> 1434 <p> 1435 1436 getRecentTasks(), Android5.0. 1437 </p> 1438 <p> 1439 . 1440 , 1441 dangerous (). 
1442 </p> 1443 <p> 1444 , : 1445 <a href="http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l"> 1446 http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l 1447 </a> 1448 </p> 1449 <table> 1450 <tbody> 1451 <tr> 1452 <th> 1453 CVE 1454 </th> 1455 <th> 1456 AOSP 1457 </th> 1458 <th> 1459 1460 </th> 1461 <th> 1462 1463 </th> 1464 </tr> 1465 <tr> 1466 <td> 1467 CVE-2015-3833 1468 </td> 1469 <td> 1470 <a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e"> 1471 ANDROID-20034603 1472 </a> 1473 </td> 1474 <td> 1475 1476 </td> 1477 <td> 1478 5.0 5.1 1479 </td> 1480 </tr> 1481 </tbody> 1482 </table> 1483 <h3 id="activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process"> 1484 ActivityManagerService.getProcessRecordLocked() may load 1485 a system UID application into the wrong process 1486 </h3> 1487 <p> 1488 getProcessRecordLocked() ActivityManager 1489 , . 1490 , ActivityManager 1491 . 1492 </p> 1493 <p> 1494 1495 . , 1496 system. 1497 </p> 1498 <p> 1499 , 1500 system, . 1501 , . 1502 </p> 1503 <table> 1504 <tbody> 1505 <tr> 1506 <th> 1507 CVE 1508 </th> 1509 <th> 1510 AOSP 1511 </th> 1512 <th> 1513 1514 </th> 1515 <th> 1516 1517 </th> 1518 </tr> 1519 <tr> 1520 <td> 1521 CVE-2015-3844 1522 </td> 1523 <td> 1524 <a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31"> 1525 ANDROID-21669445 1526 </a> 1527 </td> 1528 <td> 1529 1530 </td> 1531 <td> 1532 5.1 1533 </td> 1534 </tr> 1535 </tbody> 1536 </table> 1537 <h3 id="unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata"> 1538 Unbounded buffer read in libstagefright 1539 while parsing 3GPP metadata 1540 </h3> 1541 <p> 1542 3GPP 1543 , 1544 mediaserver. 1545 </p> 1546 <p> 1547 . 1548 , 1549 mediaserver, . 
1550 </p> 1551 <table> 1552 <tbody> 1553 <tr> 1554 <th> 1555 CVE 1556 </th> 1557 <th> 1558 AOSP 1559 </th> 1560 <th> 1561 1562 </th> 1563 <th> 1564 1565 </th> 1566 </tr> 1567 <tr> 1568 <td> 1569 CVE-2015-3826 1570 </td> 1571 <td> 1572 <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1"> 1573 ANDROID-20923261 1574 </a> 1575 </td> 1576 <td> 1577 1578 </td> 1579 <td> 1580 5.0 5.1 1581 </td> 1582 </tr> 1583 </tbody> 1584 </table> 1585 <h2 id="revisions" style="margin-bottom:0px"> 1586 Revisions 1587 </h2> 1588 <hr/> 1589 <ul> 1590 <li> 1591 13 2015: 1592 </li> 1593 </ul> 1594 </div> 1595 <div class="content-footer-sac" itemscope="" itemtype="http://schema.org/SiteNavigationElement"> 1596 <div class="layout-content-col col-9" style="padding-top:4px"> 1597 </div> 1598 <div class="paging-links layout-content-col col-4"> 1599 </div> 1600 </div> 1601 </div> 1602 1603 </body> 1604 </html> 1605