      1 <html devsite>
      2   <head>
      3     <title>Nexus Security Bulletin - August 2015</title>
      4     <meta name="project_path" value="/_project.yaml" />
      5     <meta name="book_path" value="/_book.yaml" />
      6   </head>
      7   <body>
      8   <!--
      9       Copyright 2017 The Android Open Source Project
     10 
     11       Licensed under the Apache License, Version 2.0 (the "License");
     12       you may not use this file except in compliance with the License.
     13       You may obtain a copy of the License at
     14 
     15           http://www.apache.org/licenses/LICENSE-2.0
     16 
     17       Unless required by applicable law or agreed to in writing, software
     18       distributed under the License is distributed on an "AS IS" BASIS,
     19       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     20       See the License for the specific language governing permissions and
     21       limitations under the License.
     22   -->
     23 
     24 
     25 
     26 <div id="jd-content">
     27  <div class="jd-descr" itemprop="articleBody">
     28   <!--
     29     Copyright 2015 The Android Open Source Project
     30 
     31     Licensed under the Apache License, Version 2.0 (the "License");
     32     you may not use this file except in compliance with the License.
     33     You may obtain a copy of the License at
     34 
     35         http://www.apache.org/licenses/LICENSE-2.0
     36 
     37     Unless required by applicable law or agreed to in writing, software
     38     distributed under the License is distributed on an "AS IS" BASIS,
     39     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     40     See the License for the specific language governing permissions and
     41     limitations under the License.
     42 -->
     43   <p>
     44    <em>
     45     August 13, 2015
     46    </em>
     47   </p>
     48   <p>
     49     Android  (OTA)  Nexus 
     50    <a href="https://developers.google.com/android/nexus/images">
     51     Google Developers 
     52    </a>
     53     Nexus LMY48I  2015  6  25 
     54   </p>
     55   <p>
     56    
     57   </p>
     58   <h2 id="security_vulnerability_summary" style="margin-bottom:0px">
     59    Security vulnerability summary
     60   </h2>
     61   <hr/>
     62   <p>
     63     CVE
     64    <a href="http://source.android.com/security/overview/updates-resources.html#severity">
     65     
     66    </a>
     67    
     68   </p>
     69   <table>
     70    <tbody>
     71     <tr>
     72      <th>
     73       
     74      </th>
     75      <th>
     76       CVE
     77      </th>
     78      <th>
     79       
     80      </th>
     81     </tr>
     82     <tr>
     83      <td>
     84       Integer overflows during MP4 atom processing
     85      </td>
     86      <td>
     87       CVE-2015-1538
     88      </td>
     89      <td>
     90       
     91      </td>
     92     </tr>
     93     <tr>
     94      <td>
     95       An integer underflow in ESDS processing
     96      </td>
     97      <td>
     98       CVE-2015-1539
     99      </td>
    100      <td>
    101       
    102      </td>
    103     </tr>
    104     <tr>
    105      <td>
    106       Integer overflow in libstagefright when parsing the MPEG4 tx3g atom
    107      </td>
    108      <td>
    109       CVE-2015-3824
    110      </td>
    111      <td>
    112       
    113      </td>
    114     </tr>
    115     <tr>
    116      <td>
    117       Integer underflow in libstagefright when processing MPEG4 covr atoms
    118      </td>
    119      <td>
    120       CVE-2015-3827
    121      </td>
    122      <td>
    123       
    124      </td>
    125     </tr>
    126     <tr>
    127      <td>
    128       Integer underflow in libstagefright if size is below 6 while processing 3GPP metadata
    129      </td>
    130      <td>
    131       CVE-2015-3828
    132      </td>
    133      <td>
    134       
    135      </td>
    136     </tr>
    137     <tr>
    138      <td>
    139       Integer overflow in libstagefright processing MPEG4 covr atoms when chunk_data_size is SIZE_MAX
    140      </td>
    141      <td>
    142       CVE-2015-3829
    143      </td>
    144      <td>
    145       
    146      </td>
    147     </tr>
    148     <tr>
    149      <td>
    150       Buffer overflow in Sonivox Parse_wave
    151      </td>
    152      <td>
    153       CVE-2015-3836
    154      </td>
    155      <td>
    156       
    157      </td>
    158     </tr>
    159     <tr>
    160      <td>
    161       Buffer overflows in libstagefright MPEG4Extractor.cpp
    162      </td>
    163      <td>
    164       CVE-2015-3832
    165      </td>
    166      <td>
    167       
    168      </td>
    169     </tr>
    170     <tr>
    171      <td>
    172       Buffer overflow in mediaserver BpMediaHTTPConnection
    173      </td>
    174      <td>
    175       CVE-2015-3831
    176      </td>
    177      <td>
    178       
    179      </td>
    180     </tr>
    181     <tr>
    182      <td>
    183       Vulnerability in libpng: overflow in png_Read_IDAT_data
    184      </td>
    185      <td>
    186       CVE-2015-0973
    187      </td>
    188      <td>
    189       
    190      </td>
    191     </tr>
    192     <tr>
    193      <td>
    194       Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant
    195      </td>
    196      <td>
    197       CVE-2015-1863
    198      </td>
    199      <td>
    200       
    201      </td>
    202     </tr>
    203     <tr>
    204      <td>
    205       Memory corruption in OpenSSLX509Certificate deserialization
    206      </td>
    207      <td>
    208       CVE-2015-3837
    209      </td>
    210      <td>
    211       
    212      </td>
    213     </tr>
    214     <tr>
    215      <td>
    216       Buffer overflow in mediaserver BnHDCP
    217      </td>
    218      <td>
    219       CVE-2015-3834
    220      </td>
    221      <td>
    222       
    223      </td>
    224     </tr>
    225     <tr>
    226      <td>
    227       Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer
    228      </td>
    229      <td>
    230       CVE-2015-3835
    231      </td>
    232      <td>
    233       
    234      </td>
    235     </tr>
    236     <tr>
    237      <td>
    238       Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()
    239      </td>
    240      <td>
    241       CVE-2015-3842
    242      </td>
    243      <td>
    244       
    245      </td>
    246     </tr>
    247     <tr>
    248      <td>
    249       Applications can intercept or emulate SIM commands to Telephony
    250      </td>
    251      <td>
    252       CVE-2015-3843
    253      </td>
    254      <td>
    255       
    256      </td>
    257     </tr>
    258     <tr>
    259      <td>
    260       Vulnerability in Bitmap unmarshalling
    261      </td>
    262      <td>
    263       CVE-2015-1536
    264      </td>
    265      <td>
    266       
    267      </td>
    268     </tr>
    269     <tr>
    270      <td>
    271       AppWidgetServiceImpl can create IntentSender with system privileges
    272      </td>
    273      <td>
    274       CVE-2015-1541
    275      </td>
    276      <td>
    277       
    278      </td>
    279     </tr>
    280     <tr>
    281      <td>
    282       Mitigation bypass of restrictions on getRecentTasks()
    283      </td>
    284      <td>
    285       CVE-2015-3833
    286      </td>
    287      <td>
    288       
    289      </td>
    290     </tr>
    291     <tr>
    292      <td>
    293       ActivityManagerService.getProcessRecordLocked() may load a system UID application into the wrong process
    294      </td>
    295      <td>
    296       CVE-2015-3844
    297      </td>
    298      <td>
    299       
    300      </td>
    301     </tr>
    302     <tr>
    303      <td>
    304       Unbounded buffer read in libstagefright while parsing 3GPP metadata
    305      </td>
    306      <td>
    307       CVE-2015-3826
    308      </td>
    309      <td>
    310       
    311      </td>
    312     </tr>
    313    </tbody>
    314   </table>
    315   <h2 id="mitigations" style="margin-bottom:0px">
    316    Mitigations
    317   </h2>
    318   <hr/>
    319   <p>
    320    
    321    <a href="http://source.android.com/security/enhancements/index.html">
    322     Android 
    323    </a>
    324     SafetyNet Android 
    325   </p>
    326   <ul>
    327    <li>
    328      Android  Android  Android
    329    </li>
    330    <li>
    331     Android  SafetyNet Google Play  Root  Google Play  Root 
    332    </li>
    333    <li>
    334      Google  Messenger  mediaserver 
    335    </li>
    336   </ul>
    337   <h2 id="acknowledgements" style="margin-bottom:0px">
    338    Acknowledgements
    339   </h2>
    340   <hr/>
    341   <p>
    342    
    343   </p>
    344   <ul>
    345    <li>
    346     Joshua Drake: CVE-2015-1538, CVE-2015-3826
    347    </li>
    348    <li>
    349     Ben Hawkes: CVE-2015-3836
    350    </li>
    351    <li>
    352     Alexandru Blanda: CVE-2015-3832
    353    </li>
    354    <li>
    355     Alexandru Blanda: CVE-2015-3832
    356    </li>
    357    <li>
    358     Alex Copot: CVE-2015-1536
    359    </li>
    360    <li>
    361     Alex Eubanks: CVE-2015-0973
    362    </li>
    363    <li>
    364     Roee Hay and Or Peles: CVE-2015-3837
    365    </li>
    366    <li>
    367     CVE-2015-3834
    368    </li>
    369    <li>
    370     Gal Beniamini: CVE-2015-3835
    371    </li>
    372    <li>
    373     *CVE-2015-3842
    374    </li>
    375    <li>
    376     Artem Chaykin: CVE-2015-3843
    377    </li>
    378   </ul>
    379   <p>
    380    *
    381    <a href="https://www.google.com/about/appsecurity/android-rewards/">
    382     Android 
    383    </a>
    384    
    385   </p>
    386   <h3 id="integer_overflows_during_mp4_atom_processing">
    387    Integer overflows during MP4 atom processing
    388   </h3>
    389   <p>
    390     MP4 atom libstagefright  mediaserver 
    391   </p>
    392   <p>
    393     API
    394   </p>
    395   <p>
    396     mediaserver  SELinux  2015  6 
    397   </p>
    398   <table>
    399    <tbody>
    400     <tr>
    401      <th>
    402       CVE
    403      </th>
    404      <th>
    405       Bug AOSP 
    406      </th>
    407      <th>
    408       
    409      </th>
    410      <th>
    411       
    412      </th>
    413     </tr>
    414     <tr>
    415      <td>
    416       CVE-2015-1538
    417      </td>
    418      <td>
    419       <a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d">
    420        ANDROID-20139950
    421       </a>
    422       [
    423       <a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398">
    424        2
    425       </a>
    426       ]
    427      </td>
    428      <td>
    429       
    430      </td>
    431      <td>
    432       5.1 
    433      </td>
    434     </tr>
    435    </tbody>
    436   </table>
    437   <h3 id="an_integer_underflow_in_esds_processing">
    438    An integer underflow in ESDS processing
    439   </h3>
    440   <p>
    441     ESDS atom libstagefright  mediaserver 
    442   </p>
    443   <p>
    444     API
    445   </p>
    446   <p>
    447     mediaserver  SELinux  2015  6 
    448   </p>
    449   <table>
    450    <tbody>
    451     <tr>
    452      <th>
    453       CVE
    454      </th>
    455      <th>
    456       Bug AOSP 
    457      </th>
    458      <th>
    459       
    460      </th>
    461      <th>
    462       
    463      </th>
    464     </tr>
    465     <tr>
    466      <td>
    467       CVE-2015-1539
    468      </td>
    469      <td>
    470       <a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c">
    471        ANDROID-20139950
    472       </a>
    473      </td>
    474      <td>
    475       
    476      </td>
    477      <td>
    478       5.1 
    479      </td>
    480     </tr>
    481    </tbody>
    482   </table>
    483   <h3 id="integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom">
    484    Integer overflow in libstagefright when parsing the MPEG4 tx3g atom
    485   </h3>
    486   <p>
    487     MPEG4 tx3g libstagefright  mediaserver 
    488   </p>
    489   <p>
    490     API
    491   </p>
    492   <p>
    493     mediaserver  SELinux 
    494   </p>
    495   <p>
    496     2015  6 
    497   </p>
    498   <table>
    499    <tbody>
    500     <tr>
    501      <th>
    502       CVE
    503      </th>
    504      <th>
    505       Bug AOSP 
    506      </th>
    507      <th>
    508       
    509      </th>
    510      <th>
    511       
    512      </th>
    513     </tr>
    514     <tr>
    515      <td>
    516       CVE-2015-3824
    517      </td>
    518      <td>
    519       <a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6">
    520        ANDROID-20923261
    521       </a>
    522      </td>
    523      <td>
    524       
    525      </td>
    526      <td>
    527       5.1 
    528      </td>
    529     </tr>
    530    </tbody>
    531   </table>
    532   <h3 id="integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms">
    533    Integer underflow in libstagefright when processing MPEG4 covr atoms
    534   </h3>
    535   <p>
    536     MPEG4 libstagefright  mediaserver 
    537   </p>
    538   <p>
    539     API
    540   </p>
    541   <p>
    542     mediaserver  SELinux 
    543   </p>
    544   <p>
    545     2015  6 
    546   </p>
    547   <table>
    548    <tbody>
    549     <tr>
    550      <th>
    551       CVE
    552      </th>
    553      <th>
    554       Bug AOSP 
    555      </th>
    556      <th>
    557       
    558      </th>
    559      <th>
    560       
    561      </th>
    562     </tr>
    563     <tr>
    564      <td>
    565       CVE-2015-3827
    566      </td>
    567      <td>
    568       <a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231">
    569        ANDROID-20923261
    570       </a>
    571      </td>
    572      <td>
    573       
    574      </td>
    575      <td>
    576       5.1 
    577      </td>
    578     </tr>
    579    </tbody>
    580   </table>
    581   <h3 id="integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata">
    582    Integer underflow in libstagefright if size is below 6 while processing 3GPP metadata
    583   </h3>
    584   <p>
    585     3GPP libstagefright  mediaserver 
    586   </p>
    587   <p>
    588     API
    589   </p>
    590   <p>
    591     mediaserver  SELinux  2015  6 
    592   </p>
    593   <table>
    594    <tbody>
    595     <tr>
    596      <th>
    597       CVE
    598      </th>
    599      <th>
    600       Bug AOSP 
    601      </th>
    602      <th>
    603       
    604      </th>
    605      <th>
    606       
    607      </th>
    608     </tr>
    609     <tr>
    610      <td>
    611       CVE-2015-3828
    612      </td>
    613      <td>
    614       <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">
    615        ANDROID-20923261
    616       </a>
    617      </td>
    618      <td>
    619       
    620      </td>
    621      <td>
    622       5.0 
    623      </td>
    624     </tr>
    625    </tbody>
    626   </table>
    627   <h3 id="integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max">
    628    Integer overflow in libstagefright processing MPEG4 covr atoms when chunk_data_size is SIZE_MAX
    629   </h3>
    630   <p>
    631     MPEG4 covr libstagefright  mediaserver 
    632   </p>
    633   <p>
    634     API
    635   </p>
    636   <p>
    637     mediaserver  SELinux  2015  6 
    638   </p>
    639   <table>
    640    <tbody>
    641     <tr>
    642      <th>
    643       CVE
    644      </th>
    645      <th>
    646       Bug AOSP 
    647      </th>
    648      <th>
    649       
    650      </th>
    651      <th>
    652       
    653      </th>
    654     </tr>
    655     <tr>
    656      <td>
    657       CVE-2015-3829
    658      </td>
    659      <td>
    660       <a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859">
    661        ANDROID-20923261
    662       </a>
    663      </td>
    664      <td>
    665       
    666      </td>
    667      <td>
    668       5.0 
    669      </td>
    670     </tr>
    671    </tbody>
    672   </table>
    673   <h3 id="buffer_overflow_in_sonivox_parse_wave">
    674    Buffer overflow in Sonivox Parse_wave
    675   </h3>
    676   <p>
    677     XMF Sonivox  mediaserver 
    678   </p>
    679   <p>
    680     API
    681   </p>
    682   <p>
    683     mediaserver  SELinux  2015  6 
    684   </p>
    685   <table>
    686    <tbody>
    687     <tr>
    688      <th>
    689       CVE
    690      </th>
    691      <th>
    692       Bug AOSP 
    693      </th>
    694      <th>
    695       
    696      </th>
    697      <th>
    698       
    699      </th>
    700     </tr>
    701     <tr>
    702      <td>
    703       CVE-2015-3836
    704      </td>
    705      <td>
    706       <a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6">
    707        ANDROID-21132860
    708       </a>
    709      </td>
    710      <td>
    711       
    712      </td>
    713      <td>
    714       5.1 
    715      </td>
    716     </tr>
    717    </tbody>
    718   </table>
    719   <h3 id="buffer_overflows_in_libstagefright_mpeg4extractor_cpp">
    720    Buffer overflows in libstagefright MPEG4Extractor.cpp
    721   </h3>
    722   <p>
    723     MP4 libstagefright  mediaserver 
    724   </p>
    725   <p>
    726     API
    727   </p>
    728   <p>
    729     mediaserver  SELinux 
    730   </p>
    731   <p>
    732     2015  6 
    733   </p>
    734   <table>
    735    <tbody>
    736     <tr>
    737      <th>
    738       CVE
    739      </th>
    740      <th>
    741       Bug AOSP 
    742      </th>
    743      <th>
    744       
    745      </th>
    746      <th>
    747       
    748      </th>
    749     </tr>
    750     <tr>
    751      <td>
    752       CVE-2015-3832
    753      </td>
    754      <td>
    755       <a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b">
    756        ANDROID-19641538
    757       </a>
    758      </td>
    759      <td>
    760       
    761      </td>
    762      <td>
    763       5.1 
    764      </td>
    765     </tr>
    766    </tbody>
    767   </table>
    768   <h3 id="buffer_overflow_in_mediaserver_bpmediahttpconnection">
    769    Buffer overflow in mediaserver BpMediaHTTPConnection
    770   </h3>
    771   <p>
    772    BpMediaHTTPConnection  mediaserver 
    773   </p>
    774   <p>
    775     API
    776   </p>
    777   <p>
    778     mediaserver  mediaserver  SELinux 
    779   </p>
    780   <table>
    781    <tbody>
    782     <tr>
    783      <th>
    784       CVE
    785      </th>
    786      <th>
    787       Bug AOSP 
    788      </th>
    789      <th>
    790       
    791      </th>
    792      <th>
    793       
    794      </th>
    795     </tr>
    796     <tr>
    797      <td>
    798       CVE-2015-3831
    799      </td>
    800      <td>
    801       <a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed">
    802        ANDROID-19400722
    803       </a>
    804      </td>
    805      <td>
    806       
    807      </td>
    808      <td>
    809       5.0  5.1
    810      </td>
    811     </tr>
    812    </tbody>
    813   </table>
    814   <h3 id="vulnerability_in_libpng_overflow_in_png_read_idat_data">
    815    Vulnerability in libpng: overflow in png_Read_IDAT_data
    816   </h3>
    817   <p>
    818     libpng  png_read_IDAT_data()  IDAT 
    819   </p>
    820   <p>
    821     API
    822   </p>
    823   <p>
    824    
    825   </p>
    826   <table>
    827    <tbody>
    828     <tr>
    829      <th>
    830       CVE
    831      </th>
    832      <th>
    833       Bug AOSP 
    834      </th>
    835      <th>
    836       
    837      </th>
    838      <th>
    839       
    840      </th>
    841     </tr>
    842     <tr>
    843      <td>
    844       CVE-2015-0973
    845      </td>
    846      <td>
    847       <a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa">
    848        ANDROID-19499430
    849       </a>
    850      </td>
    851      <td>
    852       
    853      </td>
    854      <td>
    855       5.1 
    856      </td>
    857     </tr>
    858    </tbody>
    859   </table>
    860   <h3 id="remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant">
    861    Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant
    862   </h3>
    863   <p>
    864     wpa_supplicant  WLAN Direct  p2p_add_device()  Android WLAN
    865   </p>
    866   <p>
    867    
    868   </p>
    869   <p>
    870    - WLAN Direct  Android 
    871   </p>
    872   <p>
    873    -  WLAN 
    874   </p>
    875   <p>
    876    - wpa_supplicant WLAN
    877   </p>
    878   <p>
    879    - Android 4.1  ASLR 
    880   </p>
    881   <p>
    882    - wpa_supplicant  Android 5.0  SELinux 
    883   </p>
    884   <p>
    885    WLAN
    886   </p>
    887   <table>
    888    <tbody>
    889     <tr>
    890      <th>
    891       CVE
    892      </th>
    893      <th>
    894       Bug AOSP 
    895      </th>
    896      <th>
    897       
    898      </th>
    899      <th>
    900       
    901      </th>
    902     </tr>
    903     <tr>
    904      <td>
    905       CVE-2015-1863
    906      </td>
    907      <td>
    908       <a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c">
    909        ANDROID-20076874
    910       </a>
    911      </td>
    912      <td>
    913       
    914      </td>
    915      <td>
    916       5.1 
    917      </td>
    918     </tr>
    919    </tbody>
    920   </table>
    921   <h3 id="memory_corruption_in_opensslx509certificate_deserialization">
    922    Memory corruption in OpenSSLX509Certificate deserialization
    923   </h3>
    924   <p>
    925     Intent Intent 
    926   </p>
    927   <p>
    928    
    929   </p>
    930   <table>
    931    <tbody>
    932     <tr>
    933      <th>
    934       CVE
    935      </th>
    936      <th>
    937       Bug AOSP 
    938      </th>
    939      <th>
    940       
    941      </th>
    942      <th>
    943       
    944      </th>
    945     </tr>
    946     <tr>
    947      <td>
    948       CVE-2015-3837
    949      </td>
    950      <td>
    951       <a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540">
    952        ANDROID-21437603
    953       </a>
    954      </td>
    955      <td>
    956       
    957      </td>
    958      <td>
    959       5.1 
    960      </td>
    961     </tr>
    962    </tbody>
    963   </table>
    964   <h3 id="buffer_overflow_in_mediaserver_bnhdcp">
    965    Buffer overflow in mediaserver BnHDCP
    966   </h3>
    967   <p>
    968    libstagefright  mediaserver 
    969   </p>
    970   <p>
    971     mediaserver  SELinux 
    972   </p>
    973   <p>
    974     2015  6 
    975   </p>
    976   <table>
    977    <tbody>
    978     <tr>
    979      <th>
    980       CVE
    981      </th>
    982      <th>
    983       Bug AOSP 
    984      </th>
    985      <th>
    986       
    987      </th>
    988      <th>
    989       
    990      </th>
    991     </tr>
    992     <tr>
    993      <td>
    994       CVE-2015-3834
    995      </td>
    996      <td>
    997       <a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced">
    998        ANDROID-20222489
    999       </a>
   1000      </td>
   1001      <td>
   1002       
   1003      </td>
   1004      <td>
   1005       5.1 
   1006      </td>
   1007     </tr>
   1008    </tbody>
   1009   </table>
   1010   <h3 id="buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer">
   1011    Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer
   1012   </h3>
   1013   <p>
   1014    libstagefright  mediaserver 
   1015   </p>
   1016   <p>
   1017     mediaserver  SELinux 
   1018   </p>
   1019   <p>
   1020     2015  6 
   1021   </p>
   1022   <table>
   1023    <tbody>
   1024     <tr>
   1025      <th>
   1026       CVE
   1027      </th>
   1028      <th>
   1029       Bug AOSP 
   1030      </th>
   1031      <th>
   1032       
   1033      </th>
   1034      <th>
   1035       
   1036      </th>
   1037     </tr>
   1038     <tr>
   1039      <td>
   1040       CVE-2015-3835
   1041      </td>
   1042      <td>
   1043       <a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab">
   1044        ANDROID-20634516
   1045       </a>
   1046       [
   1047       <a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902">
   1048        2
   1049       </a>
   1050       ]
   1051      </td>
   1052      <td>
   1053       
   1054      </td>
   1055      <td>
   1056       5.1 
   1057      </td>
   1058     </tr>
   1059    </tbody>
   1060   </table>
   1061   <h3 id="heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr">
   1062    Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()
   1063   </h3>
   1064   <p>
   1065    mediaserver  mediaserver 
   1066   </p>
   1067   <p>
   1068     API
   1069   </p>
   1070   <p>
   1071     mediaserver  mediaserver  SELinux 
   1072   </p>
   1073   <table>
   1074    <tbody>
   1075     <tr>
   1076      <th>
   1077       CVE
   1078      </th>
   1079      <th>
   1080       Bug AOSP 
   1081      </th>
   1082      <th>
   1083       
   1084      </th>
   1085      <th>
   1086       
   1087      </th>
   1088     </tr>
   1089     <tr>
   1090      <td>
   1091       CVE-2015-3842
   1092      </td>
   1093      <td>
   1094       <a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">
   1095        ANDROID-21953516
   1096       </a>
   1097      </td>
   1098      <td>
   1099       
   1100      </td>
   1101      <td>
   1102       5.1 
   1103      </td>
   1104     </tr>
   1105    </tbody>
   1106   </table>
   1107   <h3 id="applications_can_intercept_or_emulate_sim_commands_to_telephony">
   1108    Applications can intercept or emulate SIM commands to Telephony
   1109   </h3>
   1110   <p>
   1111    SIM  (STK)  Android  Telephony  STK SIM 
   1112   </p>
   1113   <p>
   1114    
   1115   </p>
   1116   <table>
   1117    <tbody>
   1118     <tr>
   1119      <th>
   1120       CVE
   1121      </th>
   1122      <th>
   1123       Bug AOSP 
   1124      </th>
   1125      <th>
   1126       
   1127      </th>
   1128      <th>
   1129       
   1130      </th>
   1131     </tr>
   1132     <tr>
   1133      <td>
   1134       CVE-2015-3843
   1135      </td>
   1136      <td>
   1137       <a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9">
   1138        ANDROID-21697171
   1139       </a>
   1140       [
   1141       <a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7">
   1142        2
   1143       </a>
   1144       
   1145       <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4">
   1146        3
   1147       </a>
   1148       
   1149       <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456">
   1150        4
   1151       </a>
   1152       ]
   1153      </td>
   1154      <td>
   1155       
   1156      </td>
   1157      <td>
   1158       5.1 
   1159      </td>
   1160     </tr>
   1161    </tbody>
   1162   </table>
   1163   <h3 id="vulnerability_in_bitmap_unmarshalling">
   1164    Vulnerability in Bitmap unmarshalling
   1165   </h3>
   1166   <p>
   1167    Bitmap_createFromParcel  system_server  system_server 
   1168   </p>
   1169   <p>
   1170     system_server 
   1171   </p>
   1172   <table>
   1173    <tbody>
   1174     <tr>
   1175      <th>
   1176       CVE
   1177      </th>
   1178      <th>
   1179       Bug AOSP 
   1180      </th>
   1181      <th>
   1182       
   1183      </th>
   1184      <th>
   1185       
   1186      </th>
   1187     </tr>
   1188     <tr>
   1189      <td>
   1190       CVE-2015-1536
   1191      </td>
   1192      <td>
   1193       <a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb">
   1194        ANDROID-19666945
   1195       </a>
   1196      </td>
   1197      <td>
   1198       
   1199      </td>
   1200      <td>
   1201       5.1 
   1202      </td>
   1203     </tr>
   1204    </tbody>
   1205   </table>
   1206   <h3 id="appwidgetserviceimpl_can_create_intentsender_with_system_privileges">
   1207    AppWidgetServiceImpl can create IntentSender with system privileges
   1208   </h3>
   1209   <p>
   1210     AppWidgetServiceImpl  FLAG_GRANT_READ/WRITE_URI_PERMISSION  URI  READ_CONTACTS 
   1211   </p>
   1212   <p>
   1213    
   1214   </p>
   1215   <table>
   1216    <tbody>
   1217     <tr>
   1218      <th>
   1219       CVE
   1220      </th>
   1221      <th>
   1222       Bug AOSP 
   1223      </th>
   1224      <th>
   1225       
   1226      </th>
   1227      <th>
   1228       
   1229      </th>
   1230     </tr>
   1231     <tr>
   1232      <td>
   1233       CVE-2015-1541
   1234      </td>
   1235      <td>
   1236       <a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07">
   1237        ANDROID-19618745
   1238       </a>
   1239      </td>
   1240      <td>
   1241       
   1242      </td>
   1243      <td>
   1244       5.1
   1245      </td>
   1246     </tr>
   1247    </tbody>
   1248   </table>
   1249   <h3 id="mitigation_bypass_of_restrictions_on_getrecenttasks">
   1250    Mitigation bypass of restrictions on getRecentTasks()
   1251   </h3>
   1252   <p>
   1253     Android 5.0  getRecentTasks() 
   1254   </p>
   1255   <p>
   1256    
   1257   </p>
   1258   <p>
   1259    
   1260    <a href="http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l">
   1261     http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l
   1262    </a>
   1263   </p>
   1264   <table>
   1265    <tbody>
   1266     <tr>
   1267      <th>
   1268       CVE
   1269      </th>
   1270      <th>
   1271       Bug AOSP 
   1272      </th>
   1273      <th>
   1274       
   1275      </th>
   1276      <th>
   1277       
   1278      </th>
   1279     </tr>
   1280     <tr>
   1281      <td>
   1282       CVE-2015-3833
   1283      </td>
   1284      <td>
   1285       <a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e">
   1286        ANDROID-20034603
   1287       </a>
   1288      </td>
   1289      <td>
   1290       
   1291      </td>
   1292      <td>
   1293       5.0  5.1
   1294      </td>
   1295     </tr>
   1296    </tbody>
   1297   </table>
   1298   <h3 id="activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process">
   1299    ActivityManagerService.getProcessRecordLocked() may load a system UID application into the wrong process
   1300   </h3>
   1301   <p>
   1302    ActivityManager  getProcessRecordLocked()  ActivityManager 
   1303   </p>
   1304   <p>
   1305    
   1306   </p>
   1307   <p>
   1308    
   1309   </p>
   1310   <table>
   1311    <tbody>
   1312     <tr>
   1313      <th>
   1314       CVE
   1315      </th>
   1316      <th>
   1317       Bug AOSP 
   1318      </th>
   1319      <th>
   1320       
   1321      </th>
   1322      <th>
   1323       
   1324      </th>
   1325     </tr>
   1326     <tr>
   1327      <td>
   1328       CVE-2015-3844
   1329      </td>
   1330      <td>
   1331       <a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31">
   1332        ANDROID-21669445
   1333       </a>
   1334      </td>
   1335      <td>
   1336       
   1337      </td>
   1338      <td>
   1339       5.1 
   1340      </td>
   1341     </tr>
   1342    </tbody>
   1343   </table>
   1344   <h3 id="unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata">
   1345    Unbounded buffer read in libstagefright while parsing 3GPP metadata
   1346   </h3>
   1347   <p>
   1348     3GPP  mediaserver 
   1349   </p>
   1350   <p>
   1351     mediaserver 
   1352   </p>
   1353   <table>
   1354    <tbody>
   1355     <tr>
   1356      <th>
   1357       CVE
   1358      </th>
   1359      <th>
   1360       Bug AOSP 
   1361      </th>
   1362      <th>
   1363       
   1364      </th>
   1365      <th>
   1366       
   1367      </th>
   1368     </tr>
   1369     <tr>
   1370      <td>
   1371       CVE-2015-3826
   1372      </td>
   1373      <td>
   1374       <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">
   1375        ANDROID-20923261
   1376       </a>
   1377      </td>
   1378      <td>
   1379       
   1380      </td>
   1381      <td>
   1382       5.0  5.1
   1383      </td>
   1384     </tr>
   1385    </tbody>
   1386   </table>
   1387   <h2 id="revisions" style="margin-bottom:0px">
   1388    Revisions
   1389   </h2>
   1390   <hr/>
   1391   <ul>
   1392    <li>
   1393     August 13, 2015
   1394    </li>
   1395   </ul>
   1396  </div>
   1397  <div class="content-footer-sac" itemscope="" itemtype="http://schema.org/SiteNavigationElement">
   1398   <div class="layout-content-col col-9" style="padding-top:4px">
   1399   </div>
   1400   <div class="paging-links layout-content-col col-4">
   1401   </div>
   1402  </div>
   1403 </div>
   1404 
   1405   </body>
   1406 </html>
   1407