1 <html devsite> 2 <head> 3 <title>Nexus - 2016 1 </title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p><em>2016 3 7 | 2016 3 8 </em></p> 27 28 <p> Android (OTA) Nexus <a href="https://developers.google.com/android/nexus/images">Google Developers </a> Nexus 2016 3 1 LMY49H Android L Android M <a href="https://support.google.com/nexus/answer/4457705">Nexus </a></p> 29 30 <p> 2016 2 1 48 Android (AOSP) AOSP </p> 31 32 <p></p> 33 34 <p><a href="#mitigations"></a> <a href="/security/enhancements/index.html">Android </a> SafetyNet Android </p> 35 36 <h2 id="security_vulnerability_summary"></h2> 37 38 <p> CVE<a href="/security/overview/updates-resources.html#severity"></a></p> 39 <table> 40 <tr> 41 <th></th> 42 <th>CVE</th> 43 <th></th> 44 </tr> 45 <tr> 46 <td>Mediaserver </td> 47 <td>CVE-2016-0815<br>CVE-2016-0816</td> 48 <td></td> 49 </tr> 50 <tr> 51 <td>libvpx </td> 52 <td>CVE-2016-1621</td> 53 <td></td> 54 </tr> 55 <tr> 56 <td>Conscrypt </td> 57 <td>CVE-2016-0818</td> 58 <td></td> 59 </tr> 60 <tr> 61 <td>Qualcomm <br></td> 62 <td>CVE-2016-0819</td> 63 <td></td> 64 </tr> 65 <tr> 66 <td>MediaTek WLAN </td> 67 <td>CVE-2016-0820</td> 68 <td></td> 69 </tr> 70 <tr> 71 <td>Keyring </td> 72 <td>CVE-2016-0728</td> 73 <td></td> 74 </tr> 75 <tr> 76 <td></td> 77 <td>CVE-2016-0821</td> 78 <td></td> 79 </tr> 80 <tr> 81 <td>MediaTek </td> 82 <td>CVE-2016-0822</td> 83 <td></td> 84 </tr> 85 <tr> 86 <td></td> 87 <td>CVE-2016-0823</td> 88 <td></td> 89 </tr> 90 <tr> 91 <td>libstagefright </td> 92 <td>CVE-2016-0824</td> 93 <td></td> 94 </tr> 95 <tr> 96 <td>Widevine </td> 97 <td>CVE-2016-0825</td> 98 <td></td> 99 </tr> 100 <tr> 101 <td>Mediaserver </td> 102 <td>CVE-2016-0826<br>CVE-2016-0827</td> 103 <td></td> 104 </tr> 105 <tr> 106 <td>Mediaserver </td> 107 <td>CVE-2016-0828<br>CVE-2016-0829</td> 108 <td></td> 109 </tr> 110 <tr> 111 <td></td> 112 <td>CVE-2016-0830</td> 113 <td></td> 114 </tr> 115 <tr> 116 <td>Telephony </td> 117 <td>CVE-2016-0831</td> 118 <td></td> 119 </tr> 120 <tr> 121 <td></td> 122 <td>CVE-2016-0832</td> 123 <td></td> 124 </tr> 125 </table> 126 127 128 <h3 id="mitigations"></h3> 129 130 131 <p> <a href="/security/enhancements/index.html">Android </a> SafetyNet Android </p> 132 133 <ul> 134 <li> Android Android Android 135 <li>Android SafetyNet Google Play Root Google Play Root 136 <li> Google Messenger mediaserver 137 </li></li></li></ul> 138 139 <h3 id="acknowledgements"></h3> 140 141 142 <p></p> 143 144 <ul> 145 <li> Google Chrome Abhishek AryaOliver Chang Martin BarbellaCVE-2016-0815<li> CENSUS S.A. Anestis Bechtsoudis (<a href="https://twitter.com/anestisb">@anestisb</a>)CVE-2016-0816CVE-2016-0824<li> Android Chad BrubakerCVE-2016-0818<li> Google Project Zero Mark BrandCVE-2016-0820<li> <a href="http://www.360safe.com"> 360</a> <a href="http://c0reteam.org">C0RE </a> Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>)Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>) Xuxian JiangCVE-2016-0826<li> (Trend Micro) Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>)CVE-2016-0827CVE-2016-0828CVE-2016-0829<li> Scott Bauer<a href="mailto:sbauer (a] eng.utah.edu">sbauer (a] eng.utah.edu</a><a href="mailto:sbauer (a] plzdonthack.me">sbauer (a] plzdonthack.me</a>CVE-2016-0822<li> (Trend Micro Inc.) (<a href="https://twitter.com/@wish_wu">@wish_wu</a>)CVE-2016-0819<li> Yongzheng Wu Tieyan LiCVE-2016-0831<li> Su Mon Kywe Yingjiu LiCVE-2016-0831<li> Android Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>)CVE-2016-0821</li></li></li></li></li></li></li></li></li></li></li></ul> 146 147 <h2 id="security_vulnerability_details"></h2> 148 149 150 <p><a href="#security_vulnerability_summary"></a> CVE Bug Bug ID AOSP Bug Bug ID AOSP </p> 151 152 <h3 id="remote_code_execution_vulnerability_in_mediaserver">Mediaserver </h3> 153 154 155 <p> mediaserver mediaserver </p> 156 157 <p></p> 158 159 <p> mediaserver mediaserver </p> 160 <table> 161 <tr> 162 <th>CVE</th> 163 <th>Bug AOSP </th> 164 <th></th> 165 <th></th> 166 <th></th> 167 </tr> 168 <tr> 169 <td>CVE-2016-0815</td> 170 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5403587a74aee2fb57076528c3927851531c8afb">ANDROID-26365349</a> 171 </td> 172 <td></td> 173 <td>4.4.45.0.25.1.16.06.0.1</td> 174 <td>Google </td> 175 </tr> 176 <tr> 177 <td>CVE-2016-0816</td> 178 <td><a href="https://android.googlesource.com/platform/external/libavc/+/4a524d3a8ae9aa20c36430008e6bd429443f8f1d">ANDROID-25928803</a> 179 </td> 180 <td></td> 181 <td>6.06.0.1</td> 182 <td>Google </td> 183 </tr> 184 </table> 185 186 187 <h3 id="remote_code_execution_vulnerabilities_in_libvpx">libvpx </h3> 188 189 190 <p> mediaserver mediaserver </p> 191 192 <p></p> 193 194 <p> mediaserver mediaserver </p> 195 <table> 196 <tr> 197 <th>CVE</th> 198 <th>Bug AOSP </th> 199 <th></th> 200 <th></th> 201 <th></th> 202 </tr> 203 <tr> 204 <td>CVE-2016-1621</td> 205 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/5a6788730acfc6fd8f4a6ef89d2c376572a26b55">ANDROID-23452792</a><a href="https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d">[2]</a><a href="https://android.googlesource.com/platform/external/libvpx/+/5a9753fca56f0eeb9f61e342b2fccffc364f9426">[3]</a> 206 </td> 207 <td></td> 208 <td>4.4.45.0.25.1.16.0</td> 209 <td>Google </td> 210 </tr> 211 </table> 212 213 214 <h3 id="elevation_of_privilege_in_conscrypt">Conscrypt </h3> 215 216 <p>Conscrypt (CA) </p> 217 218 <table> 219 <tr> 220 <th>CVE</th> 221 <th>Bug AOSP </th> 222 <th></th> 223 <th></th> 224 <th></th> 225 </tr> 226 <tr> 227 <td>CVE-2016-0818</td> 228 <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/c4ab1b959280413fb11bf4fd7f6b4c2ba38bd779">ANDROID-26232830</a><a href="https://android.googlesource.com/platform/external/conscrypt/+/4c9f9c2201116acf790fca25af43995d29980ee0">[2]</a> 229 </td> 230 <td></td> 231 <td>4.4.45.0.25.1.16.06.0.1</td> 232 <td>Google </td> 233 </tr> 234 </table> 235 236 237 <h3 id="elevation_of_privilege_vulnerability_in_the_qualcomm_performance_component">Qualcomm </h3> 238 239 240 <p>Qualcomm </p> 241 <table> 242 <tr> 243 <th>CVE</th> 244 <th>Bug</th> 245 <th></th> 246 <th></th> 247 <th></th> 248 </tr> 249 <tr> 250 <td>CVE-2016-0819</td> 251 <td>ANDROID-25364034*</td> 252 <td></td> 253 <td>4.4.45.0.25.1.16.06.0.1</td> 254 <td>2015 10 29 </td> 255 </tr> 256 </table> 257 258 259 <p>* AOSP <a href="https://developers.google.com/android/nexus/drivers">Google Developers </a> Nexus </p> 260 261 <h3 id="elevation_of_privilege_vulnerability_in_mediatek_wi-fi_kernel_driver">MediaTek WLAN </h3> 262 263 264 <p>MediaTek WLAN </p> 265 <table> 266 <tr> 267 <th>CVE</th> 268 <th>Bug</th> 269 <th></th> 270 <th></th> 271 <th></th> 272 </tr> 273 <tr> 274 <td>CVE-2016-0820</td> 275 <td>ANDROID-26267358*</td> 276 <td></td> 277 <td>6.0.1</td> 278 <td>2015 12 18 </td> 279 </tr> 280 </table> 281 282 283 <p>* AOSP <a href="https://developers.google.com/android/nexus/drivers">Google Developers </a> Nexus </p> 284 285 <h3 id="elevation_of_privilege_vulnerability_in_kernel_keyring_component"> Keyring </h3> 286 287 288 <p> Keyring Android 5.0 SELinux </p> 289 290 <p><strong></strong>AOSP <a href="https://android.googlesource.com/kernel/common/+/8a8431507f8f5910db5ac85b72dbdc4ed8f6b308">4.1</a><a href="https://android.googlesource.com/kernel/common/+/ba8bb5774ca7b1acc314c98638cf678ce0beb19a">3.18</a><a href="https://android.googlesource.com/kernel/common/+/93faf7ad3d603c33b33e49318e81cf00f3a24a73">3.14</a> <a href="https://android.googlesource.com/kernel/common/+/9fc5f368bb89b65b591c4f800dfbcc7432e49de5">3.10</a></p> 291 <table> 292 <tr> 293 <th>CVE</th> 294 <th>Bug</th> 295 <th></th> 296 <th></th> 297 <th></th> 298 </tr> 299 <tr> 300 <td>CVE-2016-0728</td> 301 <td>ANDROID-26636379 </td> 302 <td></td> 303 <td>4.4.45.0.25.1.16.06.0.1</td> 304 <td>2016 1 11 </td> 305 </tr> 306 </table> 307 308 309 <h3 id="mitigation_bypass_vulnerability_in_the_kernel"></h3> 310 311 312 <p></p> 313 314 <p><strong></strong><a href="https://github.com/torvalds/linux/commit/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf"> Linux Upstream</a> </p> 315 316 <table> 317 <tr> 318 <th>CVE</th> 319 <th>Bug</th> 320 <th></th> 321 <th></th> 322 <th></th> 323 </tr> 324 <tr> 325 <td>CVE-2016-0821</td> 326 <td>ANDROID-26186802</td> 327 <td></td> 328 <td>6.0.1</td> 329 <td>Google </td> 330 </tr> 331 </table> 332 333 334 <h3 id="elevation_of_privilege_in_mediatek_connectivity_kernel_driver">MediaTek </h3> 335 336 337 <p>MediaTek Bug conn_launcher 338 </p> 339 <table> 340 <tr> 341 <th>CVE</th> 342 <th>Bug</th> 343 <th></th> 344 <th></th> 345 <th></th> 346 </tr> 347 <tr> 348 <td>CVE-2016-0822</td> 349 <td>ANDROID-25873324*</td> 350 <td></td> 351 <td>6.0.1</td> 352 <td>2015 11 24 </td> 353 </tr> 354 </table> 355 356 357 <p>* AOSP <a href="https://developers.google.com/android/nexus/drivers">Google Developers </a> Nexus </p> 358 359 <h3 id="information_disclosure_vulnerability_in_kernel"></h3> 360 361 362 <p> ASLR</p> 363 364 <p><strong></strong><a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce"> Linux Upstream</a> </p> 365 <table> 366 <tr> 367 <th>CVE</th> 368 <th>Bug</th> 369 <th></th> 370 <th></th> 371 <th></th> 372 </tr> 373 <tr> 374 <td>CVE-2016-0823</td> 375 <td>ANDROID-25739721*</td> 376 <td></td> 377 <td>6.0.1</td> 378 <td>Google </td> 379 </tr> 380 </table> 381 <p>* AOSP <a href="https://developers.google.com/android/nexus/drivers">Google Developers </a> Nexus </p> 382 383 <h3 id="information_disclosure_vulnerability_in_libstagefright">libstagefright </h3> 384 385 386 <p>libstagefright <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> </p> 387 <table> 388 <tr> 389 <th>CVE</th> 390 <th>Bug AOSP </th> 391 <th></th> 392 <th></th> 393 <th></th> 394 </tr> 395 <tr> 396 <td>CVE-2016-0824</td> 397 <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/ffab15eb80630dc799eb410855c93525b75233c3">ANDROID-25765591</a> 398 </td> 399 <td></td> 400 <td>6.06.0.1</td> 401 <td>2015 11 18 </td> 402 </tr> 403 </table> 404 405 406 <h3 id="information_disclosure_vulnerability_in_widevine">Widevine </h3> 407 408 409 <p>Widevine TrustZone <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> </p> 410 <table> 411 <tr> 412 <th>CVE</th> 413 <th>Bug</th> 414 <th></th> 415 <th></th> 416 <th></th> 417 </tr> 418 <tr> 419 <td>CVE-2016-0825</td> 420 <td>ANDROID-20860039*</td> 421 <td></td> 422 <td>6.0.1</td> 423 <td>Google </td> 424 </tr> 425 </table> 426 427 428 <p>* AOSP <a href="https://developers.google.com/android/nexus/drivers">Google Developers </a> Nexus </p> 429 430 <h3 id="elevation_of_privilege_vulnerability_in_mediaserver">Mediaserver </h3> 431 432 433 <p>Mediaserver <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> </p> 434 <table> 435 <tr> 436 <th>CVE</th> 437 <th>Bug AOSP </th> 438 <th></th> 439 <th></th> 440 <th></th> 441 </tr> 442 <tr> 443 <td>CVE-2016-0826</td> 444 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c9ab2b0bb05a7e19fb057e79b36e232809d70122">ANDROID-26265403</a><a href="https://android.googlesource.com/platform/frameworks/av/+/899823966e78552bb6dfd7772403a4f91471d2b0">[2]</a> 445 </td> 446 <td></td> 447 <td>4.4.45.0.25.1.16.06.0.1</td> 448 <td>2015 12 17 </td> 449 </tr> 450 <tr> 451 <td>CVE-2016-0827</td> 452 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/9e29523b9537983b4c4b205ff868d0b3bca0383b">ANDROID-26347509</a></td> 453 <td></td> 454 <td>4.4.45.0.25.1.16.06.0.1</td> 455 <td>2015 12 28 </td> 456 </tr> 457 </table> 458 459 460 <h3 id="information_disclosure_vulnerability_in_mediaserver">Mediaserver </h3> 461 462 463 <p>mediaserver <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> </p> 464 <table> 465 <tr> 466 <th>CVE</th> 467 <th>Bug AOSP </th> 468 <th></th> 469 <th></th> 470 <th></th> 471 </tr> 472 <tr> 473 <td>CVE-2016-0828</td> 474 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/dded8fdbb700d6cc498debc69a780915bc34d755">ANDROID-26338113</a> 475 </td> 476 <td></td> 477 <td>5.0.25.1.16.06.0.1</td> 478 <td>2015 12 27 </td> 479 </tr> 480 <tr> 481 <td>CVE-2016-0829</td> 482 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/d06421fd37fbb7fd07002e6738fac3a223cb1a62">ANDROID-26338109</a></td> 483 <td></td> 484 <td>4.4.45.0.25.1.16.06.0.1</td> 485 <td>2015 12 27 </td> 486 </tr> 487 </table> 488 489 490 <h3 id="remote_denial_of_service_vulnerability_in_bluetooth"></h3> 491 492 493 <p></p> 494 <table> 495 <tr> 496 <th>CVE</th> 497 <th>Bug AOSP </th> 498 <th></th> 499 <th></th> 500 <th></th> 501 </tr> 502 <tr> 503 <td>CVE-2016-0830</td> 504 <td><a href="https://android.googlesource.com/platform/system/bt/+/d77f1999ecece56c1cbb333f4ddc26f0b5bac2c5">ANDROID-26071376</a></td> 505 <td></td> 506 <td>6.06.0.1</td> 507 <td>Google </td> 508 </tr> 509 </table> 510 511 512 <h3 id="information_disclosure_vulnerability_in_telephony">Telephony </h3> 513 514 515 <p>Telephony </p> 516 <table> 517 <tr> 518 <th>CVE</th> 519 <th>Bug AOSP </th> 520 <th></th> 521 <th></th> 522 <th></th> 523 </tr> 524 <tr> 525 <td>CVE-2016-0831</td> 526 <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/79eecef63f3ea99688333c19e22813f54d4a31b1">ANDROID-25778215</a></td> 527 <td></td> 528 <td>5.0.25.1.16.06.0.1</td> 529 <td>2015 11 16 </td> 530 </tr> 531 </table> 532 533 534 <h3 id="elevation_of_privilege_vulnerability_in_setup_wizard"></h3> 535 536 537 <p></p> 538 <table> 539 <tr> 540 <th>CVE</th> 541 <th>Bug</th> 542 <th></th> 543 <th></th> 544 <th></th> 545 </tr> 546 <tr> 547 <td>CVE-2016-0832</td> 548 <td>ANDROID-25955042*</td> 549 <td></td> 550 <td>5.1.16.06.0.1</td> 551 <td>Google </td> 552 </tr> 553 </table> 554 555 556 <p>* </p> 557 558 <h2 id="common_questions_and_answers"></h2> 559 560 561 <p></p> 562 563 <p><strong>1. </strong></p> 564 565 <p> 2016 3 1 LMY49H Android L Android 6.0 <a href="https://support.google.com/nexus/answer/4457705">Nexus </a> [ro.build.version.security_patch]:[2016-03-01]</p> 566 567 <h2 id="revisions"></h2> 568 569 570 <ul> 571 <li>2016 3 7 572 <li>2016 3 8 AOSP 573 </li></li></ul> 574 575 </body> 576 </html> 577