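<html devsite>
<head>
  <title>Nexus - 2015 8</title>
  <meta name="project_path" value="/_project.yaml" />
  <meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
  Copyright 2017 The Android Open Source Project

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<!--
  NOTE(review): this looks like a localized copy of the Nexus security
  bulletin dated 2015 8 13 whose non-ASCII text has been lost. Section
  headings, table header cells, every severity cell and most paragraph text
  are empty below; only ASCII identifiers (CVE IDs, ANDROID bug IDs, function
  names, affected versions) survive. The empty elements are kept in place so
  the text can be restored from the translation source. Until it is, readers
  cannot triage from this page: look up severity and impact by CVE ID.
-->

<p>
  <em>2015 8 13</em>
</p>
<p>
  Google Android (OTA) Nexus Nexus
  <a href="https://developers.google.com/android/nexus/images">Google</a>
  LMY48I 2015 6 25
</p>
<p></p>

<h2 id="security_vulnerability_summary" style="margin-bottom:0px"></h2>
<hr/>
<p>
  (CVE)
  <a href="https://source.android.com/security/overview/updates-resources.html#severity"></a>
</p>
<table>
  <tbody>
    <tr>
      <th></th>
      <th>CVE</th>
      <th></th>
    </tr>
    <tr>
      <td>MP4 Atom</td>
      <td>CVE-2015-1538</td>
      <td></td>
    </tr>
    <tr>
      <td>ESDS</td>
      <td>CVE-2015-1539</td>
      <td></td>
    </tr>
    <tr>
      <td>MPEG4 tx3g Atom libstagefright</td>
      <td>CVE-2015-3824</td>
      <td></td>
    </tr>
    <tr>
      <td>MPEG4 covr Atom libstagefright</td>
      <td>CVE-2015-3827</td>
      <td></td>
    </tr>
    <tr>
      <td>3GPP 6 libstagefright</td>
      <td>CVE-2015-3828</td>
      <td></td>
    </tr>
    <tr>
      <td>libstagefright MPEG4 covr Atom chunk_data_size SIZE_MAX</td>
      <td>CVE-2015-3829</td>
      <td></td>
    </tr>
    <tr>
      <td>Sonivox Parse_wave</td>
      <td>CVE-2015-3836</td>
      <td></td>
    </tr>
    <tr>
      <td>libstagefright MPEG4Extractor.cpp</td>
      <td>CVE-2015-3832</td>
      <td></td>
    </tr>
    <tr>
      <td>BpMediaHTTPConnection</td>
      <td>CVE-2015-3831</td>
      <td></td>
    </tr>
    <tr>
      <td>libpng png_read_IDAT_data</td>
      <td>CVE-2015-0973</td>
      <td></td>
    </tr>
    <tr>
      <td>wpa_supplicant p2p_add_device() memcpy()</td>
      <td>CVE-2015-1863</td>
      <td></td>
    </tr>
    <tr>
      <td>OpenSSLX509Certificate</td>
      <td>CVE-2015-3837</td>
      <td></td>
    </tr>
    <tr>
      <td>BnHDCP</td>
      <td>CVE-2015-3834</td>
      <td></td>
    </tr>
    <tr>
      <td>libstagefright OMXNodeInstance::emptyBuffer</td>
      <td>CVE-2015-3835</td>
      <td></td>
    </tr>
    <tr>
      <td>AudioPolicyManager::getInputForAttr()</td>
      <td>CVE-2015-3842</td>
      <td></td>
    </tr>
    <tr>
      <td>SIM</td>
      <td>CVE-2015-3843</td>
      <td></td>
    </tr>
    <tr>
      <td></td>
      <td>CVE-2015-1536</td>
      <td></td>
    </tr>
    <tr>
      <td>AppWidgetServiceImpl IntentSender</td>
      <td>CVE-2015-1541</td>
      <td></td>
    </tr>
    <tr>
      <td>getRecentTasks()</td>
      <td>CVE-2015-3833</td>
      <td></td>
    </tr>
    <tr>
      <td>ActivityManagerService.getProcessRecordLocked() UID</td>
      <td>CVE-2015-3844</td>
      <td></td>
    </tr>
    <tr>
      <td>3GPP libstagefright</td>
      <td>CVE-2015-3826</td>
      <td></td>
    </tr>
  </tbody>
</table>

<h2 id="mitigations" style="margin-bottom:0px"></h2>
<hr/>
<p>
  <a href="https://source.android.com/security/enhancements/index.html">Android</a>
  SafetyNet Android
</p>
<ul>
  <li>Android Android Android</li>
  <li>Android SafetyNet Google Play Root Google Play Root</li>
  <li>Google Hangouts Messenger</li>
</ul>

<h2 id="acknowledgements" style="margin-bottom:0px"></h2>
<hr/>
<p></p>
<ul>
  <li>Joshua Drake: CVE-2015-1538, CVE-2015-3826</li>
  <li>Ben Hawkes: CVE-2015-3836</li>
  <li>Alexandru Blanda: CVE-2015-3832</li>
  <li>Michał Bednarski: CVE-2015-3831, CVE-2015-3844, CVE-2015-1541</li>
  <li>Alex Copot: CVE-2015-1536</li>
  <li>Alex Eubanks: CVE-2015-0973</li>
  <li>Roee Hay, Or Peles: CVE-2015-3837</li>
  <li>Guang Gong: CVE-2015-3834</li>
  <li>Gal Beniamini: CVE-2015-3835</li>
  <li>Wish Wu*: CVE-2015-3842</li>
  <li>Artem Chaykin: CVE-2015-3843</li>
</ul>
<p>
  *Wish
  <a href="https://www.google.com/about/appsecurity/android-rewards/">Android</a>
</p>

<h3 id="integer_overflows_during_mp4_atom_processing">MP4 Atom</h3>
<p>libstagefright MP4 Atom</p>
<p>API</p>
<p>SELinux ( ) 2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1538</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d">ANDROID-20139950</a>
        [<a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398">2</a>]
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="an_integer_underflow_in_esds_processing">ESDS</h3>
<p>libstagefright ESDS Atom</p>
<p>API</p>
<p>SELinux ( ) 2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1539</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c">ANDROID-20139950</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom">MPEG4 tx3g Atom libstagefright</h3>
<p>libstagefright MPEG4 tx3g</p>
<p>API</p>
<p>SELinux ( )</p>
<p>2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3824</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms">MPEG4 covr Atom libstagefright</h3>
<p>libstagefright MPEG4</p>
<p>API</p>
<p>SELinux ( )</p>
<p>2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3827</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata">3GPP 6 libstagefright</h3>
<p>libstagefright 3GPP</p>
<p>API</p>
<p>SELinux ( ) 2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3828</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.0</td>
    </tr>
  </tbody>
</table>

<h3 id="integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max">libstagefright MPEG4 covr Atom chunk_data_size SIZE_MAX</h3>
<p>libstagefright MPEG4 covr</p>
<p>API</p>
<p>SELinux ( ) 2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3829</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.0</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_sonivox_parse_wave">Sonivox Parse_wave</h3>
<p>Sonivox XMF</p>
<p>API</p>
<p>SELinux ( ) 2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3836</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6">ANDROID-21132860</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflows_in_libstagefright_mpeg4extractor_cpp">libstagefright MPEG4Extractor.cpp</h3>
<!--
  NOTE(review): the paragraph below names Sonivox, but this section's heading
  is about libstagefright MPEG4Extractor.cpp and its fix link points at
  platform/frameworks/av. Presumably carried over from the previous section;
  confirm against the upstream bulletin text.
-->
<p>Sonivox MP4</p>
<p>API</p>
<p>SELinux ( )</p>
<p>() 2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3832</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b">ANDROID-19641538</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_mediaserver_bpmediahttpconnection">BpMediaHTTPConnection</h3>
<p>BpMediaHTTPConnection</p>
<p>API</p>
<p>SELinux ( )</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3831</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed">ANDROID-19400722</a>
      </td>
      <td></td>
      <td>5.0 5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="vulnerability_in_libpng_overflow_in_png_read_idat_data">libpng png_read_IDAT_data</h3>
<p>libpng png_read_IDAT_data() IDAT</p>
<p>API</p>
<p></p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-0973</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa">ANDROID-19499430</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant">wpa_supplicant p2p_add_device() memcpy()</h3>
<p>wpa_supplicant WLAN Direct p2p_add_device() Android Wifi</p>
<p></p>
<p>- Android WLAN Direct</p>
<p>- ( WiFi )</p>
<p>- wpa_supplicant Wifi</p>
<p>- Android 4.1 (ASLR)</p>
<p>- Android 5.0 SELinux wpa_supplicant</p>
<p>Wifi</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1863</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c">ANDROID-20076874</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="memory_corruption_in_opensslx509certificate_deserialization">OpenSSLX509Certificate</h3>
<p>(Intent)</p>
<p></p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3837</td>
      <td>
        <a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540">ANDROID-21437603</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_mediaserver_bnhdcp">BnHDCP</h3>
<p>libstagefright ()</p>
<p>SELinux ( )</p>
<p>2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3834</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced">ANDROID-20222489</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer">libstagefright OMXNodeInstance::emptyBuffer</h3>
<p>libstagefright</p>
<p>SELinux ( )</p>
<p>2015 6</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3835</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab">ANDROID-20634516</a>
        [<a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902">2</a>]
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr">AudioPolicyManager::getInputForAttr()</h3>
<p></p>
<p>API</p>
<p>SELinux ( )</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3842</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">ANDROID-21953516</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="applications_can_intercept_or_emulate_sim_commands_to_telephony">SIM</h3>
<p>SIM (STK) Android STK SIM</p>
<p></p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3843</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9">ANDROID-21697171</a>
        [<a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7">2</a>,
        <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4">3</a>,
        <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456">4</a>]
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="vulnerability_in_bitmap_unmarshalling"></h3>
<p>Bitmap_createFromParcel() system_server system_server</p>
<p>system_server ()</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1536</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb">ANDROID-19666945</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="appwidgetserviceimpl_can_create_intentsender_with_system_privileges">AppWidgetServiceImpl IntentSender</h3>
<p>AppWidgetServiceImpl FLAG_GRANT_READ/WRITE_URI_PERMISSION URI READ_CONTACTS</p>
<p></p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-1541</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07">ANDROID-19618745</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="mitigation_bypass_of_restrictions_on_getrecenttasks">getRecentTasks()</h3>
<p>Android 5.0 getRecentTasks()</p>
<p></p>
<p>
  <a href="https://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l">https://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l</a>
</p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3833</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e">ANDROID-20034603</a>
      </td>
      <td></td>
      <td>5.0 5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process">ActivityManagerService.getProcessRecordLocked() UID</h3>
<p>ActivityManager getProcessRecordLocked() ActivityManager</p>
<p></p>
<p></p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3844</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31">ANDROID-21669445</a>
      </td>
      <td></td>
      <td>5.1</td>
    </tr>
  </tbody>
</table>

<h3 id="unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata">3GPP libstagefright</h3>
<p>3GPP</p>
<p></p>
<table>
  <tbody>
    <tr>
      <th>CVE</th>
      <th>( AOSP )</th>
      <th></th>
      <th></th>
    </tr>
    <tr>
      <td>CVE-2015-3826</td>
      <td>
        <a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a>
      </td>
      <td></td>
      <td>5.0 5.1</td>
    </tr>
  </tbody>
</table>

<h2 id="revisions" style="margin-bottom:0px"></h2>
<hr/>
<ul>
  <li>2015 8 13</li>
</ul>

</body>
</html>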