1 <html devsite> 2 <head> 3 <title>Nexus - 2016 1 </title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p> 27 Google Android (OTA) 28 Nexus 29 Nexus 30 <a href="https://developers.google.com/android/nexus/images"> 31 Google 32 </a> 33 LMY49F 34 Android 6.0 ( 2016 1 1 ) 35 36 <a href="http://source.android.com/security/bulletin/2016-01-01.html#common_questions_and_answers"> 37 38 </a> 39 40 </p> 41 <p> 42 2015 12 7 43 44 Android (AOSP) 45 </p> 46 <p> 47 48 49 50 </p> 51 <p> 52 53 <a href="https://source.android.com/security/enhancements/"> 54 Android 55 </a> 56 ( SafetyNet) Android 57 <a href="http://source.android.com/security/bulletin/2016-01-01.html#mitigations"> 58 59 </a> 60 61 </p> 62 <h2 id="security_vulnerability_summary" style="margin-bottom:0px"> 63 64 </h2> 65 <hr/> 66 <p> 67 (CVE) 68 69 <a href="https://source.android.com/security/overview/updates-resources.html#severity"> 70 71 </a> 72 73 </p> 74 <table> 75 <tbody> 76 <tr> 77 <th> 78 79 </th> 80 <th> 81 CVE 82 </th> 83 <th> 84 85 </th> 86 </tr> 87 <tr> 88 <td> 89 90 </td> 91 <td> 92 CVE-2015-6636 93 </td> 94 <td> 95 96 </td> 97 </tr> 98 <tr> 99 <td> 100 misc-sd 101 </td> 102 <td> 103 CVE-2015-6637 104 </td> 105 <td> 106 107 </td> 108 </tr> 109 <tr> 110 <td> 111 Imagination Technologies 112 </td> 113 <td> 114 CVE-2015-6638 115 </td> 116 <td> 117 118 </td> 119 </tr> 120 <tr> 121 <td> 122 Trustzone 123 </td> 124 <td> 125 CVE-2015-6639<br /> 126 CVE-2015-6647 127 </td> 128 <td> 129 130 </td> 131 </tr> 132 <tr> 133 <td> 134 135 </td> 136 <td> 137 CVE-2015-6640 138 </td> 139 <td> 140 141 </td> 142 </tr> 143 <tr> 144 <td> 145 146 </td> 147 <td> 148 CVE-2015-6641 149 </td> 150 <td> 151 152 </td> 153 </tr> 154 <tr> 155 <td> 156 157 </td> 158 <td> 159 CVE-2015-6642 160 </td> 161 <td> 162 163 </td> 164 </tr> 165 <tr> 166 <td> 167 168 </td> 169 <td> 170 CVE-2015-6643 171 </td> 172 <td> 173 174 </td> 175 </tr> 176 <tr> 177 <td> 178 Wi-Fi 179 </td> 180 <td> 181 CVE-2015-5310 182 </td> 183 <td> 184 185 </td> 186 </tr> 187 <tr> 188 <td> 189 Bouncy Castle 190 </td> 191 <td> 192 CVE-2015-6644 193 </td> 194 <td> 195 196 </td> 197 </tr> 198 <tr> 199 <td> 200 SyncManager 201 </td> 202 <td> 203 CVE-2015-6645 204 </td> 205 <td> 206 207 </td> 208 </tr> 209 <tr> 210 <td> 211 Nexus 212 </td> 213 <td> 214 CVE-2015-6646 215 </td> 216 <td> 217 218 </td> 219 </tr> 220 </tbody> 221 </table> 222 <h2 id="mitigations" style="margin-bottom:0px"> 223 224 </h2> 225 <hr/> 226 <p> 227 228 <a href="https://source.android.com/security/enhancements/index.html"> 229 Android 230 </a> 231 SafetyNet 232 Android 233 234 </p> 235 <ul> 236 <li> 237 Android 238 Android 239 Android 240 </li> 241 <li> 242 Android SafetyNet 243 244 Google Play Root 245 Google Play 246 Root 247 248 249 250 251 </li> 252 <li> 253 Google Hangouts Messenger 254 255 </li> 256 </ul> 257 <h2 id="acknowledgements" style="margin-bottom:0px"> 258 259 </h2> 260 <hr/> 261 <p> 262 263 </p> 264 <ul> 265 <li> 266 Google Chrome Abhishek AryaOliver Chang Martin Barbella 267 CVE-2015-6636 268 </li> 269 <li> 270 ( 271 <a href="https://twitter.com/k33nteam"> @K33nTeam </a> 272 ) KEEN Sen Nie ( 273 <a href="https://twitter.com/@nforest_"> @nforest_ </a> 274 ) jfangCVE-2015-6637 275 </li> 276 <li> 277 Android Bionic Yabin CuiCVE-2015-6640 278 </li> 279 <li> 280 Google X Tom CraigCVE-2015-6641 281 </li> 282 <li> 283 Jann Horn ( 284 <a href="https://thejh.net/"> 285 https://thejh.net 286 </a> 287 )CVE-2015-6642 288 </li> 289 <li> 290 Jouni Malinen PGP EFC895FACVE-2015-5310 291 </li> 292 <li> 293 Google Quan NguyenCVE-2015-6644 294 </li> 295 <li> 296 Gal Beniamini ( 297 <a href="https://twitter.com/@laginimaineb"> @laginimaineb </a> 298 299 <a href="http://bits-please.blogspot.com/"> 300 http://bits-please.blogspot.com 301 </a> 302 )CVE-2015-6639 303 </li> 304 </ul> 305 <h2 id="security_vulnerability_details" style="margin-bottom:0px"> 306 307 </h2> 308 <hr/> 309 <p> 310 311 <a href="http://source.android.com/security/bulletin/2016-01-01.html#security_vulnerability_summary"> 312 313 </a> 314 315 316 CVE 317 AOSP 318 AOSP 319 320 </p> 321 <h3 id="remote_code_execution_vulnerability_in_mediaserver"> 322 323 </h3> 324 <p> 325 326 327 328 </p> 329 <p> 330 331 332 333 </p> 334 <p> 335 336 337 338 339 </p> 340 <table> 341 <tbody> 342 <tr> 343 <th> 344 CVE 345 </th> 346 <th> 347 ( AOSP ) 348 </th> 349 <th> 350 351 </th> 352 <th> 353 354 </th> 355 <th> 356 357 </th> 358 </tr> 359 <tr> 360 <td rowspan="2"> 361 CVE-2015-6636 362 </td> 363 <td> 364 <a href="https://android.googlesource.com/platform%2Fexternal%2Flibhevc/+/b9f7c2c45c6fe770b7daffb9a4e61522d1f12d51#"> 365 ANDROID-25070493 366 </a> 367 </td> 368 <td> 369 370 </td> 371 <td> 372 5.05.1.16.06.0.1 373 </td> 374 <td> 375 Google 376 </td> 377 </tr> 378 <tr> 379 <td> 380 <a href="https://android.googlesource.com/platform%2Fexternal%2Flibhevc/+/e8bfec1fa41eafa1fd8e05d0fdc53ea0f2379518"> 381 ANDROID-24686670 382 </a> 383 </td> 384 <td> 385 386 </td> 387 <td> 388 5.05.1.16.06.0.1 389 </td> 390 <td> 391 Google 392 </td> 393 </tr> 394 </tbody> 395 </table> 396 <h3 id="elevation_of_privilege_vulnerability_in_misc-sd_driver"> 397 misc-sd 398 </h3> 399 <p> 400 MediaTek misc-sd 401 402 403 (Re-flash) 404 405 </p> 406 <table> 407 <tbody> 408 <tr> 409 <th> 410 CVE 411 </th> 412 <th> 413 414 </th> 415 <th> 416 417 </th> 418 <th> 419 420 </th> 421 <th> 422 423 </th> 424 </tr> 425 <tr> 426 <td> 427 CVE-2015-6637 428 </td> 429 <td> 430 ANDROID-25307013* 431 </td> 432 <td> 433 434 </td> 435 <td> 436 4.4.45.05.1.16.06.0.1 437 </td> 438 <td> 439 2015 10 26 440 </td> 441 </tr> 442 </tbody> 443 </table> 444 <p> 445 * AOSP 446 447 <a href="https://developers.google.com/android/nexus/drivers"> 448 Google 449 </a> 450 Nexus 451 </p> 452 <h3 id="elevation_of_privilege_vulnerability_in_the_imagination_technologies_driver"> 453 Imagination Technologies 454 </h3> 455 <p> 456 Imagination Technologies 457 458 459 (Re-flash) 460 461 </p> 462 <table> 463 <tbody> 464 <tr> 465 <th> 466 CVE 467 </th> 468 <th> 469 470 </th> 471 <th> 472 473 </th> 474 <th> 475 476 </th> 477 <th> 478 479 </th> 480 </tr> 481 <tr> 482 <td> 483 CVE-2015-6638 484 </td> 485 <td> 486 ANDROID-24673908* 487 </td> 488 <td> 489 490 </td> 491 <td> 492 5.05.1.16.06.0.1 493 </td> 494 <td> 495 Google 496 </td> 497 </tr> 498 </tbody> 499 </table> 500 <p> 501 * AOSP 502 503 <a href="https://developers.google.com/android/nexus/drivers"> 504 Google 505 </a> 506 Nexus 507 </p> 508 <h3 id="elevation_of_privilege_vulnerabilities_in_trustzone"> 509 Trustzone 510 </h3> 511 <p> 512 Widevine QSEE TrustZone 513 QSEECOM 514 Trustzone 515 516 (Re-flash) 517 518 </p> 519 <table> 520 <tbody> 521 <tr> 522 <th> 523 CVE 524 </th> 525 <th> 526 527 </th> 528 <th> 529 530 </th> 531 <th> 532 533 </th> 534 <th> 535 536 </th> 537 </tr> 538 <tr> 539 <td> 540 CVE-2015-6639 541 </td> 542 <td> 543 ANDROID-24446875* 544 </td> 545 <td> 546 547 </td> 548 <td> 549 5.05.1.16.06.0.1 550 </td> 551 <td> 552 2015 9 23 553 </td> 554 </tr> 555 <tr> 556 <td> 557 CVE-2015-6647 558 </td> 559 <td> 560 ANDROID-24441554* 561 </td> 562 <td> 563 564 </td> 565 <td> 566 5.05.1.16.06.0.1 567 </td> 568 <td> 569 2015 9 27 570 </td> 571 </tr> 572 </tbody> 573 </table> 574 <p> 575 * AOSP 576 577 <a href="https://developers.google.com/android/nexus/drivers"> 578 Google 579 </a> 580 Nexus 581 </p> 582 <h3 id="elevation_of_privilege_vulnerability_in_kernel"> 583 584 </h3> 585 <p> 586 587 588 589 (Re-flash) 590 591 </p> 592 <table> 593 <tbody> 594 <tr> 595 <th> 596 CVE 597 </th> 598 <th> 599 ( AOSP ) 600 </th> 601 <th> 602 603 </th> 604 <th> 605 606 </th> 607 <th> 608 609 </th> 610 </tr> 611 <tr> 612 <td> 613 CVE-2015-6640 614 </td> 615 <td> 616 <a href="https://android.googlesource.com/kernel%2Fcommon/+/69bfe2d957d903521d32324190c2754cb073be15"> 617 ANDROID-20017123 618 </a> 619 </td> 620 <td> 621 622 </td> 623 <td> 624 4.4.45.05.1.16.0 625 </td> 626 <td> 627 Google 628 </td> 629 </tr> 630 </tbody> 631 </table> 632 <h3 id="elevation_of_privilege_vulnerability_in_bluetooth"> 633 634 </h3> 635 <p> 636 637 () 638 639 640 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel"> 641 642 </a> 643 ( 644 ) 645 </p> 646 <table> 647 <tbody> 648 <tr> 649 <th> 650 CVE 651 </th> 652 <th> 653 ( AOSP ) 654 </th> 655 <th> 656 657 </th> 658 <th> 659 660 </th> 661 <th> 662 663 </th> 664 </tr> 665 <tr> 666 <td> 667 CVE-2015-6641 668 </td> 669 <td> 670 <a href="https://android.googlesource.com/platform%2Fpackages%2Fapps%2FSettings/+/98f11fd1a4752beed56b5fe7a4097ec0ae0c74b3"> 671 ANDROID-23607427 672 </a> 673 [ 674 <a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/ccbe7383e63d7d23bac6bccc8e4094fe474645ec"> 675 2 676 </a> 677 ] 678 </td> 679 <td> 680 681 </td> 682 <td> 683 6.06.0.1 684 </td> 685 <td> 686 Google 687 </td> 688 </tr> 689 </tbody> 690 </table> 691 <h3 id="information_disclosure_vulnerability_in_kernel"> 692 693 </h3> 694 <p> 695 696 697 698 ( 699 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel"> 700 Signature 701 </a> 702 703 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel"> 704 SignatureOrSystem 705 </a> 706 ) 707 </p> 708 <table> 709 <tbody> 710 <tr> 711 <th> 712 CVE 713 </th> 714 <th> 715 716 </th> 717 <th> 718 719 </th> 720 <th> 721 722 </th> 723 <th> 724 725 </th> 726 </tr> 727 <tr> 728 <td> 729 CVE-2015-6642 730 </td> 731 <td> 732 ANDROID-24157888* 733 </td> 734 <td> 735 736 </td> 737 <td> 738 4.4.45.05.1.16.0 739 </td> 740 <td> 741 2015 9 12 742 </td> 743 </tr> 744 </tbody> 745 </table> 746 <p> 747 * AOSP 748 749 <a href="https://developers.google.com/android/nexus/drivers"> 750 Google 751 </a> 752 Nexus 753 754 </p> 755 <h3 id="elevation_of_privilege_vulnerability_in_setup_wizard"> 756 757 </h3> 758 <p> 759 760 761 762 763 764 </p> 765 <table> 766 <tbody> 767 <tr> 768 <th> 769 CVE 770 </th> 771 <th> 772 ( AOSP ) 773 </th> 774 <th> 775 776 </th> 777 <th> 778 779 </th> 780 <th> 781 782 </th> 783 </tr> 784 <tr> 785 <td> 786 CVE-2015-6643 787 </td> 788 <td> 789 <a href="https://android.googlesource.com/platform/packages/apps/Settings/+/665ac7bc29396fd5af2ecfdfda2b9de7a507daa0"> 790 ANDROID-25290269 791 </a> 792 [ 793 <a href="https://android.googlesource.com/platform/packages/apps/Settings/+/a7ff2e955d2509ed28deeef984347e093794f92b"> 794 2 795 </a> 796 ] 797 </td> 798 <td> 799 800 </td> 801 <td> 802 5.1.16.06.0.1 803 </td> 804 <td> 805 Google 806 </td> 807 </tr> 808 </tbody> 809 </table> 810 <h3 id="elevation_of_privilege_vulnerability_in_wi-fi"> 811 Wi-Fi 812 </h3> 813 <p> 814 Wi-Fi 815 Wi-Fi 816 817 818 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel"> 819 820 </a> 821 () 822 823 </p> 824 <table> 825 <tbody> 826 <tr> 827 <th> 828 CVE 829 </th> 830 <th> 831 ( AOSP ) 832 </th> 833 <th> 834 835 </th> 836 <th> 837 838 </th> 839 <th> 840 841 </th> 842 </tr> 843 <tr> 844 <td> 845 CVE-2015-5310 846 </td> 847 <td> 848 <a href="https://android.googlesource.com/platform%2Fexternal%2Fwpa_supplicant_8/+/1e9857b5f1dd84ac5a0ada0150b1b9c87d44d99d"> 849 ANDROID-25266660 850 </a> 851 </td> 852 <td> 853 854 </td> 855 <td> 856 4.4.45.05.1.16.06.0.1 857 </td> 858 <td> 859 2015 10 25 860 </td> 861 </tr> 862 </tbody> 863 </table> 864 <h3 id="information_disclosure_vulnerability_in_bouncy_castle"> 865 Bouncy Castle 866 </h3> 867 <p> 868 Bouncy Castle 869 870 871 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel"> 872 873 </a> 874 875 </p> 876 <table> 877 <tbody> 878 <tr> 879 <th> 880 CVE 881 </th> 882 <th> 883 ( AOSP ) 884 </th> 885 <th> 886 887 </th> 888 <th> 889 890 </th> 891 <th> 892 893 </th> 894 </tr> 895 <tr> 896 <td> 897 CVE-2015-6644 898 </td> 899 <td> 900 <a href="https://android.googlesource.com/platform/external/bouncycastle/+/3e128c5fea3a0ca2d372aa09c4fd4bb0eadfbd3f"> 901 ANDROID-24106146 902 </a> 903 </td> 904 <td> 905 906 </td> 907 <td> 908 4.4.45.05.1.16.06.0.1 909 </td> 910 <td> 911 Google 912 </td> 913 </tr> 914 </tbody> 915 </table> 916 <h3 id="denial_of_service_vulnerability_in_syncmanager"> 917 SyncManager 918 </h3> 919 <p> 920 SyncManager 921 922 923 924 </p> 925 <table> 926 <tbody> 927 <tr> 928 <th> 929 CVE 930 </th> 931 <th> 932 ( AOSP ) 933 </th> 934 <th> 935 936 </th> 937 <th> 938 939 </th> 940 <th> 941 942 </th> 943 </tr> 944 <tr> 945 <td> 946 CVE-2015-6645 947 </td> 948 <td> 949 <a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/c0f39c1ece72a05c796f7ba30b7a2b5b580d5025"> 950 ANDROID-23591205 951 </a> 952 </td> 953 <td> 954 955 </td> 956 <td> 957 4.4.45.05.1.16.0 958 </td> 959 <td> 960 Google 961 </td> 962 </tr> 963 </tbody> 964 </table> 965 <h3 id="attack_surface_reduction_for_nexus_kernels"> 966 Nexus 967 </h3> 968 <p> 969 Android SysV IPC 970 971 System V 972 IPC Android 973 974 CVE-2015-7613 975 </p> 976 <table> 977 <tbody> 978 <tr> 979 <th> 980 CVE 981 </th> 982 <th> 983 984 </th> 985 <th> 986 987 </th> 988 <th> 989 990 </th> 991 <th> 992 993 </th> 994 </tr> 995 <tr> 996 <td> 997 CVE-2015-6646 998 </td> 999 <td> 1000 ANDROID-22300191* 1001 </td> 1002 <td> 1003 1004 </td> 1005 <td> 1006 6.0 1007 </td> 1008 <td> 1009 Google 1010 </td> 1011 </tr> 1012 </tbody> 1013 </table> 1014 <p> 1015 * AOSP 1016 1017 <a href="https://developers.google.com/android/nexus/drivers"> 1018 Google 1019 </a> 1020 Nexus 1021 1022 </p> 1023 <h3 id="common_questions_and_answers"> 1024 1025 </h3> 1026 <p> 1027 1028 1029 </p> 1030 <p> 1031 <strong> 1032 1. 1033 </strong> 1034 </p> 1035 <p> 1036 LMY49F Android 6.0 1037 ( 2016 1 1 ) 1038 1039 <a href="https://support.google.com/nexus/answer/4457705"> 1040 Nexus 1041 </a> 1042 1043 1044 [ro.build.version.security_patch]:[2016-01-01] 1045 </p> 1046 <h2 id="revisions" style="margin-bottom:0px"> 1047 1048 </h2> 1049 <hr/> 1050 <ul> 1051 <li> 1052 2016 1 4 1053 </li> 1054 <li> 1055 2016 1 6 AOSP 1056 </li> 1057 </ul> 1058 1059 </body> 1060 </html> 1061