Docs: Create bulletins directory and add security bulletins
Bug: 25397867
Change-Id: I2e3e8ccdee39b8f9101922e68e58a170561c26e7
diff --git a/src/security/bulletin/2015-08-01.jd b/src/security/bulletin/2015-08-01.jd
new file mode 100644
index 0000000..396eb13
--- /dev/null
+++ b/src/security/bulletin/2015-08-01.jd
@@ -0,0 +1,880 @@
+page.title=Nexus Security Bulletin - August 2015
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<p><em>Published August 13, 2015</em></p>
+
+<p>We have released a security update to Nexus devices through an over-the-air
+(OTA) update as part of our Android Security Bulletin Monthly Release process.
+The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48I or later address these issues. Partners were notified about these
+issues on June 25, 2015 or earlier.</p>
+
+<p>The most severe of these issues is a Critical security vulnerability that could
+enable remote code execution on an affected device through multiple methods
+such as email, web browsing, and MMS when processing media files.</p>
+
+<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2>
+
+<p>The table below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
+affected device, assuming the platform and service mitigations are disabled for
+development purposes or if successfully bypassed. </p>
+<table>
+ <tr>
+ <th>Issue </th>
+ <th>CVE</th>
+ <th>Severity</th>
+ </tr>
+ <tr>
+ <td>Integer overflows during MP4 atom processing</td>
+ <td>CVE-2015-1538</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>An integer underflow in ESDS processing</td>
+ <td>CVE-2015-1539</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Integer overflow in libstagefright when parsing the MPEG4 tx3g atom</td>
+ <td>CVE-2015-3824</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Integer underflow in libstagefright when processing MPEG4 covr atoms</td>
+ <td>CVE-2015-3827</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Integer underflow in libstagefright if size is below 6 while processing 3GPP
+metadata</td>
+ <td>CVE-2015-3828</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Integer overflow in libstagefright processing MPEG4 covr atoms when
+chunk_data_size is SIZE_MAX</td>
+ <td>CVE-2015-3829</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Buffer overflow in Sonivox Parse_wave</td>
+ <td>CVE-2015-3836</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Buffer overflows in libstagefright MPEG4Extractor.cpp</td>
+ <td>CVE-2015-3832</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Buffer overflow in mediaserver BpMediaHTTPConnection</td>
+ <td>CVE-2015-3831</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Vulnerability in libpng: Overflow in png_Read_IDAT_data</td>
+ <td>CVE-2015-0973</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</td>
+ <td>CVE-2015-1863</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Memory Corruption in OpenSSLX509Certificate Deserialization</td>
+ <td>CVE-2015-3837</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Buffer overflow in mediaserver BnHDCP</td>
+ <td>CVE-2015-3834</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</td>
+ <td>CVE-2015-3835</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()</td>
+ <td>CVE-2015-3842</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Applications can intercept or emulate SIM commands to Telephony</td>
+ <td>CVE-2015-3843</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Vulnerability in Bitmap unmarshalling</td>
+ <td>CVE-2015-1536</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>AppWidgetServiceImpl can create IntentSender with system privileges</td>
+ <td>CVE-2015-1541</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>Mitigation bypass of restrictions on getRecentTasks()</td>
+ <td>CVE-2015-3833</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>ActivityManagerService.getProcessRecordLocked() may load a system UID
+application into the wrong process</td>
+ <td>CVE-2015-3844</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>Unbounded buffer read in libstagefright while parsing 3GPP metadata</td>
+ <td>CVE-2015-3826</td>
+ <td>Low</td>
+ </tr>
+</table>
+
+
+<h2 id=mitigations>Mitigations</h2>
+
+
+<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
+likelihood that security vulnerabilities can be successfully exploited on
+Android.</p>
+
+<ul>
+ <li> Exploitation for many issues on Android is made more difficult by enhancements
+in newer versions of the Android platform. We encourage all users to update to
+the latest version of Android where possible.
+ <li> The Android Security team is actively monitoring for abuse with Verify Apps and
+SafetyNet which will warn about potentially harmful applications about to be
+installed. Device rooting tools are prohibited within Google Play. To protect
+users who install applications from outside of Google Play, Verify Apps is
+enabled by default and will warn users about known rooting applications. Verify
+Apps attempts to identify and block installation of known malicious
+applications that exploit a privilege escalation vulnerability. If such an
+application has already been installed, Verify Apps will notify the user and
+attempt to remove any such applications.
+ <li> As appropriate, Google has updated the Hangouts and Messenger applications so
+that media is not automatically passed to vulnerable processes (such as
+mediaserver.)
+</ul>
+
+<h2 id=acknowledgements>Acknowledgements</h2>
+
+
+<p>We would like to thank these researchers for their contributions:</p>
+
+<ul>
+ <li> Joshua Drake: CVE-2015-1538, CVE-2015-3826
+ <li> Ben Hawkes: CVE-2015-3836
+ <li> Alexandru Blanda: CVE-2015-3832
+ <li> MichaĆ Bednarski: CVE-2015-3831, CVE-2015-3844, CVE-2015-1541
+ <li> Alex Copot: CVE-2015-1536
+ <li> Alex Eubanks: CVE-2015-0973
+ <li> Roee Hay and Or Peles: CVE-2015-3837
+ <li> Guang Gong: CVE-2015-3834
+ <li> Gal Beniamini: CVE-2015-3835
+ <li> Wish Wu*: CVE-2015-3842
+ <li> Artem Chaykin: CVE-2015-3843
+</ul>
+
+<p>*Wish is also our very first <a href="https://www.google.com/about/appsecurity/android-rewards/">Android Security Rewards</a> recipient!</p>
+
+<h3 id=integer_overflows_during_mp4_atom_processing>Integer overflows during MP4 atom processing</h3>
+
+
+<p>There are several potential integer overflows in libstagefright that could
+occur during MP4 atom processing, leading to memory corruption and potentially
+remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access. Note that under our previous severity rating
+guidelines, this was rated as a High severity vulnerability and was reported to
+partners as such. Under our new guidelines, published in June 2015, it is a
+Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-1538</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d">ANDROID-20139950</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398">2</a>]</td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+<h3 id=an_integer_underflow_in_esds_processing>An integer underflow in ESDS processing</h3>
+
+
+<p>There is a potential integer underflow in libstagefright that could occur
+during ESDS atom processing, leading to memory corruption and potentially
+remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access. Note that under our previous severity rating
+guidelines, this was rated as a High severity vulnerability and was reported to
+partners as such. Under our new guidelines, published in June 2015, it is a
+Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-1539</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c">ANDROID-20139950</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom>Integer overflow in libstagefright when parsing the MPEG4 tx3g atom</h3>
+
+
+<p>There is a potential integer overflow in libstagefright that could occur during
+MPEG4 tx3g data processing, leading to memory corruption and potentially remote
+code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access.</p>
+
+<p>Note that under our previous severity rating guidelines, this was rated as a
+High severity vulnerability and was reported to partners as such. Under our new
+guidelines, published in June 2015, it is a Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3824</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6">ANDROID-20923261</a> </td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms>Integer underflow in libstagefright when processing MPEG4 covr atoms</h3>
+
+
+<p>There is a potential integer underflow in libstagefright that could occur
+during MPEG4 data processing, leading to memory corruption and potentially
+remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access.</p>
+
+<p>Note that under our previous severity rating guidelines, this was rated as a
+High severity vulnerability and was reported to partners as such. Under our new
+guidelines, published in June 2015, it is a Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3827</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231">ANDROID-20923261</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata>Integer underflow in libstagefright if size is below 6 while processing 3GPP
+metadata</h3>
+
+
+<p>There is a potential integer underflow in libstagefright that could occur
+during 3GPP data processing, leading to memory corruption and potentially
+remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access. Note that under our previous severity rating
+guidelines, this was rated as a High severity vulnerability and was reported to
+partners as such. Under our new guidelines, published in June 2015, it is a
+Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3828</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
+ <td>Critical</td>
+ <td>5.0 and above</td>
+ </tr>
+</table>
+
+
+<h3 id=integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max>Integer overflow in libstagefright processing MPEG4 covr atoms when
+chunk_data_size is SIZE_MAX</h3>
+
+
+<p>There is a potential integer overflow in libstagefright that could occur during
+ MPEG4 covr data processing, leading to memory corruption and potentially
+remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access. Note that under our previous severity rating
+guidelines, this was rated as a High severity vulnerability and was reported to
+partners as such. Under our new guidelines, published in June 2015, it is a
+Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3829</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859">ANDROID-20923261</a></td>
+ <td>Critical</td>
+ <td>5.0 and above</td>
+ </tr>
+</table>
+
+
+<h3 id=buffer_overflow_in_sonivox_parse_wave>Buffer overflow in Sonivox Parse_wave</h3>
+
+
+<p>There is a potential buffer overflow in Sonivox that could occur during XMF
+data processing, leading to memory corruption and potentially remote code
+execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access. Note that under our previous severity rating
+guidelines, this was rated as a High severity vulnerability and was reported to
+partners as such. Under our new guidelines, published in June 2015, it is a
+Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3836</td>
+ <td><a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6">ANDROID-21132860</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=buffer_overflows_in_libstagefright_mpeg4extractor_cpp>Buffer overflows in libstagefright MPEG4Extractor.cpp</h3>
+
+
+<p>There are several buffer overflows in libstagefright that could occur during
+MP4 processing, leading to memory corruption and potentially remote code
+execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution as the privileged mediaserver service. While mediaserver is
+guarded with SELinux, it does have access to audio and video streams as well as
+access to privileged kernel driver device nodes on many devices that 3rd party
+apps cannot normally access.</p>
+
+<p>Initially this issue was reported as a local exploit (not remotely accessible).
+Note that under our previous severity rating guidelines, this was rated as a
+Moderate severity vulnerability and was reported to partners as such. Under our
+new guidelines, published in June 2015, it is a Critical severity issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3832</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b">ANDROID-19641538</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=buffer_overflow_in_mediaserver_bpmediahttpconnection>Buffer overflow in mediaserver BpMediaHTTPConnection</h3>
+
+
+<p>There is is a potential buffer overflow in BpMediaHTTPConnection when
+processing data provided by another application, leading to memory corruption
+and potentially code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as an application API. We don’t believe
+the issue is remotely exploitable.</p>
+
+<p>This issue is rated as a High severity due to the possibility of code execution
+as the privileged mediaserver service, from a local application. While
+mediaserver is guarded with SELinux, it does have access to audio and video
+streams as well as access to privileged kernel driver device nodes on many
+devices that 3rd party apps cannot normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3831</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed">ANDROID-19400722</a></td>
+ <td>High</td>
+ <td>5.0 and 5.1</td>
+ </tr>
+</table>
+
+
+<h3 id=vulnerability_in_libpng_overflow_in_png_read_idat_data>Vulnerability in libpng: Overflow in png_Read_IDAT_data</h3>
+
+
+<p>There is a potential buffer overflow that could occur in reading IDAT data
+within the png_read_IDAT_data() function in libpng, leading to memory
+corruption and potentially remote code execution within an application using
+this method.</p>
+
+<p>The affected functionality is provided as an application API. There may be
+applications that allow it to be reached with remote content, most notably
+messaging applications and browsers.</p>
+
+<p>This issue is rated as a High severity due to the possibility of remote code
+execution as an unprivileged application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-0973</td>
+ <td><a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa">ANDROID-19499430</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant>Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</h3>
+
+
+<p>When wpa_supplicant is operating in WLAN Direct mode, it's vulnerable to
+potential remote code execution due to an overflow in the p2p_add_device()
+method. Successful exploitation could result in code execution as the 'wifi'
+user in Android.</p>
+
+<p>There are several mitigations that can effect successful exploitation of this
+issue:</p>
+
+<p>- WLAN Direct is not enabled by default on most Android devices</p>
+
+<p>- Exploitation requires an attacker to be locally proximate (within WiFi range)</p>
+
+<p>- The wpa_supplicant process runs as the 'wifi' user which has limited access
+to the system</p>
+
+<p>- Remote exploitation is mitigated by ASLR on Android 4.1 and later devices.</p>
+
+<p>- The wpa_supplicant process is tightly constrained by SELinux policy on
+Android 5.0 and greater</p>
+
+<p>This issue is rated as High severity due to the possibility of remote code
+execution. While the 'wifi' service does have capabilities that are not
+normally accessible to 3rd party apps which could rate this as Critical, we
+believe the limited capabilities and level of mitigation warrant decreasing the
+severity to High.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-1863</td>
+ <td><a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c">ANDROID-20076874</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=memory_corruption_in_opensslx509certificate_deserialization>Memory Corruption in OpenSSLX509Certificate Deserialization</h3>
+
+
+<p>A malicious local application can send an Intent which, when deserialized by
+the receiving application, can decrement a value at an arbitrary memory
+address, leading to memory corruption and potentially code execution within the
+receiving application.</p>
+
+<p>This issue is rated as High severity because it can be used to gain privileges
+not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3837</td>
+ <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540">ANDROID-21437603</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=buffer_overflow_in_mediaserver_bnhdcp>Buffer overflow in mediaserver BnHDCP</h3>
+
+
+<p>There is is a potential integer overflow in libstagefright when processing data
+provided by another application, leading to memory (heap) corruption and
+potentially code execution as the mediaserver process.</p>
+
+<p>This issue is rated as High severity because it can be used to gain privileges
+not accessible to a third-party application. While mediaserver is guarded with
+SELinux, it does have access to audio and video streams as well as access to
+privileged kernel driver device nodes on many devices that 3rd party apps
+cannot normally access.</p>
+
+<p>Note that under our previous severity rating guidelines, this was rated as a
+Moderate severity vulnerability and was reported to partners as such. Under our
+new guidelines, published in June 2015, it is a High severity vulnerability.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3834</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced">ANDROID-20222489</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer>Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</h3>
+
+
+<p>There is is a potential buffer overflow in libstagefright when processing data
+provided by another application, leading to memory corruption and potentially
+code execution as the mediaserver process.</p>
+
+<p>This issue is rated as High severity because it can be used to gain privileges
+not accessible to a third-party application. While mediaserver is guarded with
+SELinux, it does have access to audio and video streams as well as access to
+privileged kernel driver device nodes on many devices that 3rd party apps
+cannot normally access.</p>
+
+<p>Note that under our previous severity rating guidelines, this was rated as a
+Moderate severity vulnerability and was reported to partners as such. Under our
+new guidelines, published in June 2015, it is a High severity vulnerability.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3835</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab">ANDROID-20634516</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902">2</a>]</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr>Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()</h3>
+
+
+<p>There is a heap overflow in mediaserver's Audio Policy Service that could allow
+a local application to execute arbitrary code in mediaserver's process.</p>
+
+<p>The affected functionality is provided as an application API. We don’t
+believe the issue is remotely exploitable.</p>
+
+<p>This issue is rated as a High severity due to the possibility of code execution
+as the privileged mediaserver service, from a local application. While
+mediaserver is guarded with SELinux, it does have access to audio and video
+streams as well as access to privileged kernel driver device nodes on many
+devices that 3rd party apps cannot normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3842</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">ANDROID-21953516</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=applications_can_intercept_or_emulate_sim_commands_to_telephony>Applications can intercept or emulate SIM commands to Telephony</h3>
+
+
+<p>There is a vulnerability in the SIM Toolkit (STK) framework that could allow
+apps to intercept or emulate certain STK SIM commands to Android's Telephony
+subsystem.</p>
+
+<p>This issue is rated at a High severity because it could allow an unprivileged
+app to access capabilities or data normally protected by a "signature" or
+"system" level permission.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3843</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9">ANDROID-21697171</a> [<a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7">2</a>, <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4">3</a>, <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456">4</a>]</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=vulnerability_in_bitmap_unmarshalling>Vulnerability in Bitmap unmarshalling</h3>
+
+
+<p>An integer overflow in Bitmap_createFromParcel() could allow an app to either
+crash the system_server process or read memory data from system_server.</p>
+
+<p>This issue is rated as Moderate severity due to the possibility of leaking
+sensitive data from the system_server process to an unprivileged local process.
+While this type of vulnerability would normally be rated as High severity, the
+severity has been reduced because the data that is leaked in a successful
+attack cannot be controlled by the attacking process and the consequence of an
+unsuccessful attack is to render the device temporarily unusable (requiring a
+reboot).</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-1536</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb">ANDROID-19666945</a></td>
+ <td>Moderate</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=appwidgetserviceimpl_can_create_intentsender_with_system_privileges>AppWidgetServiceImpl can create IntentSender with system privileges</h3>
+
+
+<p>There is a vulnerability in AppWidgetServiceImpl in the Settings app that
+allows an app to grant itself a URI permission by specifying
+FLAG_GRANT_READ/WRITE_URI_PERMISSION. For example, this could be exploited to
+read contact data without the READ_CONTACTS permission.</p>
+
+<p>This is rated as a Moderate severity vulnerability because it can allow a local
+app to access data normally protected by permissions with a "dangerous"
+protection level.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-1541 </td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07">ANDROID-19618745</a></td>
+ <td>Moderate</td>
+ <td>5.1 </td>
+ </tr>
+</table>
+
+
+<h3 id=mitigation_bypass_of_restrictions_on_getrecenttasks>Mitigation bypass of restrictions on getRecentTasks()</h3>
+
+
+<p>A local application can reliably determine the foreground application,
+circumventing the getRecentTasks() restriction introduced in Android 5.0.</p>
+
+<p>This is rated as a moderate severity vulnerability because it can allow a local
+app to access data normally protected by permissions with a "dangerous"
+protection level.</p>
+
+<p>We believe this vulnerability was first described publicly at:<a href="http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l">http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l</a></p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3833 </td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e">ANDROID-20034603</a></td>
+ <td>Moderate</td>
+ <td>5.0 and 5.1 </td>
+ </tr>
+</table>
+
+
+<h3 id=activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process>ActivityManagerService.getProcessRecordLocked() may load a system UID
+application into the wrong process</h3>
+
+
+<p>ActivityManager's getProcessRecordLocked() method doesn't properly verify that
+an application's process name matches the corresponding package name. In some
+cases, this can allow ActivityManager to load the wrong process for certain
+tasks.</p>
+
+<p>The implications are that an app can prevent Settings from being loaded or
+inject parameters for Settings fragments. We don't believe that this
+vulnerability can be used to execute arbitrary code as the "system" user.</p>
+
+<p>While the ability to access capabilities normally only accessible to "system"
+would be rated as a High severity, we rated this one as a Moderate due to the
+limited level of access granted by the vulnerability.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3844 </td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31">ANDROID-21669445</a></td>
+ <td>Moderate</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata>Unbounded buffer read in libstagefright while parsing 3GPP metadata</h3>
+
+
+<p>An integer underflow during parsing of 3GPP data can result in a read operation
+overrunning a buffer, causing mediaserver to crash.</p>
+
+<p>This issue was originally rated as a High severity and was reported to partners
+as such, but after further investigation it has been downgraded to Low severity
+as the impact is limited to crashing mediaserver.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3826</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
+ <td>Low</td>
+ <td>5.0 and 5.1</td>
+ </tr>
+</table>
+
+
+<h2 id=revisions>Revisions</h2>
+
+
+<ul>
+ <li> August 13, 2015: Originally Published
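Review bot: the Revisions list that closes 2015-08-01.jd opens `<ul>` and a single `<li>`, but as shown the file ends there with no closing `</ul>`; add it so the markup is balanced. In the getRecentTasks() section, the severity paragraph repeats the AppWidgetServiceImpl rationale word for word (access to data protected by a "dangerous" permission) although the description is about determining the foreground application, so the rationale should state what is actually exposed. That same paragraph writes "moderate" in lower case where the other sections use "Moderate", and "first described publicly at:" runs into the link with no space.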
diff --git a/src/security/bulletin/2015-09-01.jd b/src/security/bulletin/2015-09-01.jd
new file mode 100644
index 0000000..930d5ea
--- /dev/null
+++ b/src/security/bulletin/2015-09-01.jd
@@ -0,0 +1,384 @@
+page.title=Nexus Security Bulletin - September 2015
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p><em>Published September 9, 2015</em></p>
+
+<p>We have released a security update to Nexus devices through an over-the-air
+(OTA) update as part of our Android Security Bulletin Monthly Release process
+(Build LMY48M). The updates for Nexus devices and source code patches for these
+issues have also been released to the Android Open Source Project (AOSP) source
+repository. The most severe of these issues is a Critical security
+vulnerability that could enable remote code execution on an affected device.</p>
+
+<p>The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>.
+Builds LMY48M or later address these issues. Partners were notified about
+these issues on August 13, 2015 or earlier.</p>
+
+<p>We have not detected customer exploitation of the newly reported issues. The
+exception is the existing issue (CVE-2015-3636). Refer to the <a href="#mitigations">Mitigations</a> section for details on the
+<a href="{@docRoot}security/enhancements/index.html">Android security platform protections,</a> and service protections such as SafetyNet, which reduce the likelihood that
+security vulnerabilities can be successfully exploited on Android.</p>
+
+<p>Please note that both Critical security updates (CVE-2015-3864 and
+CVE-2015-3686) address already disclosed vulnerabilities. There are no newly
+disclosed Critical security vulnerabilities in this update. We encourage all
+customers to accept these updates to their devices.</p>
+
+<h2 id=security_vulnerability_summary>Security vulnerability summary</h2>
+
+
+<p>The table below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
+affected device, assuming the platform and service mitigations are disabled for
+development purposes or if successfully bypassed.</p>
+<table>
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerability in Mediaserver</td>
+ <td>CVE-2015-3864 </td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Kernel</td>
+ <td>CVE-2015-3636</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Binder</td>
+ <td>CVE-2015-3845<br />
+ CVE-2015-1528</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Keystore </td>
+ <td>CVE-2015-3863</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Region</td>
+ <td>CVE-2015-3849</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege vulnerability in SMS enables notification bypass.</td>
+ <td>CVE-2015-3858</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Lockscreen</td>
+ <td>CVE-2015-3860</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>Denial of Service Vulnerability in Mediaserver </td>
+ <td>CVE-2015-3861</td>
+ <td>Low</td>
+ </tr>
+</table>
+
+
+<h2 id=mitigations>Mitigations</h2>
+
+
+<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
+likelihood that security vulnerabilities can be successfully exploited on
+Android.</p>
+
+<ul>
+ <li> Exploitation for many issues on Android is made more difficult by enhancements
+in newer versions of the Android platform. We encourage all users to update to
+the latest version of Android where possible.
+ <li> The Android Security team is actively monitoring for abuse with Verify Apps and
+SafetyNet which will warn about potentially harmful applications about to be
+installed. Device rooting tools are prohibited within Google Play. To protect
+users who install applications from outside of Google Play, Verify Apps is
+enabled by default and will warn users about known rooting applications. Verify
+Apps attempts to identify and block installation of known malicious
+applications that exploit a privilege escalation vulnerability. If such an
+application has already been installed, Verify Apps will notify the user and
+attempt to remove any such applications.
+ <li> As appropriate, Google Hangouts and Messenger applications do not automatically
+pass media to processes such as mediaserver.
+</ul>
+
+<h2 id=acknowledgements>Acknowledgements</h2>
+
+
+<p>We would like to thank these researchers for their contributions:</p>
+
+<ul>
+ <li> Jordan Gruskovnjak of Exodus Intelligence (@jgrusko): CVE-2015-3864
+ <li> MichaĆ Bednarski: CVE-2015-3845
+ <li> Guang Gong of Qihoo 360 Technology Co. Ltd (@oldfresher): CVE-2015-1528
+ <li> Brennan Lautner: CVE-2015-3863
+ <li> jgor (@indiecom): CVE-2015-3860
+ <li> Wish Wu of Trend Micro Inc. (@wish_wu): CVE-2015-3861
+</ul>
+
+<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>
+
+
+<p>In the sections below, we provide details for each of the security
+vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table
+with the CVE, associated bug, severity, affected versions, and date reported.
+Where available, we’ve linked the AOSP commit that addressed the issue to the
+bug ID. When multiple changes relate to a single bug, additional AOSP
+references are linked to numbers following the bug ID.</p>
+
+<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3>
+
+
+<p>During media file and data processing of a specially crafted file,
+vulnerabilities in mediaserver could allow an attacker to cause memory
+corruption and remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as a core part of the operating system
+and there are multiple applications that allow it to be reached with remote
+content, most notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution within the context of the mediaserver service. The mediaserver
+service has access to audio and video streams as well as access to privileges
+that third-party apps cannot normally access.</p>
+
+<p>This issue is related to the already reported CVE-2015-3824 (ANDROID-20923261).
+ The original security update was not sufficient to address a variant of this
+originally reported issue.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3864</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968">ANDROID-23034759</a></td>
+ <td>Critical</td>
+ <td> 5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_privilege_vulnerability_in_kernel>Elevation Privilege Vulnerability in Kernel</h3>
+
+
+<p>An elevation of privilege vulnerability in the Linux kernel's handling of ping
+sockets could allow a malicious application to execute arbitrary code in
+context of the kernel.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of code
+execution in a privileged service that can bypass device protections,
+potentially leading to permanent compromise (i.e., requiring re-flashing the
+system partition) on some devices.</p>
+
+<p>This issue was first publicly identified on May 01, 2015. An exploit of this
+vulnerability has been included in a number of “rooting” tools that may be used
+by the device owner to modify the firmware on their device.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3636 </td>
+ <td><a href="https://github.com/torvalds/linux/commit/a134f083e79f">ANDROID-20770158</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_binder>Elevation of Privilege Vulnerability in Binder </h3>
+
+
+<p>An elevation of privilege vulnerability in Binder could allow a malicious
+application to execute arbitrary code within the context of the another app’s
+process.</p>
+
+<p>This issue is rated as High severity because it allows a malicious application
+to gain privileges not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3845</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20">ANDROID-17312693</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-1528</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254">ANDROID-19334482</a> [<a href="https://android.googlesource.com/platform/system/core/+/e8c62fb484151f76ab88b1d5130f38de24ac8c14">2</a>]</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_keystore>Elevation of Privilege Vulnerability in Keystore</h3>
+
+
+<p>A elevation of privilege vulnerability in Keystore could allow a malicious
+application to execute arbitrary code within the context of the keystore
+service. This could allow unauthorized use of keys stored by Keystore,
+including hardware-backed keys.</p>
+
+<p>This issue is rated as High severity because it can be used to gain privileges
+not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3863</td>
+ <td><a href="https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b">ANDROID-22802399</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_region>Elevation of Privilege Vulnerability in Region </h3>
+
+
+<p>An elevation of privilege vulnerability in Region could, through creation of a
+malicious message to a service, allow a malicious application to execute
+arbitrary code within the context of the target service.</p>
+
+<p>This issue is rated as High severity because it can be used to gain privileges
+not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3849</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885">ANDROID-20883006</a> [<a href="https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3">2</a>]</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_sms_enables_notification_bypass>Elevation of Privilege vulnerability in SMS enables notification bypass </h3>
+
+
+<p>A elevation of privilege vulnerability in the way that Android processes SMS
+messages could enable a malicious application to send an SMS message that
+bypasses the premium-rate SMS warning notification.</p>
+
+<p>This issue is rated as High severity because it can be used to gain privileges
+not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3858</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586">ANDROID-22314646</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_lockscreen>Elevation of Privilege Vulnerability in Lockscreen</h3>
+
+
+<p>An elevation of privilege vulnerability in Lockscreen could allow a malicious
+user to bypass the lockscreen by causing it to crash. This issue is classified
+as a vulnerability only on Android 5.0 and 5.1. While it's possible to cause
+the System UI to crash from the lockscreen in a similar way on 4.4, the home
+screen cannot be accessed and the device must be rebooted to recover.</p>
+
+<p>This issue is rated as a Moderate severity because it potentially allows
+someone with physical access to a device to install third-party apps without
+the device's owner approving the permissions. It can also allow the attacker to
+view contact data, phone logs, SMS messages, and other data that is normally
+protected with a "dangerous" level permission.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3860</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590">ANDROID-22214934</a></td>
+ <td>Moderate</td>
+ <td>5.1 and 5.0</td>
+ </tr>
+</table>
+
+
+<h3 id=denial_of_service_vulnerability_in_mediaserver>Denial of Service Vulnerability in Mediaserver</h3>
+
+
+<p>A denial of service vulnerability in mediaserver could allow a local attacker
+to temporarily block access to an affected device.</p>
+
+<p>This issue is rated as a Low severity because a user could reboot into safe
+mode to remove a malicious application that is exploiting this issue. It is
+also possible to cause mediaserver to process the malicious file remotely
+through the web or over MMS, in that case the mediaserver process crashes and
+the device remains usable.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected Versions</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3861</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0">ANDROID-21296336</a></td>
+ <td>Low</td>
+ <td>5.1 and below</td>
+ </tr>
+</table>
+
+
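Review bot: the introduction of 2015-09-01.jd names the two Critical fixes as "CVE-2015-3864 and CVE-2015-3686", but the paragraph before it and both the summary and detail tables give the kernel issue as CVE-2015-3636; this looks like transposed digits and should read CVE-2015-3636. The Mediaserver section also refers to "CVE-2015-3824 (ANDROID-20923261)", while the August file in this same change pairs ANDROID-20923261 with CVE-2015-3826, so one of the two references needs correcting. Smaller points: the kernel heading and its id read "Elevation Privilege Vulnerability" without "of"; the Keystore and SMS descriptions start with "A elevation"; the Binder description says "the another app's process"; the details introduction promises a "date reported" column that none of the tables in this file have; and the name "MichaĆ Bednarski" in the acknowledgements appears mis-encoded, so check the file is saved as UTF-8.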
diff --git a/src/security/bulletin/2015-10-01.jd b/src/security/bulletin/2015-10-01.jd
new file mode 100644
index 0000000..2e9f112
--- /dev/null
+++ b/src/security/bulletin/2015-10-01.jd
@@ -0,0 +1,798 @@
+page.title=Nexus Security Bulletin - October 2015
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p><em>Published October 05, 2015 | Updated October 12, 2015</em></p>
+
+<p>We have released a security update to Nexus devices through an over-the-air
+(OTA) update as part of our Android Security Bulletin Monthly Release process.
+The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48T or later (such as LMY48W) and Android M with Security Patch
+Level of October 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. </p>
+
+<p>Partners were notified about these issues on September 10, 2015 or earlier.
+Source code patches for these issues have been released to the Android Open
+Source Project (AOSP) repository.</p>
+
+<p>The most severe of these issues is a Critical security vulnerability that could
+enable remote code execution on an affected device through multiple methods
+such as email, web browsing, and MMS when processing media files.</p>
+
+<p>We have had no reports of active customer exploitation of these newly reported
+issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="{@docRoot}security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the
+Android platform. We encourage all customers to accept these updates to their
+devices. </p>
+
+<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2>
+
+
+<p>The table below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
+affected device, assuming the platform and service mitigations are disabled for
+development purposes or if successfully bypassed. </p>
+<table>
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerabilities in libstagefright </td>
+ <td>CVE-2015-3873<br />
+ CVE-2015-3872<br />
+ CVE-2015-3871<br />
+ CVE-2015-3868<br />
+ CVE-2015-3867<br />
+ CVE-2015-3869<br />
+ CVE-2015-3870<br />
+ CVE-2015-3823<br />
+ CVE-2015-6598<br />
+ CVE-2015-6599<br />
+ CVE-2015-6600<br />
+ CVE-2015-3870<br />
+ CVE-2015-6601<br />
+ CVE-2015-3876<br />
+ CVE-2015-6604</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerabilities in Sonivox</td>
+ <td>CVE-2015-3874</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerabilities in libutils</td>
+ <td>CVE-2015-3875<br />
+ CVE-2015-6602</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerability in Skia</td>
+ <td>CVE-2015-3877</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerability in libFLAC</td>
+ <td>CVE-2014-9082</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in KeyStore</td>
+ <td>CVE-2015-3863</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Media Player Framework</td>
+ <td>CVE-2015-3879</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Android Runtime</td>
+ <td>CVE-2015-3865</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerabilities in Mediaserver </td>
+ <td>CVE-2015-6596</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Secure Element Evaluation Kit</td>
+ <td>CVE-2015-6606</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Media Projection</td>
+ <td>CVE-2015-3878</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Bluetooth</td>
+ <td> CVE-2015-3847</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerabilities in SQLite</td>
+ <td>CVE-2015-6607</td>
+ <td>Moderate</td>
+ </tr>
+ <tr>
+ <td>Denial of Service Vulnerabilities in Mediaserver</td>
+ <td>CVE-2015-6605<br />
+ CVE-2015-3862</td>
+ <td>Low</td>
+ </tr>
+</table>
+
+
+<h2 id=mitigations>Mitigations</h2>
+
+
+<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
+likelihood that security vulnerabilities can be successfully exploited on
+Android. </p>
+
+<ul>
+ <li> Exploitation for many issues on Android is made more difficult by enhancements
+in newer versions of the Android platform. We encourage all users to update to
+the latest version of Android where possible.
+ <li> The Android Security team is actively monitoring for abuse with Verify Apps and
+SafetyNet which will warn about potentially harmful applications about to be
+installed. Device rooting tools are prohibited within Google Play. To protect
+users who install applications from outside of Google Play, Verify Apps is
+enabled by default and will warn users about known rooting applications. Verify
+Apps attempts to identify and block installation of known malicious
+applications that exploit a privilege escalation vulnerability. If such an
+application has already been installed, Verify Apps will notify the user and
+attempt to remove any such applications.
+ <li> As appropriate, Google has updated the Hangouts and Messenger applications so
+that media is not automatically passed to vulnerable processes (such as
+mediaserver.)
+</ul>
+
+<h2 id=acknowledgements>Acknowledgements</h2>
+
+
+<p>We would like to thank these researchers for their contributions:</p>
+
+<ul>
+ <li> Brennan Lautner: CVE-2015-3863
+ <li> Yajin Zhou, Lei Wu, and Xuxian Jiang of C0re Team from Qihoo 360: CVE-2015-3868,
+CVE-2015-3869, CVE-2015-3865, CVE-2015-3862
+ <li> Daniel Micay (daniel.micay@copperhead.co) at Copperhead Security: CVE-2015-3875
+ <li> dragonltx of Alibaba Mobile Security Team: CVE-2015-6599
+ <li> Ian Beer and Steven Vittitoe of Google Project Zero: CVE-2015-6604
+ <li> Joaquín Rinaudo (@xeroxnir) and Iván Arce (@4Dgifts) of Programa STIC at
+Fundación Dr. Manuel Sadosky, Buenos Aires Argentina: CVE-2015-3870
+ <li> Josh Drake of Zimperium: CVE-2015-3876, CVE-2015-6602
+ <li> Jordan Gruskovnjak of Exodus Intelligence (@jgrusko): CVE-2015-3867
+ <li> Peter Pi of Trend Micro: CVE-2015-3872, CVE-2015-3871
+ <li> Ping Li of Qihoo 360 Technology Co. Ltd: CVE-2015-3878
+ <li> Seven Shen: CVE-2015-6600, CVE-2015-3847
+ <li> Wangtao(neobyte) of Baidu X-Team: CVE-2015-6598
+ <li> Wish Wu of Trend Micro Inc. (@wish_wu): CVE-2015-3823
+</ul>
+
+<p>We would also like to acknowledge the contributions of the Chrome Security
+Team, Google Security Team, Project Zero, and other individuals within Google
+for reporting several issues fixed in this bulletin.</p>
+
+<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>
+
+
+<p>In the sections below, we provide details for each of the security
+vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table
+with the CVE, associated bug, severity, affected versions, and date reported.
+Where available, we’ve linked the AOSP commit that addressed the issue to the
+bug ID. When multiple changes relate to a single bug, additional AOSP
+references are linked to numbers following the bug ID.</p>
+
+<h3 id=remote_code_execution_vulnerabilities_in_libstagefright>Remote Code Execution Vulnerabilities in libstagefright</h3>
+
+
+<p>Vulnerabilities in libstagefright exist that could allow an attacker, during
+media file and data processing of a specially crafted file, to cause memory
+corruption and remote code execution in the mediaserver service.</p>
+
+<p>These issues are rated as a Critical severity due to the possibility of remote
+code execution as a privileged service. The affected components have access to
+audio and video streams as well as access to privileges that third-party
+applications cannot normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td rowspan="14">CVE-2015-3873</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c23e3dd8af7397f023aae040c4a03dd14091cbed">ANDROID-20674086</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/9abb7401df730b5c510f6b8dac2716a0928d9623">2</a>,<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/b62a73b860757143d3b140b2985fdae71e18d675">3</a>,<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/b2ae4351539de9aa4667fcb3e02ba40d9c6bd094">4</a>]</td>
+ <td rowspan="13">Critical</td>
+ <td rowspan="13">5.1 and below</td>
+ <td rowspan="13">Google Internal </td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3fd96683850cf27648e036180acb149fac362242">ANDROID-20674674</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/65842db06c2d77e53cc5ac61692160d844cc7d0a">2</a>,<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/38eff9af5c032bf12f89d6e94df05f65eef51afc">3</a>,<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/91860b89488b3ee4644c539e89e657fbb79fb6ad">4</a>]</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/2e941e40ce76eb13b273479a4ee8fb6e40d33795">ANDROID-20718524 </a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/06ca06ac6107f88530cc67225c47537621bb41a5">ANDROID-21048776</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/dc5e47f013bfbb74c5c35ad976aa98d480cb351b">ANDROID-21443020</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f11e95b21007f24e5ab77298370855f9f085b2d7">ANDROID-21814993 </a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f810a8298aea13fa177060cdc10c8297eac69c49">ANDROID-22008959 </a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/7913508110c80da87fb085514208adbd874d7d54">ANDROID-22077698</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/073e4f6748f5d7deb095c42fad9271cb99e22d07">ANDROID-22388975</a> </td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/bf47eb9c67ed364f3c288954857aab9d9311db4c">ANDROID-22845824</a> </td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/b158a9a5bcfe21480f57bc58d45517f1a81cca39">ANDROID-23016072</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5a132594b531f1f48098a790927f82080cc27f61">ANDROID-23247055 </a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d2ebc0b9e147f9406db20ec4df61da50e3614ee4">ANDROID-23248776</a> </td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3179e3b3531b5fe93dc7f5b2c378e27010a406d5">ANDROID-20721050</a></td>
+ <td>Critical</td>
+ <td>5.0 and 5.1</td>
+ <td>Google Internal </td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3823</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/407d475b797fdc595299d67151230dc6e3835ccd">ANDROID-21335999 </a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>May 20, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-6600</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/e6f5d47a7f9eab8a0009f8a563de473cd47d3110">ANDROID-22882938 </a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Jul 31, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-6601</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/738a753a3ca7bf8f9f608ca941575626265294e4">ANDROID-22935234</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 3, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3869</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/450e1015b7939292ca988dd1b4f0303a094478e9">ANDROID-23036083</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 4, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3870</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/4bce636865bdf0e2a79fc9a5d9a69107649c850d">ANDROID-22771132</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 5, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3871</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c570778430a22b5488cae72982cf9fb8033dbda3">ANDROID-23031033</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 6, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3868</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/937c6bedd4b6e5c6cb29a238eb459047dedd3486">ANDROID-23270724</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 6, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-6604</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f51115bd8e44c2779b74477277c6f6046916e7cf">ANDROID-23129786</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 11, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3867</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/7e9ac3509d72e8dc6f1316b5ce0a0066638b9737">ANDROID-23213430</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 14, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-6603</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b">ANDROID-23227354 </a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 15,2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3876</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c580c836c1941fb4912e1dd4e08626caf98a62c7">ANDROID-23285192</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 15, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-6598</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/ba6093a4c6997b9d36d9700ee8c974941bf82e3a">ANDROID-23306638</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 18, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3872</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/4d46f6f18f5160b8992ec1e66ef1844212fc7d48">ANDROID-23346388</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 19, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-6599</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/af7e33f6043c0be1c0310d675884e3b263ca2438">ANDROID-23416608 </a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 21, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=remote_code_execution_vulnerabilities_in_sonivox>Remote Code Execution Vulnerabilities in Sonivox</h3>
+
+
+<p>Vulnerabilities in Sonivox exist that could allow an attacker, during media
+file processing of a specially crafted file, to cause memory corruption and
+remote code execution in the mediaserver service. This issue is rated as a
+Critical severity due to the possibility of remote code execution as a
+privileged service. The affected component has access to audio and video
+streams as well as access to privileges that third-party applications cannot
+normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td rowspan="3">CVE-2015-3874</td>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fsonivox/+/8cbef48ba6e3d3f844b895f8ca1a1aee74414fff">ANDROID-23335715</a> </td>
+ <td rowspan="3">Critical</td>
+ <td rowspan="3">5.1 and below</td>
+ <td rowspan="3">Multiple</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fsonivox/+/5d2e7de37d4a28cf25cc5d0c64b3a29c1824dc0a">ANDROID-23307276</a> [<a href="https://android.googlesource.com/platform%2Fexternal%2Fsonivox/+/f333a822c38c3d92f40e8f1686348e6a62c291">2</a>]</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fsonivox/+/8a9f53ee2c661e8b5b94d6e9fbb8af3baa34310d">ANDROID-23286323</a></td>
+ </tr>
+</table>
+
+
+<h3 id=remote_code_execution_vulnerabilities_in_libutils>Remote Code Execution Vulnerabilities in libutils </h3>
+
+
+<p>Vulnerabilities in libutils, a generic library, exist in audio file processing.
+These vulnerabilities could allow an attacker, during processing of a specially
+crafted file, to cause memory corruption and remote code execution in a service
+that uses this library such as mediaserver.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, most
+notably MMS and browser playback of media. This issue is rated as a Critical
+severity due to the possibility of remote code execution in a privileged
+service. The affected component has access to audio and video streams as well
+as access to privileges that third-party apps cannot normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3875</td>
+ <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/0cc9a6e6e1f8e675c1238e5e05418cabcc699b52">ANDROID-22952485</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 15, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-6602</td>
+ <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/e0dce90b0de2b2b7c2baae8035f810a55526effb">ANDROID-23290056</a> [<a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/5b85b1d40d619c2064d321364f212ebfeb6ba185">2</a>]</td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Aug 15, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=remote_code_execution_vulnerability_in_skia>Remote Code Execution Vulnerability in Skia</h3>
+
+
+<p>A vulnerability in the Skia component may be leveraged when processing a
+specially crafted media file, that could lead to memory corruption and remote
+code execution in a privileged process. This issue is rated as a Critical
+severity due to the possibility of remote code execution through multiple
+attack methods such as email, web browsing, and MMS when processing media
+files.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3877</td>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fskia/+/55ad31336a6de7037139820558c5de834797c09e">ANDROID-20723696</a></td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Jul 30, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=remote_code_execution_vulnerabilities_in_libflac>Remote Code Execution Vulnerabilities in libFLAC</h3>
+
+
+<p>A vulnerability in libFLAC exists in media file processing. These
+vulnerabilities could allow an attacker, during processing of a specially
+crafted file, to cause memory corruption and remote code execution.</p>
+
+<p>The affected functionality is provided as an application API and there are
+multiple applications that allow it to be reached with remote content, such as
+browser playback of media. This issue is rated as a Critical severity due to
+the possibility of remote code execution in a privileged service. The affected
+component has access to audio and video streams as well as access to privileges
+that third-party apps cannot normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2014-9028</td>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fflac/+/fe03f73d86bb415f5d5145f0de091834d89ae3a9">ANDROID-18872897</a> [<a href="https://android.googlesource.com/platform%2Fexternal%2Fflac/+/5859ae22db0a2d16af3e3ca19d582de37daf5eb6">2</a>]</td>
+ <td>Critical</td>
+ <td>5.1 and below</td>
+ <td>Nov 14, 2014</td>
+ </tr>
+</table>
+
+
+<p>
+</p>
+
+<h3 id=elevation_of_privilege_vulnerability_in_keystore>Elevation of Privilege Vulnerability in KeyStore</h3>
+
+
+<p>An elevation of privilege vulnerability in the KeyStore component may be
+leveraged by a malicious application when calling into the KeyStore APIs. This
+application could cause memory corruption and arbitrary code execution in the
+context of KeyStore. This issue is rated as High severity because it can be
+used to access privileges which are not directly accessible to a third-party
+application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3863</td>
+ <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fsecurity/+/0d5935262dbbcaf2cf6145529ffd71a728ef4609">ANDROID-22802399</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ <td>Jul 28, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_media_player_framework>Elevation of Privilege Vulnerability in Media Player Framework</h3>
+
+
+<p>An elevation of privilege vulnerability in the media player framework component
+could allow a malicious application to execute arbitrary code within the
+context of mediaserver. This issue is rated as High severity because it allows
+a malicious application to access privileges not accessible to a third-party
+application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3879</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/aa4da6fa7ca2454f0713de0a5a583b5b8160166b">ANDROID-23223325</a> [2]*</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ <td>Aug 14, 2015</td>
+ </tr>
+</table>
+
+
+<p>* A second change for this issue is not in AOSP. The update is contained in the
+latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.
+</p>
+
+<h3 id=elevation_of_privilege_vulnerability_in_android_runtime>Elevation of Privilege Vulnerability in Android Runtime</h3>
+
+
+<p>An elevation of privilege vulnerability in Android Runtime can enable a local
+malicious application to execute arbitrary code within the context of an
+elevated system application. This issue is rated as High severity because it
+can be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3865</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/ff8dc21278b19b22ed8dc9f9475850838336d351">ANDROID-23050463</a> [<a href="https://android.googlesource.com/platform%2Fcts/+/3f7334822ba4cc53f81f22f3519093bf4e1d7f89">2</a>]</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ <td>Aug 8, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerabilities_in_mediaserver>Elevation of Privilege Vulnerabilities in Mediaserver</h3>
+
+
+<p>There are multiple vulnerabilities in mediaserver that can enable a local
+malicious application to execute arbitrary code within the context of a
+privileged native service. This issue is rated as High severity because it can
+be used to access privileges that are not directly accessible to a third-party
+application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td rowspan="3">CVE-2015-6596</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/b97ee930e4f7ed1587b869c92b4aa1dc90b641cc">ANDROID-20731946</a></td>
+ <td rowspan="2">High</td>
+ <td rowspan="2">5.1 and below</td>
+ <td rowspan="2">Multiple</td>
+ </tr>
+ <tr>
+ <td>ANDROID-20719651*</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/9ef830c6dbd4f6000b94abee3df14b9e27a38294">ANDROID-19573085</a></td>
+ <td>High</td>
+ <td>5.0 - 6.0</td>
+ <td>Google Internal</td>
+ </tr>
+</table>
+
+
+<p>* The patch for this issue is not in AOSP. The update is contained in the
+latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.
+</p>
+
+<h3 id=elevation_of_privilege_vulnerability_in_secure_element_evaluation_kit>Elevation of Privilege Vulnerability in Secure Element Evaluation Kit</h3>
+
+
+<p>A vulnerability in the <a href="http://seek-for-android.github.io/">SEEK</a> (Secure Element Evaluation Kit, a.k.a. the SmartCard API) plugin could allow
+an application to obtain elevated permissions without requesting them. This
+issue is rated as High severity because it can be used to gain elevated
+capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications. </p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-6606</td>
+ <td>ANDROID-22301786*</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ <td>Jun 30, 2015</td>
+ </tr>
+</table>
+
+
+<p>* The upgrade that addresses this issue is located at the <a href="http://seek-for-android.github.io/">SEEK for Android site</a>.
+</p>
+
+<h3 id=elevation_of_privilege_vulnerability_in_media_projection>Elevation of Privilege Vulnerability in Media Projection</h3>
+
+
+<p>A vulnerability in the Media Projection component can allow user data to be
+disclosed in the form of screen snapshots. The issue is a result of the
+operating system allowing overly long application names. The use of these long
+names by a local malicious application may prevent a warning about screen
+recording from being visible by the user. This issue is rated as Moderate
+severity because it can be used to improperly gain elevated permissions.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3878</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/b3145760db5d58a107fd1ffd8eeec67d983d45f3">ANDROID-23345192</a></td>
+ <td>Moderate</td>
+ <td>5.0 - 6.0</td>
+ <td> Aug 18, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_bluetooth>Elevation of Privilege Vulnerability in Bluetooth</h3>
+
+
+<p>A vulnerability in Android's Bluetooth component could allow an application to
+delete stored SMS messages. This issue is rated as Moderate severity because it
+can be used to improperly gain elevated permissions.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-3847</td>
+ <td><a href="https://android.googlesource.com/platform%2Fpackages%2Fapps%2FBluetooth/+/19004c751f36aa2b01d3e03d4f761d8897542bd2">ANDROID-22343270</a></td>
+ <td>Moderate</td>
+ <td>5.1 and below</td>
+ <td>Jul 8, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerabilities_in_sqlite>
+Elevation of Privilege Vulnerabilities in SQLite</h3>
+
+
+<p>Multiple vulnerabilities were discovered in the SQLite parsing engine. These
+vulnerabilities may be exploitable by a local application that can cause
+another application or service to execute arbitrary SQL queries. Successful
+exploitation could result in arbitrary code execution in the context of the
+target application.</p>
+
+<p>A fix was uploaded to AOSP master on April 8, 2015, upgrading the SQLite
+version to 3.8.9: <a href="https://android-review.googlesource.com/#/c/145961/">https://android-review.googlesource.com/#/c/145961/</a></p>
+
+<p>This bulletin contains patches for the SQLite versions in Android 4.4 (SQLite
+3.7.11) and Android 5.0 and 5.1 (SQLite 3.8.6).</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-6607</td>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fsqlite/+/3fcd43a0f1ef02756029e12af3cb9ba9faa13364">ANDROID-20099586</a></td>
+ <td>Moderate</td>
+ <td> 5.1 and below</td>
+ <td>April 7, 2015<br />Publicly Known</td>
+ </tr>
+</table>
+
+
+<h3 id=denial_of_service_vulnerabilities_in_mediaserver>
+Denial of Service Vulnerabilities in Mediaserver</h3>
+
+
+<p>There are multiple vulnerabilities in mediaserver that can cause a Denial of
+Service by crashing the mediaserver process. These issues are rated as Low
+severity because the effect is experienced by a crash of the media server
+resulting in a local temporary denial of service.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td rowspan="3">CVE-2015-6605</td>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/36ec928f52271dd1feb4c86b18026564220629e9">ANDROID-20915134</a></td>
+ <td rowspan="2">Low</td>
+ <td rowspan="2">5.1 and below</td>
+ <td rowspan="2">Google Internal </td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3ce293842fed1b3abd2ff0aecd2a0c70a55086ee">ANDROID-23142203</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibhevc/+/2b67e532653b815e2341a0ac0b59d1b0ef82170d">ANDROID-22278703</a></td>
+ <td>Low</td>
+ <td>5.0 - 6.0</td>
+ <td>Google Internal</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-3862</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f26400c9d01a0e2f71690d5ebc644270f098d590">ANDROID-22954006</a></td>
+ <td>Low</td>
+ <td>5.1 and below</td>
+ <td>Aug 2, 2015</td>
+ </tr>
+</table>
+
+
+<h2 id=revisions>Revisions</h2>
+
+
+<ul>
+ <li> October 05, 2015: Bulletin published.
+ <li> October 07, 2015: Bulletin updated with AOSP references. Clarified the bug
+references for CVE-2014-9082.
+ <li> October 12, 2015: Updated acknowledgements for CVE-2015-3868, CVE-2015-3869,
+CVE-2015-3865, CVE-2015-3862.
+</ul>
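Review bot: In the Sonivox table, the [2] link next to ANDROID-23307276 carries a 38-character commit id (f333a822c38c3d92f40e8f1686348e6a62c291), while the other three links in that table use full 40-character ids. It looks truncated and should be replaced with the full hash from the sonivox commit. The Revisions list also says the bug references were clarified for CVE-2014-9082, but the only 2014 CVE in the tables above is CVE-2014-9028 in the libFLAC section. One of the two is transposed and they should be reconciled. The Revisions entries are all dated October 2015, and several "Date reported" cells fall in mid to late August 2015, in a file added as 2015-08-01.jd with an August 2015 title. Please confirm this content sits under the right filename and title. Minor: "Aug 15,2015" in the CVE-2015-6603 row is missing a space, and the empty paragraph (an opening p tag directly followed by its close) before the KeyStore heading can be dropped.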
diff --git a/src/security/bulletin/2015-11-01.jd b/src/security/bulletin/2015-11-01.jd
new file mode 100644
index 0000000..046cd0a
--- /dev/null
+++ b/src/security/bulletin/2015-11-01.jd
@@ -0,0 +1,448 @@
+page.title=Nexus Security Bulletin - November 2015
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p><em>Published November 02, 2015</em></p>
+
+<p>We have released a security update to Nexus devices through an over-the-air
+(OTA) update as part of our Android Security Bulletin Monthly Release process.
+The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48X or later and Android Marshmallow with Security Patch Level of
+November 1, 2015 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p>
+
+<p>Partners were notified about these issues on October 5, 2015 or earlier. Source
+code patches for these issues will be released to the Android Open Source
+Project (AOSP) repository over the next 48 hours. We will revise this bulletin
+with the AOSP links when they are available.</p>
+
+<p>The most severe of these issues is a Critical security vulnerability that could
+enable remote code execution on an affected device through multiple methods
+such as email, web browsing, and MMS when processing media files.</p>
+
+<p>We have had no reports of active customer exploitation of these newly reported
+issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="{@docRoot}security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the
+Android platform. We encourage all customers to accept these updates to their
+devices.</p>
+
+<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2>
+
+
+<p>The table below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
+affected device, assuming the platform and service mitigations are disabled for
+development purposes or if successfully bypassed. </p>
+<table>
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerabilities in Mediaserver</td>
+ <td>CVE-2015-6608</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerability in libutils</td>
+ <td>CVE-2015-6609</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Information Disclosure Vulnerabilities in Mediaserver </td>
+ <td>CVE-2015-6611</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in libstagefright</td>
+ <td>CVE-2015-6610</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in libmedia</td>
+ <td>CVE-2015-6612</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Bluetooth</td>
+ <td>CVE-2015-6613</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Telephony</td>
+ <td>CVE-2015-6614</td>
+ <td>Moderate</td>
+ </tr>
+</table>
+
+
+<p>The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
+affected device, assuming the platform and service mitigations are disabled for
+development purposes or if successfully bypassed. </p>
+
+<h2 id=mitigations>Mitigations</h2>
+
+
+<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
+likelihood that security vulnerabilities can be successfully exploited on
+Android. </p>
+
+<ul>
+ <li> Exploitation for many issues on Android is made more difficult by enhancements
+in newer versions of the Android platform. We encourage all users to update to
+the latest version of Android where possible.
+ <li> The Android Security team is actively monitoring for abuse with Verify Apps and
+SafetyNet which will warn about potentially harmful applications about to be
+installed. Device rooting tools are prohibited within Google Play. To protect
+users who install applications from outside of Google Play, Verify Apps is
+enabled by default and will warn users about known rooting applications. Verify
+Apps attempts to identify and block installation of known malicious
+applications that exploit a privilege escalation vulnerability. If such an
+application has already been installed, Verify Apps will notify the user and
+attempt to remove any such applications.
+ <li> As appropriate, Google Hangouts and Messenger applications do not automatically
+pass media to processes such as mediaserver.
+</ul>
+
+<h2 id=acknowledgements>Acknowledgements</h2>
+
+
+<p>We would like to thank these researchers for their contributions:</p>
+
+<ul>
+ <li> Abhishek Arya, Oliver Chang and Martin Barbella, Google Chrome Security Team:
+CVE-2015-6608
+ <li> Daniel Micay (daniel.micay@copperhead.co) at Copperhead Security: CVE-2015-6609
+ <li> Dongkwan Kim of System Security Lab, KAIST (dkay@kaist.ac.kr): CVE-2015-6614
+ <li> Hongil Kim of System Security Lab, KAIST (hongilk@kaist.ac.kr): CVE-2015-6614
+ <li> Jack Tang of Trend Micro (@jacktang310): CVE-2015-6611
+ <li> Peter Pi of Trend Micro: CVE-2015-6611
+ <li> Natalie Silvanovich of Google Project Zero: CVE-2015-6608
+ <li> Qidan He (@flanker_hqd) and Wen Xu (@antlr7) from KeenTeam (@K33nTeam,
+http://k33nteam.org/): CVE-2015-6612
+ <li> Seven Shen of Trend Micro: CVE-2015-6610
+</ul>
+
+<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>
+
+
+<p>In the sections below, we provide details for each of the security
+vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table
+with the CVE, associated bug, severity, affected versions, and date reported.
+Where available, we’ve linked the AOSP commit that addressed the issue to the
+bug ID. When multiple changes relate to a single bug, additional AOSP
+references are linked to numbers following the bug ID.</p>
+
+<h3 id=remote_code_execution_vulnerabilities_in_mediaserver>Remote Code Execution Vulnerabilities in Mediaserver</h3>
+
+
+<p>During media file and data processing of a specially crafted file,
+vulnerabilities in mediaserver could allow an attacker to cause memory
+corruption and remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as a core part of the operating system
+and there are multiple applications that allow it to be reached with remote
+content, most notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution within the context of the mediaserver service. The mediaserver
+service has access to audio and video streams as well as access to privileges
+that third-party apps cannot normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td rowspan="6">CVE-2015-6608</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8ec845c8fe0f03bc57c901bc484541bdd6a7cf80">ANDROID-19779574</a></td>
+ <td rowspan="3">Critical</td>
+ <td rowspan="3">5.0, 5.1, 6.0</td>
+ <td rowspan="3">Google Internal</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c6a2815eadfce62702d58b3fa3887f24c49e1864">ANDROID-23680780</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Faac/+/b3c5a4bb8442ab3158fa1f52b790fadc64546f46">ANDROID-23876444</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/3830d0b585ada64ee75dea6da267505b19c622fd">ANDROID-23881715</a></td>
+ <td>Critical</td>
+ <td>4.4, 5.0, 5.1, 6.0</td>
+ <td>Google Internal</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3878b990f7d53eae7c2cf9246b6ef2db5a049872">ANDROID-14388161</a></td>
+ <td>Critical</td>
+ <td>4.4 and 5.1</td>
+ <td>Google Internal</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f3eb82683a80341f5ac23057aab733a57963cab2">ANDROID-23658148</a></td>
+ <td>Critical</td>
+ <td>5.0, 5.1, 6.0</td>
+ <td>Google Internal</td>
+ </tr>
+</table>
+
+
+<h3 id=remote_code_execution_vulnerability_in_libutils>Remote Code Execution Vulnerability in libutils</h3>
+
+
+<p>A vulnerability in libutils, a generic library, can be exploited during audio
+file processing. This vulnerability could allow an attacker, during processing
+of a specially crafted file, to cause memory corruption and remote code
+execution.</p>
+
+<p>The affected functionality is provided as an API and there are multiple
+applications that allow it to be reached with remote content, most notably MMS
+and browser playback of media. This issue is rated as a Critical severity issue
+due to the possibility of remote code execution in a privileged service. The
+affected component has access to audio and video streams as well as access to
+privileges that third-party apps cannot normally access.</p>
+
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-6609</td>
+ <td><a href="https://android.googlesource.com/platform%2Fbootable%2Frecovery/+/ec63d564a86ad5b30f75aa307b4bd271f6a96a56">ANDROID-22953624</a>
+[<a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/419e6c3c68413bd6dbb6872340b2ae0d69a0fd60">2</a>]</td>
+ <td>Critical</td>
+ <td>6.0 and below</td>
+ <td>Aug 3, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=information_disclosure_vulnerabilities_in_mediaserver>Information Disclosure Vulnerabilities in Mediaserver</h3>
+
+
+<p>There are information disclosure vulnerabilities in mediaserver that can permit
+a bypass of security measures in place to increase the difficulty of attackers
+exploiting the platform.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td rowspan="12">CVE-2015-6611</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/1c7719820359f4190cd4bfd1a24d521face7b4f8">ANDROID-23905951</a>
+[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3b76870d146b1350db8a2f7797e06897c8c92dc2">2</a>]
+[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/40715a2ee896edd2df4023d9f6f586977887d34c">3</a>] </td>
+ <td rowspan="3">High</td>
+ <td rowspan="3">6.0 and below</td>
+ <td rowspan="3">Sep 07, 2015</td>
+ </tr>
+ <tr>
+ <td>ANDROID-23912202*</td>
+ </tr>
+ <tr>
+ <td>ANDROID-23953967*</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fnative/+/b414255f53b560a06e642251535b019327ba0d7b">ANDROID-23696300</a></td>
+ <td>High</td>
+ <td>6.0 and below</td>
+ <td>Aug 31, 2015</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/09ed70fab1f1424971ccc105dcdf5be5ce2e2643">ANDROID-23600291</a></td>
+ <td>High</td>
+ <td>6.0 and below</td>
+ <td>Aug 26, 2015</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/892354335d49f0b9fcd10e20e0c13e3cd0f1f1cb">ANDROID-23756261</a>
+[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/a946d844a77906072f5eb7093d41db465d6514bb">2</a>]</td>
+ <td>High</td>
+ <td>6.0 and below</td>
+ <td>Aug 26, 2015</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/57bed83a539535bb64a33722fb67231119cb0618">ANDROID-23540907</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/25a634427dec455b79d73562131985ae85b98c43">2</a>]</td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ <td>Aug 25, 2015</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d53aced041b7214a92b1f2fd5970d895bb9934e5">ANDROID-23541506</a></td>
+ <td rowspan="4">High</td>
+ <td rowspan="4">6.0 and below</td>
+ <td rowspan="4">Aug 25, 2015</td>
+ </tr>
+ <tr>
+ <td>ANDROID-23284974*</td>
+ </tr>
+ <tr>
+ <td>ANDROID-23542351*</td>
+ </tr>
+ <tr>
+ <td>ANDROID-23542352*</td>
+ </tr>
+ <tr>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0981df6e3db106bfb7a56a2b668c012fcc34dd2c">ANDROID-23515142</a></td>
+ <td>High</td>
+ <td>5.1 and below</td>
+ <td>Aug 19, 2015</td>
+ </tr>
+</table>
+<p>* The patch for this bug is included in other provided AOSP links.</p>
+
+<h3 id=elevation_of_privilege_vulnerability_in_libstagefright>Elevation of Privilege Vulnerability in libstagefright</h3>
+
+
+<p>There is an elevation of privilege vulnerability in libstagefright that can
+enable a local malicious application to cause memory corruption and arbitrary
+code execution within the context of the mediaserver service. While this issue
+would normally be rated Critical, we have assessed this issue as High
+severity because of a lower likelihood that it can be exploited remotely.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-6610</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d26052738f7b095b7e318c8dde7f32db0a48450c">ANDROID-23707088</a>
+[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/820c105f7a4dc0971ee563caea4c9b346854a2f7">2</a>]</td>
+ <td>High</td>
+ <td>6.0 and below</td>
+ <td>Aug 19, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_libmedia>Elevation of Privilege Vulnerability in libmedia</h3>
+
+
+<p>There is a vulnerability in libmedia that can enable a local malicious
+application to execute arbitrary code within the context of the mediaserver
+service. This issue is rated as High severity because it can be used to access
+privileges which are not directly accessible to a third-party application. </p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-6612</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/4b219e9e5ab237eec9931497cf10db4d78982d84">ANDROID-23540426</a></td>
+ <td>High</td>
+ <td>6.0 and below</td>
+ <td>Aug 23, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_bluetooth>Elevation of Privilege Vulnerability in Bluetooth</h3>
+
+
+<p>There is a vulnerability in Bluetooth that can enable a local application to
+send commands to a listening debug port on the device. This issue is rated as
+High severity because it can be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-6613</td>
+ <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fbt/+/74dad51510f7d7b05c6617ef88168bf0bbdf3fcd">ANDROID-24371736</a></td>
+ <td>High</td>
+ <td>6.0</td>
+ <td>Google Internal</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_telephony>
+Elevation Of Privilege Vulnerability in Telephony</h3>
+
+
+<p>A vulnerability in the Telephony component that can enable a local malicious
+application to pass unauthorized data to the restricted network interfaces,
+potentially impacting data charges. It could also prevent the device from
+receiving calls as well as allowing an attacker to control the mute settings of
+calls. This issue is rated as Moderate severity because it can be used to
+improperly gain “<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>” permissions. </p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s) with AOSP links</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-6614</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Ftelephony/+/70dd1f77873913635288e513564a6c93ae4d0a26">ANDROID-21900139</a>
+[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/a12044215b1148826ea9a88d5d1102378b13922f">2</a>]
+[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/2b6af396ad14def9a967f62cccc87ee715823bb1">3</a>]</td>
+ <td>Moderate</td>
+ <td>5.0, 5.1</td>
+ <td>Jun 8, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=common_questions_and_answers>Common Questions and Answers</h3>
+
+
+<p>This section will review answers to common questions that may occur after
+reading this bulletin.</p>
+
+<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p>
+
+<p>Builds LMY48X or later and Android Marshmallow with Security Patch Level of
+November 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device
+manufacturers that include these updates should set the patch string level to:
+[ro.build.version.security_patch]:[2015-11-01]</p>
+
+<h2 id=revisions>Revisions</h2>
+
+<ul>
+ <li> November 02, 2015: Originally Published
+</ul>
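Review bot: The "Common Questions and Answers" heading near the end of this file is an `<h3>`, the same level as the per-vulnerability sections directly above it, while "Revisions" right after it is an `<h2>`. As written, the Q&A sits in the page outline as if it were one more vulnerability entry. Suggest `<h2 id=common_questions_and_answers>` to match "Revisions". Smaller points in the same region: the Telephony paragraph opens with a fragment ("A vulnerability in the Telephony component that can enable ..."; dropping "that" fixes it), and its heading capitalises "Of" where the sibling headings use "of". The Bluetooth paragraph reads "permissions privileges". The `<li>` under Revisions is never closed. The patch string `[ro.build.version.security_patch]:[2015-11-01]` would be easier to copy correctly if wrapped in `<code>`.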
diff --git a/src/security/bulletin/index.jd b/src/security/bulletin/index.jd
new file mode 100644
index 0000000..de31a16
--- /dev/null
+++ b/src/security/bulletin/index.jd
@@ -0,0 +1,64 @@
+page.title=Nexus Security Bulletins
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+<p>Security has always been a major focus for Android and Google Play: Android was
+built from day one with security in mind. Monthly device updates are an
+important tool to make and keep Android users safe. This page contains the
+available Nexus Security Bulletins. These security bulletins include
+information users can follow to ensure their device has the latest security
+updates. Refer to the<a href="https://support.google.com/nexus/answer/4457705"> Nexus documentation</a>
+for instructions on how to check the security patch level, using the security
+patch level provided below. The Nexus firmware images are also released each
+month to the<a href="https://developers.google.com/android/nexus/images"> Google Developer site</a>.
+</p>
+<table>
+ <tr>
+ <th>Nexus Security Bulletin</th>
+ <th>Published Date</th>
+ <th>Android Security Patch Level</th>
+ </tr>
+ <tr>
+ <td><a href="2015-11-01.html">November 2015</a></td>
+ <td>November 2, 2015</td>
+ <td>November 1, 2015: [2015-11-01]</td>
+ </tr>
+ <tr>
+ <td><a href="2015-10-01.html">October 2015</a></td>
+ <td>October 5, 2015</td>
+ <td>October 1, 2015: [2015-10-01]</td>
+ </tr>
+ <tr>
+ <td><a href="2015-09-01.html">September 2015</a></td>
+ <td>September 9, 2015</td>
+ <td>N/A</td>
+ </tr>
+ <tr>
+ <td><a href="2015-08-01.html">August 2015</a></td>
+ <td>August 13, 2015</td>
+ <td>N/A</td>
+ </tr>
+</table>
+
+
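Review bot: In the intro paragraph of index.jd both links carry the separating space inside the anchor (`Refer to the<a href=` ... `> Nexus documentation</a>` and `month to the<a href=` ... `> Google Developer site</a>`), so the link text starts with whitespace and the words run together in the source. Move the space to before `<a`. Also worth checking: the `qv-wrapper` block adds an empty `auto-toc` list, but the page body contains no headings, so the "In this document" box may render with nothing in it. The paragraph tells readers to check their device "using the security patch level provided below", yet the September and August rows list N/A; a short note on what those users should compare against (for example, the build ID) would help. The file ends with two blank added lines that can be dropped.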