src/security/bulletin/2015-08-01.jd

page.title=Nexus Security Bulletin - August 2015
@jd:body

<!--
    Copyright 2015 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->

<p><em>Published August 13, 2015</em></p>

<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process.
The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48I or later address these issues. Partners were notified about these
issues on June 25, 2015 or earlier.</p>

<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods
such as email, web browsing, and MMS when processing media files.</p>

<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2>

<p>The table below contains a list of security vulnerabilities, the Common
Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
affected device, assuming the platform and service mitigations are disabled for
development purposes or if successfully bypassed. </p>
<table>
 <tr>
    <th>Issue </th>
    <th>CVE</th>
    <th>Severity</th>
 </tr>
 <tr>
    <td>Integer overflows during MP4 atom processing</td>
    <td>CVE-2015-1538</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>An integer underflow in ESDS processing</td>
    <td>CVE-2015-1539</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Integer overflow in libstagefright when parsing the MPEG4 tx3g atom</td>
    <td>CVE-2015-3824</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Integer underflow in libstagefright when processing MPEG4 covr atoms</td>
    <td>CVE-2015-3827</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Integer underflow in libstagefright if size is below 6 while processing 3GPP
metadata</td>
    <td>CVE-2015-3828</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Integer overflow in libstagefright processing MPEG4 covr atoms when
chunk_data_size is SIZE_MAX</td>
    <td>CVE-2015-3829</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Buffer overflow in Sonivox Parse_wave</td>
    <td>CVE-2015-3836</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Buffer overflows in libstagefright MPEG4Extractor.cpp</td>
    <td>CVE-2015-3832</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Buffer overflow in mediaserver BpMediaHTTPConnection</td>
    <td>CVE-2015-3831</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Vulnerability in libpng: Overflow in png_Read_IDAT_data</td>
    <td>CVE-2015-0973</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</td>
    <td>CVE-2015-1863</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Memory Corruption in OpenSSLX509Certificate Deserialization</td>
    <td>CVE-2015-3837</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Buffer overflow in mediaserver BnHDCP</td>
    <td>CVE-2015-3834</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</td>
    <td>CVE-2015-3835</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()</td>
    <td>CVE-2015-3842</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Applications can intercept or emulate SIM commands to Telephony</td>
    <td>CVE-2015-3843</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Vulnerability in Bitmap unmarshalling</td>
    <td>CVE-2015-1536</td>
    <td>Moderate</td>
 </tr>
 <tr>
    <td>AppWidgetServiceImpl can create IntentSender with system privileges</td>
    <td>CVE-2015-1541</td>
    <td>Moderate</td>
 </tr>
 <tr>
    <td>Mitigation bypass of restrictions on getRecentTasks()</td>
    <td>CVE-2015-3833</td>
    <td>Moderate</td>
 </tr>
 <tr>
    <td>ActivityManagerService.getProcessRecordLocked() may load a system UID
application into the wrong process</td>
    <td>CVE-2015-3844</td>
    <td>Moderate</td>
 </tr>
 <tr>
    <td>Unbounded buffer read in libstagefright while parsing 3GPP metadata</td>
    <td>CVE-2015-3826</td>
    <td>Low</td>
 </tr>
</table>


<h2 id=mitigations>Mitigations</h2>


<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
likelihood that security vulnerabilities can be successfully exploited on
Android.</p>

<ul>
  <li> Exploitation for many issues on Android is made more difficult by enhancements
in newer versions of the Android platform. We encourage all users to update to
the latest version of Android where possible.
  <li> The Android Security team is actively monitoring for abuse with Verify Apps and
SafetyNet which will warn about potentially harmful applications about to be
installed. Device rooting tools are prohibited within Google Play. To protect
users who install applications from outside of Google Play, Verify Apps is
enabled by default and will warn users about known rooting applications. Verify
Apps attempts to identify and block installation of known malicious
applications that exploit a privilege escalation vulnerability. If such an
application has already been installed, Verify Apps will notify the user and
attempt to remove any such applications.
  <li> As appropriate, Google has updated the Hangouts and Messenger applications so
that media is not automatically passed to vulnerable processes (such as
mediaserver.)
</ul>

<h2 id=acknowledgements>Acknowledgements</h2>


<p>We would like to thank these researchers for their contributions:</p>

<ul>
  <li> Joshua Drake: CVE-2015-1538, CVE-2015-3826
  <li> Ben Hawkes: CVE-2015-3836
  <li> Alexandru Blanda: CVE-2015-3832
  <li> Michał Bednarski: CVE-2015-3831, CVE-2015-3844, CVE-2015-1541
  <li> Alex Copot: CVE-2015-1536
  <li> Alex Eubanks: CVE-2015-0973
  <li> Roee Hay and Or Peles: CVE-2015-3837
  <li> Guang Gong: CVE-2015-3834
  <li> Gal Beniamini: CVE-2015-3835
  <li> Wish Wu*: CVE-2015-3842
  <li> Artem Chaykin: CVE-2015-3843
</ul>

<p>*Wish is also our very first <a href="https://www.google.com/about/appsecurity/android-rewards/">Android Security Rewards</a> recipient!</p>

<h3 id=integer_overflows_during_mp4_atom_processing>Integer overflows during MP4 atom processing</h3>


<p>There are several potential integer overflows in libstagefright that could
occur during MP4 atom processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-1538</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/cf1581c66c2ad8c5b1aaca2e43e350cf5974f46d">ANDROID-20139950</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398">2</a>]</td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>

<h3 id=an_integer_underflow_in_esds_processing>An integer underflow in ESDS processing</h3>


<p>There is a potential integer underflow in libstagefright that could occur
during ESDS atom processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-1539</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/5e751957ba692658b7f67eb03ae5ddb2cd3d970c">ANDROID-20139950</a></td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=integer_overflow_in_libstagefright_when_parsing_the_mpeg4_tx3g_atom>Integer overflow in libstagefright when parsing the MPEG4 tx3g atom</h3>


<p>There is a potential integer overflow in libstagefright that could occur during
MPEG4 tx3g data processing, leading to memory corruption and potentially remote
code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
High severity vulnerability and was reported to partners as such. Under our new
guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3824</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/463a6f807e187828442949d1924e143cf07778c6">ANDROID-20923261</a> </td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=integer_underflow_in_libstagefright_when_processing_mpeg4_covr_atoms>Integer underflow in libstagefright when processing MPEG4 covr atoms</h3>


<p>There is a potential integer underflow in libstagefright that could occur
during MPEG4 data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
High severity vulnerability and was reported to partners as such. Under our new
guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3827</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4a88c8ed4f8186b3d6e2852993e063fc33ff231">ANDROID-20923261</a></td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=integer_underflow_in_libstagefright_if_size_is_below_6_while_processing_3gpp_metadata>Integer underflow in libstagefright if size is below 6 while processing 3GPP
metadata</h3>


<p>There is a potential integer underflow in libstagefright that could occur
during 3GPP data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3828</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
    <td>Critical</td>
    <td>5.0 and above</td>
 </tr>
</table>


<h3 id=integer_overflow_in_libstagefright_processing_mpeg4_covr_atoms_when_chunk_data_size_is_size_max>Integer overflow in libstagefright processing MPEG4 covr atoms when
chunk_data_size is SIZE_MAX</h3>


<p>There is a potential integer overflow in libstagefright that could occur during
 MPEG4 covr data processing, leading to memory corruption and potentially
remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3829</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/2674a7218eaa3c87f2ee26d26da5b9170e10f859">ANDROID-20923261</a></td>
    <td>Critical</td>
    <td>5.0 and above</td>
 </tr>
</table>


<h3 id=buffer_overflow_in_sonivox_parse_wave>Buffer overflow in Sonivox Parse_wave</h3>


<p>There is a potential buffer overflow in Sonivox that could occur during XMF
data processing, leading to memory corruption and potentially remote code
execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access. Note that under our previous severity rating
guidelines, this was rated as a High severity vulnerability and was reported to
partners as such. Under our new guidelines, published in June 2015, it is a
Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3836</td>
    <td><a href="https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6">ANDROID-21132860</a></td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=buffer_overflows_in_libstagefright_mpeg4extractor_cpp>Buffer overflows in libstagefright MPEG4Extractor.cpp</h3>


<p>There are several buffer overflows in libstagefright that could occur during
MP4 processing, leading to memory corruption and potentially remote code
execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API and there are
multiple applications that allow it to be reached with remote content, most
notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution as the privileged mediaserver service. While mediaserver is
guarded with SELinux, it does have access to audio and video streams as well as
access to privileged kernel driver device nodes on many devices that 3rd party
apps cannot normally access.</p>

<p>Initially this issue was reported as a local exploit (not remotely accessible).
Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such. Under our
new guidelines, published in June 2015, it is a Critical severity issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3832</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b">ANDROID-19641538</a></td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=buffer_overflow_in_mediaserver_bpmediahttpconnection>Buffer overflow in mediaserver BpMediaHTTPConnection</h3>


<p>There is is a potential buffer overflow in BpMediaHTTPConnection when
processing data provided by another application, leading to memory corruption
and potentially code execution as the mediaserver process.</p>

<p>The affected functionality is provided as an application API.  We don’t believe
the issue is remotely exploitable.</p>

<p>This issue is rated as a High severity due to the possibility of code execution
as the privileged mediaserver service, from a local application. While
mediaserver is guarded with SELinux, it does have access to audio and video
streams as well as access to privileged kernel driver device nodes on many
devices that 3rd party apps cannot normally access.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3831</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/51504928746edff6c94a1c498cf99c0a83bedaed">ANDROID-19400722</a></td>
    <td>High</td>
    <td>5.0 and 5.1</td>
 </tr>
</table>


<h3 id=vulnerability_in_libpng_overflow_in_png_read_idat_data>Vulnerability in libpng: Overflow in png_Read_IDAT_data</h3>


<p>There is a potential buffer overflow that could occur in reading IDAT data
within the png_read_IDAT_data() function in libpng,  leading to memory
corruption and potentially remote code execution within an application using
this method.</p>

<p>The affected functionality is provided as an application API. There may be
applications that allow it to be reached with remote content, most notably
messaging applications and browsers.</p>

<p>This issue is rated as a High severity due to the possibility of remote code
execution as an unprivileged application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-0973</td>
    <td><a href="https://android.googlesource.com/platform/external/libpng/+/dd0ed46397a05ae69dc8c401f5711f0db0a964fa">ANDROID-19499430</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=remotely_exploitable_memcpy_overflow_in_p2p_add_device_in_wpa_supplicant>Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant</h3>


<p>When wpa_supplicant is operating in WLAN Direct mode, it's vulnerable to
potential remote code execution due to an overflow in the p2p_add_device()
method. Successful exploitation could result in code execution as the 'wifi'
user in Android.</p>

<p>There are several mitigations that can effect successful exploitation of this
issue:</p>

<p>- WLAN Direct is not enabled by default on most Android devices</p>

<p>- Exploitation requires an attacker to be locally proximate (within WiFi range)</p>

<p>- The wpa_supplicant process runs as the 'wifi' user which has limited access
to the system</p>

<p>- Remote exploitation is mitigated by ASLR on Android 4.1 and later devices.</p>

<p>- The wpa_supplicant process is tightly constrained by SELinux policy on
Android 5.0 and greater</p>

<p>This issue is rated as High severity due to the possibility of remote code
execution. While the 'wifi' service does have capabilities that are not
normally accessible to 3rd party apps which could rate this as Critical, we
believe the limited capabilities and level of mitigation warrant decreasing the
severity to High.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-1863</td>
    <td><a href="https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c">ANDROID-20076874</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=memory_corruption_in_opensslx509certificate_deserialization>Memory Corruption in OpenSSLX509Certificate Deserialization</h3>


<p>A malicious local application can send an Intent which, when deserialized by
the receiving application, can decrement a value at an arbitrary memory
address, leading to memory corruption and potentially code execution within the
receiving application.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3837</td>
    <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540">ANDROID-21437603</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=buffer_overflow_in_mediaserver_bnhdcp>Buffer overflow in mediaserver BnHDCP</h3>


<p>There is is a potential integer overflow in libstagefright when processing data
provided by another application, leading to memory (heap) corruption and
potentially code execution as the mediaserver process.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application. While mediaserver is guarded with
SELinux, it does have access to audio and video streams as well as access to
privileged kernel driver device nodes on many devices that 3rd party apps
cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such. Under our
new guidelines, published in June 2015, it is a High severity vulnerability.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3834</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced">ANDROID-20222489</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=buffer_overflow_in_libstagefright_omxnodeinstance_emptybuffer>Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer</h3>


<p>There is is a potential buffer overflow in libstagefright when processing data
provided by another application, leading to memory corruption and potentially
code execution as the mediaserver process.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application. While mediaserver is guarded with
SELinux, it does have access to audio and video streams as well as access to
privileged kernel driver device nodes on many devices that 3rd party apps
cannot normally access.</p>

<p>Note that under our previous severity rating guidelines, this was rated as a
Moderate severity vulnerability and was reported to partners as such. Under our
new guidelines, published in June 2015, it is a High severity vulnerability.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3835</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab">ANDROID-20634516</a> [<a href="https://android.googlesource.com/platform/frameworks/av/+/3cb1b6944e776863aea316e25fdc16d7f9962902">2</a>]</td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=heap_overflow_in_mediaserver_audiopolicymanager_getinputforattr>Heap overflow in mediaserver AudioPolicyManager::getInputForAttr()</h3>


<p>There is a heap overflow in mediaserver's Audio Policy Service that could allow
a local application to execute arbitrary code in mediaserver's process.</p>

<p>The affected functionality is provided as an application API.   We don’t
believe the issue is remotely exploitable.</p>

<p>This issue is rated as a High severity due to the possibility of code execution
as the privileged mediaserver service, from a local application. While
mediaserver is guarded with SELinux, it does have access to audio and video
streams as well as access to privileged kernel driver device nodes on many
devices that 3rd party apps cannot normally access.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3842</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/aeea52da00d210587fb3ed895de3d5f2e0264c88">ANDROID-21953516</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=applications_can_intercept_or_emulate_sim_commands_to_telephony>Applications can intercept or emulate SIM commands to Telephony</h3>


<p>There is a vulnerability in the SIM Toolkit (STK) framework that could allow
apps to intercept or emulate certain STK SIM commands to Android's Telephony
subsystem.</p>

<p>This issue is rated at a High severity because it could allow an unprivileged
app to access capabilities or data normally protected by a "signature" or
"system" level permission.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3843</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9">ANDROID-21697171</a> [<a href="https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7">2</a>, <a href="https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4">3</a>, <a href="https://android.googlesource.com/platform/packages/services/Telephony/+/fcb1d13c320dd1a6350bc7af3166929b4d54a456">4</a>]</td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=vulnerability_in_bitmap_unmarshalling>Vulnerability in Bitmap unmarshalling</h3>


<p>An integer overflow in Bitmap_createFromParcel() could allow an app to either
crash the system_server process or read memory data from system_server.</p>

<p>This issue is rated as Moderate severity due to the possibility of leaking
sensitive data from the system_server process to an unprivileged local process.
While this type of vulnerability would normally be rated as High severity, the
severity has been reduced because the data that is leaked in a successful
attack cannot be controlled by the attacking process and the consequence of an
unsuccessful attack is to render the device temporarily unusable (requiring a
reboot).</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-1536</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb">ANDROID-19666945</a></td>
    <td>Moderate</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=appwidgetserviceimpl_can_create_intentsender_with_system_privileges>AppWidgetServiceImpl can create IntentSender with system privileges</h3>


<p>There is a vulnerability in AppWidgetServiceImpl in the Settings app that
allows an app to grant itself a URI permission by specifying
FLAG_GRANT_READ/WRITE_URI_PERMISSION. For example, this could be exploited to
read contact data without the READ_CONTACTS permission.</p>

<p>This is rated as a Moderate severity vulnerability because it can allow a local
app to access data normally protected by permissions with a "dangerous"
protection level.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-1541 </td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/0b98d304c467184602b4c6bce76fda0b0274bc07">ANDROID-19618745</a></td>
    <td>Moderate</td>
    <td>5.1 </td>
 </tr>
</table>


<h3 id=mitigation_bypass_of_restrictions_on_getrecenttasks>Mitigation bypass of restrictions on getRecentTasks()</h3>


<p>A local application can reliably determine the foreground application,
circumventing the getRecentTasks() restriction introduced in Android 5.0.</p>

<p>This is rated as a moderate severity vulnerability because it can allow a local
app to access data normally protected by permissions with a "dangerous"
protection level.</p>

<p>We believe this vulnerability was first described publicly at:<a href="http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l">http://stackoverflow.com/questions/24625936/getrunningtasks-doesnt-work-in-android-l</a></p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3833 </td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/aaa0fee0d7a8da347a0c47cef5249c70efee209e">ANDROID-20034603</a></td>
    <td>Moderate</td>
    <td>5.0 and 5.1 </td>
 </tr>
</table>


<h3 id=activitymanagerservice_getprocessrecordlocked_may_load_a_system_uid_application_into_the_wrong_process>ActivityManagerService.getProcessRecordLocked() may load a system UID
application into the wrong process</h3>


<p>ActivityManager's getProcessRecordLocked() method doesn't properly verify that
an application's process name matches the corresponding package name. In some
cases, this can allow ActivityManager to load the wrong process for certain
tasks.</p>

<p>The implications are that an app can prevent Settings from being loaded or
inject parameters for Settings fragments. We don't believe that this
vulnerability can be used to execute arbitrary code as the "system" user.</p>

<p>While the ability to access capabilities normally only accessible to "system"
would be rated as a High severity, we rated this one as a Moderate due to the
limited level of access granted by the vulnerability.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3844 </td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/e3cde784e3d99966f313fe00dcecf191f6a44a31">ANDROID-21669445</a></td>
    <td>Moderate</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=unbounded_buffer_read_in_libstagefright_while_parsing_3gpp_metadata>Unbounded buffer read in libstagefright while parsing 3GPP metadata</h3>


<p>An integer underflow during parsing of 3GPP data can result in a read operation
overrunning a buffer, causing mediaserver to crash.</p>

<p>This issue was originally rated as a High severity and was reported to partners
as such, but after further investigation it has been downgraded to Low severity
as the impact is limited to crashing mediaserver.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3826</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f4f7e0c102819f039ebb1972b3dba1d3186bc1d1">ANDROID-20923261</a></td>
    <td>Low</td>
    <td>5.0 and 5.1</td>
 </tr>
</table>


<h2 id=revisions>Revisions</h2>


<ul>
  <li> August 13, 2015: Originally Published