src/security/bulletin/2015-12-01.jd

page.title=Nexus Security Bulletin - December 2015
@jd:body

<!--
    Copyright 2015 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc">
   </ol>
  </div>
</div>

<p><em>Published December 07, 2015 | Updated December 09, 2015</em></p>

<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process.
The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48Z or later and Android 6.0 with Security Patch Level of
December 1, 2015 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p>

<p>Partners were notified about and provided updates for these issues on November
2, 2015 or earlier. Where applicable, source code patches for these issues have been released to
the Android Open Source Project (AOSP) repository.</p>

<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods
such as email, web browsing, and MMS when processing media files.</p>

<p>We have had no reports of active customer exploitation of these newly reported
issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="{@docRoot}security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the
Android platform. We encourage all customers to accept these updates to their
devices.</p>

<h2 id="security_vulnerability_summary">Security Vulnerability Summary</h2>

<p>The table below contains a list of security vulnerabilities, the Common
Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
affected device, assuming the platform and service mitigations are disabled for
development purposes or if successfully bypassed.</p>
<table>
 <tr>
    <th>Issue</th>
    <th>CVE</th>
    <th>Severity</th>
 </tr>
 <tr>
    <td>Remote Code Execution Vulnerability in Mediaserver</td>
    <td>CVE-2015-6616</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Remote Code Execution Vulnerability in Skia</td>
    <td>CVE-2015-6617</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Elevation of Privilege in Kernel</td>
    <td>CVE-2015-6619</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Remote Code Execution Vulnerabilities in Display Driver</td>
    <td>CVE-2015-6633<br>
        CVE-2015-6634</td>
    <td>Critical</td>
 </tr>
 <tr>
    <td>Remote Code Execution Vulnerability in Bluetooth</td>
    <td>CVE-2015-6618</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Elevation of Privilege Vulnerabilities in libstagefright</td>
    <td>CVE-2015-6620 </td>
    <td>High</td>
 </tr>
 <tr>
    <td>Elevation of Privilege Vulnerability in SystemUI</td>
    <td>CVE-2015-6621</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Elevation of Privilege Vulnerability in Native Frameworks Library</td>
    <td>CVE-2015-6622</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Elevation of Privilege Vulnerability in Wi-Fi</td>
    <td>CVE-2015-6623</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Elevation of Privilege Vulnerability in System Server</td>
    <td>CVE-2015-6624</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Information Disclosure Vulnerabilities in libstagefright</td>
    <td>CVE-2015-6626<br>
        CVE-2015-6631<br>
        CVE-2015-6632</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Information Disclosure Vulnerability in Audio</td>
    <td>CVE-2015-6627</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Information Disclosure Vulnerability in Media Framework</td>
    <td>CVE-2015-6628</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Information Disclosure Vulnerability in Wi-Fi</td>
    <td>CVE-2015-6629</td>
    <td>High</td>
 </tr>
 <tr>
    <td>Elevation of Privilege Vulnerability in System Server</td>
    <td>CVE-2015-6625</td>
    <td>Moderate</td>
 </tr>
 <tr>
    <td>Information Disclosure Vulnerability in SystemUI</td>
    <td>CVE-2015-6630</td>
    <td>Moderate</td>
 </tr>
</table>


<p>The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an
affected device, assuming the platform and service mitigations are disabled for
development purposes or if successfully bypassed.</p>

<h2 id="mitigations">Mitigations</h2>


<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
likelihood that security vulnerabilities could be successfully exploited on
Android.</p>

<ul>
  <li> Exploitation for many issues on Android is made more difficult by enhancements
in newer versions of the Android platform. We encourage all users to update to
the latest version of Android where possible.</li>
  <li> The Android Security team is actively monitoring for abuse with Verify Apps and
SafetyNet which will warn about potentially harmful applications about to be
installed. Device rooting tools are prohibited within Google Play. To protect
users who install applications from outside of Google Play, Verify Apps is
enabled by default and will warn users about known rooting applications. Verify
Apps attempts to identify and block installation of known malicious
applications that exploit a privilege escalation vulnerability. If such an
application has already been installed, Verify Apps will notify the user and
attempt to remove any such applications.</li>
  <li> As appropriate, Google Hangouts and Messenger applications do not automatically
pass media to processes such as mediaserver.</li>
</ul>

<h2 id="acknowledgements">Acknowledgements</h2>

<p>We would like to thank these researchers for their contributions:</p>

<ul>
  <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security
Team: CVE-2015-6616, CVE-2015-6617, CVE-2015-6623, CVE-2015-6626,
CVE-2015-6619, CVE-2015-6633, CVE-2015-6634
  <li> Flanker (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>) of <a href="http://k33nteam.org/">KeenTeam</a> (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6620
  <li> Guang Gong (龚广) (<a href="https://twitter.com/oldfresher">@oldfresher</a>, higongguang@gmail.com) of <a href="http://www.360.cn">Qihoo 360 Technology Co.Ltd</a>: CVE-2015-6626
  <li> Mark Carter (<a href="https://twitter.com/hanpingchinese">@hanpingchinese</a>) of EmberMitre Ltd: CVE-2015-6630
  <li> Michał Bednarski (<a href="https://github.com/michalbednarski">https://github.com/michalbednarski</a>): CVE-2015-6621
  <li> Natalie Silvanovich of Google Project Zero: CVE-2015-6616
  <li> Peter Pi of Trend Micro: CVE-2015-6616, CVE-2015-6628
  <li> Qidan He (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>) and Marco Grassi (<a href="https://twitter.com/marcograss">@marcograss</a>) of <a href="http://k33nteam.org/">KeenTeam</a> (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6622
  <li> Tzu-Yin (Nina) Tai: CVE-2015-6627
</ul>

<h2 id="security_vulnerability_details">Security Vulnerability Details</h2>

<p>In the sections below, we provide details for each of the security
vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table
with the CVE, associated bug, severity, affected versions, and date reported.
When available, we will link the AOSP change that addressed the issue to the
bug ID. When multiple changes relate to a single bug, additional AOSP
references are linked to numbers following the bug ID.</p>

<h3 id="remote_code_execution_vulnerabilities_in_mediaserver">Remote Code Execution Vulnerabilities in Mediaserver</h3>


<p>During media file and data processing of a specially crafted file,
vulnerabilities in mediaserver could allow an attacker to cause memory
corruption and remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as a core part of the operating system
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution within the context of the mediaserver service. The mediaserver
service has access to audio and video streams as well as access to privileges
that third-party apps cannot normally access.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td rowspan="5">CVE-2015-6616</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/77c185d5499d6174e7a97b3e1512994d3a803151">ANDROID-24630158</a></td>
    <td>Critical</td>
    <td>6.0 and below</td>
    <td>Google Internal</td>
 </tr>
  <tr>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0d35dd2068d6422c3c77fb68f248cbabf3d0b10c">ANDROID-23882800</a></td>
    <td>Critical</td>
    <td>6.0 and below</td>
    <td>Google Internal</td>
 </tr>
 <tr>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/dedaca6f04ac9f95fabe3b64d44cd1a2050f079e">ANDROID-17769851</a></td>
    <td>Critical</td>
    <td>5.1 and below</td>
    <td>Google Internal</td>
 </tr>
 <tr>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5d101298d8b0a78a1dc5bd26dbdada411f4ecd4d">ANDROID-24441553</a></td>
    <td>Critical</td>
    <td>6.0 and below</td>
    <td>Sep 22, 2015</td>
 </tr>
 <tr>
    <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibavc/+/2ee0c1bced131ffb06d1b430b08a202cd3a52005">ANDROID-24157524</a></td>
    <td>Critical</td>
    <td>6.0</td>
    <td>Sep 08, 2015</td>
 </tr>
</table>

<h3 id="remote_code_execution_vulnerability_in_skia">Remote Code Execution Vulnerability in Skia</h3>

<p>A vulnerability in the Skia component may be leveraged when processing a
specially crafted media file, that could lead to memory corruption and remote
code execution in a privileged process. This issue is rated as a Critical
severity due to the possibility of remote code execution through multiple
attack methods such as email, web browsing, and MMS when processing media
files.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6617</td>
    <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fskia/+/a1d8ac0ac0af44d74fc082838936ec265216ab60">ANDROID-23648740</a></td>
    <td>Critical</td>
    <td>6.0 and below</td>
    <td>Google internal</td>
 </tr>
</table>

<h3 id="elevation_of_privilege_in_kernel">Elevation of Privilege in Kernel</h3>

<p>An elevation of privilege vulnerability in the system kernel could enable a
local malicious application to execute arbitrary code within the device root
context. This issue is rated as a Critical severity due to the possibility of a
local permanent device compromise and the device could only be repaired by
re-flashing the operating system.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6619</td>
    <td><a href ="https://android.googlesource.com/device%2Fhtc%2Fflounder-kernel/+/25d3e5d71865a7c0324423fad87aaabb70e82ee4">ANDROID-23520714</a></td>
    <td>Critical</td>
    <td>6.0 and below</td>
    <td>Jun 7, 2015</td>
 </tr>
</table>

<h3 id="remote_code_execution_vulnerabilities_in_display_driver">
Remote Code Execution Vulnerabilities in Display Driver</h3>

<p>There are vulnerabilities in the display drivers that, when processing a media
file, could cause memory corruption and potential arbitrary code execution in
the context of the user mode driver loaded by mediaserver. This issue is rated
as a Critical severity due to the possibility of remote code execution through
multiple attack methods such as email, web browsing, and MMS when processing
media files.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6633</td>
    <td>ANDROID-23987307*</td>
    <td>Critical</td>
    <td>6.0 and below</td>
    <td>Google Internal</td>
 </tr>
 <tr>
    <td>CVE-2015-6634</td>
    <td><a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/25016fd2865943dec1a6b2b167ef85c772fb90f7">ANDROID-24163261</a> [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/0787bc222a016e944f01492c2dd04bd03c1da6af">2</a>] [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/95c2601aab7f27505e8b086fdd1f1dce31091e5d">3</a>] [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/45660529af1f4063a00e84aa2361649e6a9a878c">4</a>]</td>
    <td>Critical</td>
    <td>5.1 and below</td>
    <td>Google Internal</td>
 </tr>
</table>
<p> *The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="remote_code_execution_vulnerability_in_bluetooth">Remote Code Execution Vulnerability in Bluetooth</h3>

<p>A vulnerability in Android's Bluetooth component could allow remote code
execution. However multiple manual steps are required before this could occur.
In order to do this it would require a successfully paired device, after the
personal area network (PAN) profile is enabled (for example using Bluetooth
Tethering) and the device is paired. The remote code execution would be at the
privilege of the Bluetooth service. A device is only vulnerable to this issue
from a successfully paired device while in local proximity.</p>

<p>This issue is rated as High severity because an attacker could remotely execute
arbitrary code only after multiple manual steps are taken and from a locally
proximate attacker that had previously been allowed to pair a device.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) </th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6618</td>
    <td>ANDROID-24595992*</td>
    <td>High</td>
    <td>4.4, 5.0, and 5.1</td>
    <td>Sep 28, 2015</td>
 </tr>
</table>
<p> *The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id="elevation_of_privilege_vulnerabilities_in_libstagefright">
Elevation of Privilege Vulnerabilities in libstagefright</h3>

<p>There are multiple vulnerabilities in libstagefright that could enable a local
malicious application to execute arbitrary code within the context of the
mediaserver service. This issue is rated as High severity because it could be
used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party
applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td rowspan="2">CVE-2015-6620</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/2b8cd9cbb3e72ffd048ffdd1609fac74f61a22ac">ANDROID-24123723</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Sep 10, 2015</td>
 </tr>
 <tr>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/77c185d5499d6174e7a97b3e1512994d3a803151">ANDROID-24445127</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Sep 2, 2015</td>
 </tr>
</table>

<h3 id="elevation_of_privilege_vulnerability_in_systemui">
Elevation of Privilege Vulnerability in SystemUI</h3>

<p>When setting an alarm using the clock application, a vulnerability in the
SystemUI component could allow an application to execute a task at an elevated
privilege level. This issue is rated as High severity because it could be used
to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party
applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6621</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/e70e8ac93807c51240b2cd9afed35bf454ea00b3">ANDROID-23909438</a></td>
    <td>High</td>
    <td>5.0, 5.1, and 6.0</td>
    <td>Sep 7, 2015</td>
 </tr>
</table>

<h3 id="information_disclosure_vulnerability_in_native_frameworks_library">Information Disclosure Vulnerability in Native Frameworks Library</h3>

<p>An information disclosure vulnerability in Android Native Frameworks Library
could permit a bypass of security measures in place to increase the difficulty
of attackers exploiting the platform. These issues are rated as High severity
because they could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6622</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fnative/+/5d17838adef13062717322e79d4db0b9bb6b2395">ANDROID-23905002</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Sep 7, 2015</td>
 </tr>
</table>

<h3 id="elevation_of_privilege_vulnerability_in_wi-fi">Elevation of Privilege Vulnerability in Wi-Fi</h3>

<p>An elevation of privilege vulnerability in Wi-Fi could enable a local malicious
application to execute arbitrary code within the context of an elevated system
service. This issue is rated as High severity because it could be used to gain
elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6623</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/a15a2ee69156fa6fff09c0dd9b8182cb8fafde1c">ANDROID-24872703</a></td>
    <td>High</td>
    <td>6.0</td>
    <td>Google Internal</td>
 </tr>
</table>


<h3 id="elevation_of_privilege_vulnerability_in_system_server">Elevation of Privilege Vulnerability in System Server</h3>


<p>An elevation of privilege vulnerability in the System Server component could
enable a local malicious application to gain access to service related
information. This issue is rated as High severity because it could be used to
gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6624</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f86a441cb5b0dccd3106019e578c3535498e5315">ANDROID-23999740</a></td>
    <td>High</td>
    <td>6.0</td>
    <td>Google internal</td>
 </tr>
</table>


<h3 id="information_disclosure_vulnerabilities_in_libstagefright">
Information Disclosure Vulnerabilities in libstagefright</h3>

<p>There are information disclosure vulnerabilities in libstagefright that during
communication with mediaserver, could permit a bypass of security measures in
place to increase the difficulty of attackers exploiting the platform. These
issues are rated as High severity because they could also be used to gain
elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6632</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5cae16bdce77b0a3ba590b55637f7d55a2f35402">ANDROID-24346430</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Google Internal</td>
 </tr>
 <tr>
    <td>CVE-2015-6626</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8dde7269a5356503d2b283234b6cb46d0c3f214e">ANDROID-24310423</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Sep 2, 2015</td>
 </tr>
 <tr>
    <td>CVE-2015-6631</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/7ed8d1eff9b292b3c65a875b13a549e29654534b">ANDROID-24623447</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Aug 21, 2015</td>
 </tr>
</table>

<h3 id="information_disclosure_vulnerability_in_audio">Information Disclosure Vulnerability in Audio</h3>

<p>A vulnerability in the Audio component could be exploited during audio file
processing. This vulnerability could allow a local malicious application,
during processing of a specially crafted file, to cause information disclosure.
This issue is rated as High severity because it could be used to gain elevated
capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6627</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8c987fa71326eb0cc504959a5ebb440410d73180">ANDROID-24211743</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Google Internal</td>
 </tr>
</table>

<h3 id="information_disclosure_vulnerability_in_media_framework">Information Disclosure Vulnerability in Media Framework</h3>

<p>There is an information disclosure vulnerability in Media Framework that during
communication with mediaserver, could permit a bypass of security measures in
place to increase the difficulty of attackers exploiting the platform. This
issue is rated as High severity because it could also be used to gain elevated
capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6628</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5e7e87a383fdb1fece977097a7e3cc51b296f3a0">ANDROID-24074485</a></td>
    <td>High</td>
    <td>6.0 and below</td>
    <td>Sep 8, 2015</td>
 </tr>
</table>

<h3 id="information_disclosure_vulnerability_in_wi-fi">Information Disclosure Vulnerability in Wi-Fi</h3>

<p>A vulnerability in the Wi-Fi component could allow an attacker to cause the
Wi-Fi service to disclose information. This issue is rated as High severity
because it could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party
applications.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6629</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/8b41627f7411306a0c42867fb526fa214f2991cd">ANDROID-22667667</a></td>
    <td>High</td>
    <td>5.1 and 5.0</td>
    <td>Google Internal</td>
 </tr>
</table>

<h3 id="elevation_of_privilege_vulnerability_in_system_server19">Elevation of Privilege Vulnerability in System Server</h3>


<p>An elevation of privilege vulnerability in the System Server could enable a
local malicious application to gain access to Wi-Fi service related
information. This issue is rated as Moderate severity because it could be used
to improperly gain “<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>” permissions.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6625</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/29fa7d2ffc3bba55173969309e280328b43eeca1">ANDROID-23936840</a></td>
    <td>Moderate</td>
    <td>6.0</td>
    <td>Google Internal</td>
 </tr>
</table>

<h3 id="information_disclosure_vulnerability_in_systemui">Information Disclosure Vulnerability in SystemUI</h3>

<p>An information disclosure vulnerability in the SystemUI could enable a local
malicious application to gain access to screenshots. This issue is rated as
Moderate severity because it could be used to improperly gain “<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>” permissions.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected versions</th>
    <th>Date reported</th>
 </tr>
 <tr>
    <td>CVE-2015-6630</td>
    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/51c2619c7706575a171cf29819db14e91b815a62">ANDROID-19121797</a></td>
    <td>Moderate</td>
    <td>5.0, 5.1, and 6.0</td>
    <td>Jan 22, 2015</td>
 </tr>
</table>

<h3 id="common_questions_and_answers">Common Questions and Answers</h3>

<p>This section will review answers to common questions that may occur after
reading this bulletin.</p>

<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p>

<p>Builds LMY48Z or later and Android 6.0 with Security Patch Level of
December 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device
manufacturers that include these updates should set the patch string level to:
[ro.build.version.security_patch]:[2015-12-01]</p>

<h2 id="revisions">Revisions</h2>
<ul>
  <li> December 07, 2015: Originally Published
  <li> December 09, 2015: Bulletin revised to include AOSP links.
</ul>