Project

General

Profile

Issue #1389

Nexus Security Bulletin from August

Added by Wolfgang Wiedmeyer about 5 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
High
Category:
Security
Target version:
Start date:
10/18/2015
Due date:
% Done:

90%

Estimated time:
Resolution:
wontfix
Device:
Grant:

Description

Google now releases monthly security bulletins. I went through the one from August, which also includes some older security fixes: https://groups.google.com/forum/?_escaped_fragment_=msg/android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ#!msg/android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ
Although most of the Stagefright related stuff is already fixed in Replicant, some other security bugs aren't.
I added a note below the link to the commit if the patch needed to be changed.

CVE-2015-3836: Buffer overflow in Sonivox Parse_wave
https://android.googlesource.com/platform/external/sonivox/+/e999f077f6ef59d20282f1e04786816a31fb8be6%5E!/

CVE-2015-3832: Buffer overflows in libstagefright MPEG4Extractor.cpp
https://github.com/CyanogenMod/android_frameworks_av/commit/c086b29ee1353fe85e3c08cb2ea4ce1f5dd462d7
merge conflict resolved

CVE-2015-0973: Vulnerability in libpng: Overflow in png_Read_IDAT_data
https://github.com/CyanogenMod/android_external_libpng/commit/abd737d8149ee16d843c2d9d65f75ecf13d6ca99

CVE-2015-1863: Remotely exploitable memcpy() overflow in p2p_add_device() in wpa_supplicant
https://android.googlesource.com/platform/external/wpa_supplicant_8/+/4cf0f2d0d869c35a9ec4432861d5efa8ead4279c%5E!/
Replicant also has the repository external_wpa_supplicant_8_ti, so I applied the patch to this repository, too.

CVE-2015-3834: Buffer overflow in mediaserver BnHDCP
https://android.googlesource.com/platform/frameworks/av/+/c82e31a7039a03dca7b37c65b7890ba5c1e18ced%5E!/
merge conflict resolved

CVE-2015-3835: Buffer overflow in libstagefright OMXNodeInstance::emptyBuffer
https://github.com/CyanogenMod/android_frameworks_av/commit/49fa7b75b65c3047f55efb4cd2b25261f4289799

CVE-2015-3843: Applications can intercept or emulate SIM commands to Telephony
https://android.googlesource.com/platform/frameworks/opt/telephony/+/b48581401259439dc5ef6dcf8b0f303e4cbefbe9%5E!/
merge conflict resolved

https://android.googlesource.com/platform/packages/apps/Stk/+/1d8e00160c07ae308e5b460214eb2a425b93ccf7%5E!/
merge conflict resolved

https://android.googlesource.com/platform/frameworks/base/+/a5e904e7eb3aaec532de83ca52e24af18e0496b4%5E!/#F0
merge conflict resolved

CVE-2015-1536: Vulnerability in Bitmap unmarshalling
https://android.googlesource.com/platform/frameworks/base/+/d44e5bde18a41beda39d49189bef7f2ba7c8f3cb%5E!/
patch does not work at all. I ported the changes manually. There is also a small change in external/skia necessary for this patch to work. Please review carefully!

CVE-2015-3844: ActivityManagerService.getProcessRecordLocked() may load a system UID application into the wrong process
https://github.com/CyanogenMod/android_frameworks_base/commit/22a5396c052bef500ceea2522c7d8ae61be39c4f

Patches are attached.
These and my other changes can also be found in my personal repository at https://code.fossencdi.org


Files

sec-bulletin-august-patches.zip (13.4 KB) sec-bulletin-august-patches.zip patches Wolfgang Wiedmeyer, 10/18/2015 12:59 PM
sec-bulletin-august-patches-reviewed.zip (14.8 KB) sec-bulletin-august-patches-reviewed.zip My Self, 11/17/2015 09:38 PM

Also available in: Atom PDF