<p><strong>Replicant - Issue #1395: Nexus Security Bulletin from September</strong> (<a class="external" href="https://redmine.replicant.us/issues/1395">https://redmine.replicant.us/issues/1395</a>)</p>
<p><strong>Updated by My Self on 2015-11-18T20:59:40Z</strong> (<a class="external" href="https://redmine.replicant.us/issues/1395?journal_id=4329">journal 4329</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/1155">sec-bulletin-september-patches-reviewed.zip</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1155/sec-bulletin-september-patches-reviewed.zip">sec-bulletin-september-patches-reviewed.zip</a> added</li><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>90</i></li></ul><p>Thanks a lot for providing that patchset!</p>
<p>I've merged them all to my local repo and successfully compiled/reflashed/tested Replicant 4.2 on my i9100.</p>
<p>I've attached your patchset again, with the suffix -reviewed. I've modified the headers of your patches inside this attachment a bit: I added a Signed-off-by: {'From:' contact of the original patch header}, followed by your Signed-off-by/Tested-by line, finalized with my Tested-by line. Hope that's OK?<br />Additionally, I added one remaining patch (0009-Externally-reported-Moderate-severity-vulnerability.patch) to that re-uploaded patchset.</p>
<p>I've looked through the September patches provided by Google (<a class="external" href="https://groups.google.com/forum/#!topic/android-security-updates/1M7qbSvACjo">https://groups.google.com/forum/#!topic/android-security-updates/1M7qbSvACjo</a>) a bit and completed the overview as follows:</p>
<blockquote>
<p>CVE-2015-3864: Remote Code Execution Vulnerability in Mediaserver</p>
</blockquote>
<p>ANDROID-23034759: <a class="external" href="https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968">https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968</a><br />Affected versions: 5.1 and below<br />Result: already included in the stagefright patchset: <a class="external" href="http://redmine.replicant.us/issues/1287">http://redmine.replicant.us/issues/1287</a></p>
<blockquote>
<p>CVE-2015-3636: Elevation of Privilege Vulnerability in Kernel</p>
</blockquote>
<p>ANDROID-20770158: <a class="external" href="https://github.com/torvalds/linux/commit/a134f083e79f">https://github.com/torvalds/linux/commit/a134f083e79f</a><br />Affected versions: 5.1 and below<br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0001-ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch</p>
<blockquote>
<p>CVE-2015-3845: Elevation of Privilege Vulnerability in Binder</p>
</blockquote>
<p>ANDROID-17312693: <a class="external" href="https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20">https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20</a><br />Affected versions: 5.1 and below<br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0002-Disregard-alleged-binder-entities-beyond-parcel-boun.patch</p>
<blockquote>
<p>CVE-2015-1528: Elevation of Privilege Vulnerability in Binder</p>
</blockquote>
<p>ANDROID-19334482:<br /><a class="external" href="https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254">https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254</a><br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0003-Verify-that-the-native-handle-was-created.patch<br /><a class="external" href="https://android.googlesource.com/platform/system/core/+/e8c62fb484151f76ab88b1d5130f38de24ac8c14">https://android.googlesource.com/platform/system/core/+/e8c62fb484151f76ab88b1d5130f38de24ac8c14</a><br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0004-Prevent-integer-overflow-when-allocating-native_hand.patch<br />Affected versions: 5.1 and below</p>
<blockquote>
<p>CVE-2015-3863: Elevation of Privilege Vulnerability in Keystore</p>
</blockquote>
<p>ANDROID-22802399: <a class="external" href="https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b">https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b</a><br />Affected versions: 5.1 and below<br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0005-Fix-unchecked-length-in-Blob-creation.patch</p>
<blockquote>
<p>CVE-2015-3849: Elevation of Privilege Vulnerability in Region</p>
</blockquote>
<p>ANDROID-20883006:<br /><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885">https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885</a><br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0006-Check-that-the-parcel-contained-the-expected-amount.patch<br /><a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3">https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3</a><br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0007-DO-NOT-MERGE-Ensure-that-unparcelling-Region-only-re.patch<br />Affected versions: 5.1 and below</p>
<blockquote>
<p>CVE-2015-3858: Elevation of Privilege vulnerability in SMS enables notification bypass.</p>
</blockquote>
<p>ANDROID-22314646: <a class="external" href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586">https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586</a><br />Affected versions: 5.1 and below<br />Result: the patch wasn't found in the patchset, so I <strong>added</strong> it as: <strong>0009-Externally-reported-Moderate-severity-vulnerability.patch</strong></p>
<blockquote>
<p>CVE-2015-3860: Elevation of Privilege Vulnerability in Lockscreen</p>
</blockquote>
<p>ANDROID-22214934: <a class="external" href="https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590">https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590</a><br />Affected versions: 5.1 and 5.0<br />Result: codebase checked, not needed on Replicant 4.2.</p>
<blockquote>
<p>CVE-2015-3861: Denial of Service Vulnerability in Mediaserver</p>
</blockquote>
<p>ANDROID-21296336: <a class="external" href="https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0">https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0</a><br />Affected versions: 5.1 and below<br />Result: Included in Wolfgang Wiedmeyer's patchset -> 0008-Guard-against-codecinfo-overflow.patch</p>
<p><strong>Updated by Wolfgang Wiedmeyer (wreg@wiedmeyer.de) on 2015-12-10T00:09:52Z</strong> (<a class="external" href="https://redmine.replicant.us/issues/1395?journal_id=4401">journal 4401</a>)</p>
<blockquote>
<p>Additionally I added one left patch (0009-Externally-reported-Moderate-severity-vulnerability.patch) in that reuploaded patchset.</p>
</blockquote>
<blockquote><blockquote>
<p>CVE-2015-3858: Elevation of Privilege vulnerability in SMS enables notification bypass.</p>
</blockquote>
<p>ANDROID-22314646: <a class="external" href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586">https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586</a><br />Affected versions: 5.1 and below<br />Result: the patch wasn't found in the patchset, so I <strong>added</strong> it as: <strong>0009-Externally-reported-Moderate-severity-vulnerability.patch</strong></p>
</blockquote>
<p>Including that patch is imho not a good idea. I already wrote:</p>
<blockquote>
<p>It seems that Replicant is not affected by this. android.permission.SEND_SMS_NO_CONFIRMATION was renamed to android.permission.SEND_RESPOND_VIA_MESSAGE in API level 18 so we should be safe.</p>
</blockquote>
<p>So if this patch is included in the current Replicant 4.2 code, it checks for a permission string that does not exist. This would actually introduce the vulnerability in Replicant.</p>
<p>Please correct me if I'm wrong!</p>
<p><strong>Updated by Denis 'GNUtoo' Carikli (GNUtoo@cyberdimension.org) on 2015-12-11T14:52:21Z</strong> (<a class="external" href="https://redmine.replicant.us/issues/1395?journal_id=4581">journal 4581</a>)</p>
<ul><li><strong>Device</strong> <i>Not device specific</i> added</li></ul>
<p><strong>Updated by My Self on 2016-05-30T12:14:03Z</strong> (<a class="external" href="https://redmine.replicant.us/issues/1395?journal_id=6273">journal 6273</a>)</p>
<ul><li><strong>Device</strong> <i></i> added</li><li><strong>Device</strong> deleted (<del><i>Not device specific</i></del>)</li></ul><p>Wolfgang Wiedmeyer wrote:</p>
<blockquote><blockquote>
<p>Additionally I added one left patch (0009-Externally-reported-Moderate-severity-vulnerability.patch) in that reuploaded patchset.</p>
</blockquote>
<blockquote><blockquote>
<p>CVE-2015-3858: Elevation of Privilege vulnerability in SMS enables notification bypass.</p>
</blockquote>
<p>ANDROID-22314646: <a class="external" href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586">https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586</a><br />Affected versions: 5.1 and below<br />Result: the patch wasn't found in the patchset, so I <strong>added</strong> it as: <strong>0009-Externally-reported-Moderate-severity-vulnerability.patch</strong></p>
</blockquote>
<p>Including that patch is imho not a good idea. I already wrote:</p>
<blockquote>
<p>It seems that Replicant is not affected by this. android.permission.SEND_SMS_NO_CONFIRMATION was renamed to android.permission.SEND_RESPOND_VIA_MESSAGE in API level 18 so we should be safe.</p>
</blockquote>
<p>So if this patch is included in the current Replicant 4.2 code, it checks for a permission string that does not exist. This would actually introduce the vulnerability in Replicant.</p>
<p>Please correct me if I'm wrong!</p>
</blockquote>
<p>Sorry, my bad. You're absolutely right.</p>
<p><strong>Updated by Wolfgang Wiedmeyer (wreg@wiedmeyer.de) on 2017-04-22T18:21:11Z</strong> (<a class="external" href="https://redmine.replicant.us/issues/1395?journal_id=6613">journal 6613</a>)</p>
<ul><li><strong>Target version</strong> set to <i>Replicant 4.2</i></li></ul>
<p><strong>Updated by Kurtis Hanna (Kurtis@riseup.net) on 2019-08-16T20:59:34Z</strong> (<a class="external" href="https://redmine.replicant.us/issues/1395?journal_id=7526">journal 7526</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>wontfix</i></li></ul><p>This issue has been closed because Replicant 4.2 is no longer supported or maintained.</p>
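<p>As an added example (not code from the Replicant project or from any poster in this thread), the following script does the kind of check Wolfgang Wiedmeyer's objection to patch 0009 calls for when backporting a permission-related fix across the API 18 rename: it extracts every permission name a patch references on its added lines and confirms each one is actually declared in the target tree's platform manifest. The patch hunk and both manifest snippets are constructed for illustration; they are not the real commit df31d37d linked above nor the real AndroidManifest.xml, and the function names are this example's own. The check is general: it catches any permission a patch introduces that the target tree never declares, not only the SEND_SMS_NO_CONFIRMATION / SEND_RESPOND_VIA_MESSAGE case discussed here.</p>

```python
"""Backport sanity check: are the permissions a patch references declared
in the target tree?

Added example, not Replicant project code. The patch hunk and the two
manifests below are constructed for illustration; they are not the real
commit df31d37d or the real frameworks/base/core/res/AndroidManifest.xml.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Matches the Java constant form (Manifest.permission.FOO) and the string
# form ("android.permission.FOO") as both appear in framework code.
PERMISSION_RE = re.compile(
    r"(?:Manifest\.permission\.|android\.permission\.)([A-Z][A-Z0-9_]+)"
)

# Constructed hunk in the shape of a permission check; NOT the real fix.
CONSTRUCTED_PATCH = """\
--- a/src/java/com/android/internal/telephony/SMSDispatcher.java
+++ b/src/java/com/android/internal/telephony/SMSDispatcher.java
@@ -10,6 +10,12 @@
     void sendText(String dest, String text) {
+        // constructed: refuse the call unless the caller holds the permission
+        if (mContext.checkCallingOrSelfPermission(
+                Manifest.permission.SEND_RESPOND_VIA_MESSAGE)
+                != PackageManager.PERMISSION_GRANTED) {
+            return;
+        }
         dispatch(dest, text);
     }
"""

# Constructed stand-in for a 4.2 (API 17) platform manifest, which still
# declares the older permission name.
CONSTRUCTED_MANIFEST_42 = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="android">
    <permission android:name="android.permission.SEND_SMS" />
    <permission android:name="android.permission.SEND_SMS_NO_CONFIRMATION" />
</manifest>
"""

# Constructed stand-in for an API 18+ manifest after the rename.
CONSTRUCTED_MANIFEST_43 = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="android">
    <permission android:name="android.permission.SEND_SMS" />
    <permission android:name="android.permission.SEND_RESPOND_VIA_MESSAGE" />
</manifest>
"""


def permissions_in_patch(patch_text):
    """Permission names referenced on added ('+') lines of a unified diff."""
    found = set()
    for line in patch_text.splitlines():
        # '+++' is the file header, not an added line.
        if line.startswith("+") and not line.startswith("+++"):
            found.update(PERMISSION_RE.findall(line))
    return found


def permissions_in_manifest(manifest_text):
    """Permission names declared via <permission android:name="android.permission.X"/>."""
    prefix = "android.permission."
    declared = set()
    for node in ET.fromstring(manifest_text).iter("permission"):
        name = node.get("{%s}name" % ANDROID_NS, "")
        if name.startswith(prefix):
            declared.add(name[len(prefix):])
    return declared


def missing_permissions(patch_text, manifest_text):
    """Permissions the patch references that the target manifest never declares.

    A non-empty result means the backported check names a permission that no
    component on that tree declares or can hold, so it cannot behave as the
    upstream patch intended; that is the situation described in the thread.
    """
    return sorted(permissions_in_patch(patch_text) - permissions_in_manifest(manifest_text))


if __name__ == "__main__":
    for label, manifest in (("4.2-style", CONSTRUCTED_MANIFEST_42),
                            ("4.3-style", CONSTRUCTED_MANIFEST_43)):
        missing = missing_permissions(CONSTRUCTED_PATCH, manifest)
        print("%s: %s" % (label, "OK" if not missing else "undeclared: " + ", ".join(missing)))
```

<p>Against a real tree you would read the patch file and the platform manifest (in AOSP, frameworks/base/core/res/AndroidManifest.xml) instead of the constructed strings; an empty result is necessary but not sufficient, since a permission can exist under the expected name and still carry a different protection level than the patch assumes, which a reviewer still has to check by hand.</p>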