Issue #1395
closedNexus Security Bulletin from September
90%
Description
Same procedure as in #1389. This time the bulletin from September: https://groups.google.com/forum/?_escaped_fragment_=msg/android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ#!msg/android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ
CVE-2015-3636: Elevation of Privilege Vulnerability in Kernel
https://github.com/torvalds/linux/commit/a134f083e79f
Elevation of Privilege Vulnerability in Binder
CVE-2015-3845
https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20%5E!/
CVE-2015-1528
https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254%5E!/
https://github.com/CyanogenMod/android_system_core/commit/d869e89766d80256117c528bbcc0854acbc068f1
CVE-2015-3863: Elevation of Privilege Vulnerability in Keystore
https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b%5E!/
merge conflict resolved
CVE-2015-3849: Elevation of Privilege Vulnerability in Region
https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885%5E!/
merge conflict: Problem is that readFromMemory() is not available in Replicant's Skia, so I kept the unflatten function in there.
https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3%5E!/
merge conflict: Same as above, working around missing readFromMemory()
CVE-2015-3858: Elevation of Privilege vulnerability in SMS enables notification bypass.
It seems that Replicant is not affected by this. android.permission.SEND_SMS_NO_CONFIRMATION was renamed to android.permission.SEND_RESPOND_VIA_MESSAGE in API level 18 so we should be safe.
CVE-2015-3861: Denial of Service Vulnerability in Mediaserver
https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0%5E!/
merge conflict resolved
Files