Version 1.2
Published: 11/20/2017
Updated: 8/9/2019
This document describes security vulnerabilities that were addressed through software changes up to October 2017. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel) and the Firefox OS for MSM and QRD Android projects. Qualcomm has rated these issues using the ranking scheme version 1.2, which can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2017-9683 | @derrekr6 (https://twitter.com/derrekr6) |
CVE-2016-8417, CVE-2016-8479, CVE-2017-11000, CVE-2017-11041, CVE-2017-11053, CVE-2017-8271, CVE-2017-9691 | Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
CVE-2016-5856, CVE-2017-9714 | Scott Bauer |
CVE-2016-5346 | Seven Shen from Trend Micro Mobile Threat Research Team |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2016-5346 | Medium | Audio | 12/6/2016 |
CVE-2016-5856 | Medium | Trusted Execution Environment | 11/24/2016 |
CVE-2016-8417 | Medium | Camera | 11/11/2016 |
CVE-2016-8479 | High | Graphics_Linux | 11/23/2016 |
CVE-2017-11000 | Medium | Camera | 4/11/2017 |
CVE-2017-11041 | High | Video | 5/26/2017 |
CVE-2017-11053 | High | WLAN HOST | 6/15/2017 |
CVE-2017-8271 | Medium | Display | 4/4/2017 |
CVE-2017-9683 | High | Boot | 4/20/2017 |
CVE-2017-9691 | Medium | Trusted Execution Environment | 1/26/2017 |
CVE-2017-9714 | High | WLAN HOST | 5/12/2017 |
CVE-2016-5346
Title | Information Exposure in Audio |
Description | While processing IOCTL_GET_AVTIMER_TICK, the uninitialized value of avtimer_tick is copied to user space. |
Technology Area | Audio |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/6/2016 |
Customer Notified Date | 1/10/2017 |
Patch |
CVE-2016-5856
Title | Integer Overflow to Buffer Overflow in Core |
Description | In the function spcom_handle_send_command(), an out-of-bounds access and an integer overflow leading to a heap buffer overflow may occur. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/24/2016 |
Customer Notified Date | 1/10/2017 |
Patch |
CVE-2016-8417
Title | Improper Input Validation in Camera |
Description | Memory over-read/overwrite is possible in the Camera driver due to improper bounds checking in the function msm_jpeg_hw_exec_cmds. |
Technology Area | Camera |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/11/2016 |
Customer Notified Date | 1/10/2017 |
Patch |
CVE-2016-8479
Title | Use of Uninitialized Variable in Graphics |
Description | A KGSL function allocates a context from the heap, but another function dereferences the context before it is initialized. |
Technology Area | Graphics_Linux |
Vulnerability Type | CWE-457 Use of Uninitialized Variable |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/23/2016 |
Customer Notified Date | 1/10/2017 |
Patch |
CVE-2017-11000
Title | Improper Input Validation in Camera |
Description | In an ISP Camera kernel driver function, an incorrect bounds check may potentially lead to an out-of-bounds write. |
Technology Area | Camera |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 4/11/2017 |
Customer Notified Date | 9/1/2017 |
Patch |
CVE-2017-11041
Title | Use After Free in Video |
Description | An output buffer is accessed in one thread and can potentially be freed in another. |
Technology Area | Video |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | 5/26/2017 |
Customer Notified Date | 9/1/2017 |
Patch |
CVE-2017-11053
Title | Improper Validation of Array Index in WLAN |
Description | When a QoS Map Set IE of length less than 16 is received in an association response or in a QoS Map Configure action frame, a buffer overflow can potentially occur in ConvertQosMapsetFrame(). |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | High |
Date Reported | 6/15/2017 |
Customer Notified Date | 9/1/2017 |
Patch |
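The length check behind CVE-2017-11053, as an added illustration that is not the CAF WLAN host code or ConvertQosMapsetFrame() itself: the QoS Map Set element body is zero or more 2-octet DSCP Exception fields followed by eight 2-octet UP-to-DSCP Range fields, so the range part alone is 16 octets and the number of exceptions is (length - 16) / 2. A parser that derives that count before checking the length turns a body shorter than 16 into a wrapped, enormous count. The struct layout, the 21-exception capacity and the sample element below are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not the CAF WLAN host driver). QoS Map Set
 * element body (IEEE 802.11-2016, 9.4.2.95): zero or more 2-octet DSCP
 * Exception fields {DSCP, UP}, then eight 2-octet UP-to-DSCP Range fields
 * {low, high}. The range part alone is 16 octets, so a body shorter than
 * 16, or of odd length, is malformed. */
#define QOS_MAP_RANGE_BYTES    16
#define QOS_MAP_MAX_EXCEPTIONS 21
#define QOS_MAP_MAX_BODY       (QOS_MAP_RANGE_BYTES + 2 * QOS_MAP_MAX_EXCEPTIONS)

struct qos_map_set {
    uint8_t num_dscp_exceptions;
    uint8_t dscp_exception[QOS_MAP_MAX_EXCEPTIONS][2];
    uint8_t dscp_range[8][2];
};

/* How a length-trusting parser derives the exception count. For a body
 * shorter than 16 the unsigned subtraction wraps, and a copy loop driven
 * by the result runs far past dscp_exception[]. Returned rather than used
 * here so the wrap can be observed without the overflow. */
size_t naive_exception_count(size_t body_len)
{
    return (body_len - QOS_MAP_RANGE_BYTES) / 2;
}

/* Hardened parse: reject the body unless its length is in range and even;
 * only then is every index derived from it inside the fixed arrays. */
int parse_qos_map_set(const uint8_t *body, size_t body_len, struct qos_map_set *out)
{
    size_t num_exc, i;

    if (body == NULL || out == NULL)
        return -EINVAL;
    if (body_len < QOS_MAP_RANGE_BYTES || body_len > QOS_MAP_MAX_BODY ||
        (body_len % 2) != 0)
        return -EINVAL;

    num_exc = (body_len - QOS_MAP_RANGE_BYTES) / 2;   /* now 0..21 */
    memset(out, 0, sizeof(*out));
    out->num_dscp_exceptions = (uint8_t)num_exc;
    for (i = 0; i < num_exc; i++) {
        out->dscp_exception[i][0] = body[2 * i];       /* DSCP */
        out->dscp_exception[i][1] = body[2 * i + 1];   /* UP */
    }
    memcpy(out->dscp_range, body + 2 * num_exc, QOS_MAP_RANGE_BYTES);
    return 0;
}

/* Constructed sample body: two exceptions (DSCP 16 -> UP 1, DSCP 46 -> UP 6)
 * followed by eight {low, high} ranges covering DSCP 0..63. */
const uint8_t sample_qos_map[20] = {
    16, 1,  46, 6,
    0, 7,  8, 15,  16, 23,  24, 31,  32, 39,  40, 47,  48, 55,  56, 63,
};

int main(void)
{
    struct qos_map_set m;

    printf("naive count for a 10-byte body: %zu\n", naive_exception_count(10));
    printf("hardened parse of a 10-byte body: %d\n",
           parse_qos_map_set(sample_qos_map, 10, &m));
    if (parse_qos_map_set(sample_qos_map, sizeof(sample_qos_map), &m) == 0)
        printf("valid body: %u exceptions, UP 7 -> DSCP %u..%u\n",
               m.num_dscp_exceptions, m.dscp_range[7][0], m.dscp_range[7][1]);
    return 0;
}
```

The same shape applies to the action-frame path the description mentions: whatever carries the element, the body length must be validated before any count or index is computed from it.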
CVE-2017-8271
Title | Buffer overflow in video driver |
Description | An out-of-bounds memory write can happen in the MDSS Rotator driver due to an unsanitized userspace-controlled parameter. |
Technology Area | Display |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 4/4/2017 |
Customer Notified Date | 9/1/2017 |
Patch |
CVE-2017-9683
Title | Integer Overflow or Wraparound in Boot |
Description | While flashing a meta image, an integer overflow can occur if the user-defined image offset and size values are too large. |
Technology Area | Boot |
Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
Access Vector | Local |
Security Rating | High |
Date Reported | 4/20/2017 |
Customer Notified Date | 6/5/2017 |
Patch |
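CVE-2017-9683 (user-defined offset and size while flashing a meta image) and CVE-2016-5856 (integer overflow to heap buffer overflow in spcom_handle_send_command()) are both the same arithmetic mistake: a bounds check written as `offset + size <= total`, or an allocation sized as `count * elem_size`, where the addition or multiplication wraps before the comparison sees it. The following is an added illustration, not the CAF bootloader or spcom code; it assumes 32-bit sizes and offsets, as an ioctl or flashing ABI would carry, so the arithmetic wraps at 2^32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only (not the CAF bootloader or spcom driver).
 * Assumption: offsets, sizes and counts are 32-bit, so they wrap at 2^32. */

/* Vulnerable form of the region check: offset + size wraps around, so a
 * region that starts near the top of the address range passes as "inside". */
bool region_ok_naive(uint32_t offset, uint32_t size, uint32_t total)
{
    return offset + size <= total;
}

/* Hardened form: detect the wrap before comparing (GCC/Clang builtin). */
bool region_ok(uint32_t offset, uint32_t size, uint32_t total)
{
    uint32_t end;

    if (offset > total)
        return false;
    if (__builtin_add_overflow(offset, size, &end))
        return false;
    return end <= total;
}

/* Same check without compiler builtins: subtract on the side that cannot
 * underflow instead of adding on the side that can overflow. */
bool region_ok_portable(uint32_t offset, uint32_t size, uint32_t total)
{
    if (offset > total)
        return false;
    return size <= total - offset;
}

/* Allocation sized from a caller-controlled element count: count * elem_size
 * can wrap to a small number, and the heap buffer allocated from it is then
 * overrun by the copy loop that trusts count. Returns the byte count, or 0
 * when the request is rejected (a zero-byte request is rejected as well). */
uint32_t checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t max_bytes)
{
    uint32_t bytes;

    if (count == 0 || elem_size == 0)
        return 0;
    if (__builtin_mul_overflow(count, elem_size, &bytes))
        return 0;
    if (bytes > max_bytes)
        return 0;
    return bytes;
}

int main(void)
{
    /* offset near 2^32 with a small size: the naive check wraps and accepts */
    printf("naive:    %d\n", region_ok_naive(0xFFFFFFF0u, 0x20u, 0x1000u));
    printf("hardened: %d\n", region_ok(0xFFFFFFF0u, 0x20u, 0x1000u));
    printf("portable: %d\n", region_ok_portable(0xFFFFFFF0u, 0x20u, 0x1000u));
    /* 0x40000001 * 4 wraps to 4 in 32 bits; the checked version rejects it */
    printf("alloc:    %u\n", checked_alloc_size(0x40000001u, 4u, 0x100000u));
    return 0;
}
```

The portable form is the one to prefer in code that must build with any compiler: once `offset <= total` is known, `total - offset` cannot underflow, so the comparison against `size` is exact without any overflow intrinsic.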
CVE-2017-9691
Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
Description | There is a race condition that allows access to already freed memory in the debug message output functionality contained within the mobicore driver. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/26/2017 |
Customer Notified Date | 7/3/2017 |
Patch |
CVE-2017-9714
Title | Improper Validation of Array Index in WLAN |
Description | An out-of-bounds memory access may happen in limCheckRxRSNIeMatch if an incorrect RSN IE is received from the client in an association request. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Adjacent Network |
Security Rating | High |
Date Reported | 5/12/2017 |
Customer Notified Date | 7/3/2017 |
Patch |
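For CVE-2017-9714 the attacker-controlled values are the suite counts inside the client's RSN IE: each count selects how many 4-octet suite selectors follow it, and an access point that copies that many selectors into a fixed-size array, or reads them from a frame that does not actually contain them, indexes out of bounds. The parser below is an added illustration of that validation and is not the CAF WLAN host code or limCheckRxRSNIeMatch; the element layout is IEEE 802.11's, while the four-suite capacity, the struct and the sample elements are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model only (not the CAF WLAN host driver). RSN element body
 * (IEEE 802.11-2016, 9.4.2.25): Version(2) GroupCipher(4) PairwiseCount(2)
 * PairwiseList(4*n) AKMCount(2) AKMList(4*m) Capabilities(2) ...; every
 * field after Version is optional, but the body may only end on a field
 * boundary. Counts are little endian and chosen by the peer. */
#define RSN_MAX_SUITES 4   /* assumed capacity of the receiver's arrays */

struct rsn_ie {
    uint16_t version;
    uint8_t  group_cipher[4];
    uint16_t pairwise_count;
    uint8_t  pairwise[RSN_MAX_SUITES][4];
    uint16_t akm_count;
    uint8_t  akm[RSN_MAX_SUITES][4];
    uint16_t capabilities;
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Copy one suite list whose count the peer chose. The vulnerable pattern is
 * `for (i = 0; i < count; i++) memcpy(dst[i], src + 4 * i, 4);` with count
 * checked against neither the fixed array nor the bytes left in the body. */
static int take_suite_list(const uint8_t *body, size_t len, size_t *pos,
                           uint16_t *count, uint8_t dst[RSN_MAX_SUITES][4])
{
    size_t n;

    if (len - *pos < 2)
        return -EINVAL;
    *count = get_le16(body + *pos);
    *pos += 2;
    n = *count;
    if (n > RSN_MAX_SUITES)       /* would overrun the fixed array */
        return -EINVAL;
    if (len - *pos < 4 * n)       /* would read past the end of the frame */
        return -EINVAL;
    memcpy(dst, body + *pos, 4 * n);
    *pos += 4 * n;
    return 0;
}

int parse_rsn_ie(const uint8_t *body, size_t len, struct rsn_ie *out)
{
    size_t pos;
    int rc;

    if (body == NULL || out == NULL || len < 2)
        return -EINVAL;
    memset(out, 0, sizeof(*out));
    out->version = get_le16(body);
    pos = 2;
    if (out->version != 1)
        return -EINVAL;
    if (pos == len)               /* a version-only element is legal */
        return 0;
    if (len - pos < 4)
        return -EINVAL;
    memcpy(out->group_cipher, body + pos, 4);
    pos += 4;
    if (pos == len)
        return 0;
    if ((rc = take_suite_list(body, len, &pos, &out->pairwise_count, out->pairwise)))
        return rc;
    if (pos == len)
        return 0;
    if ((rc = take_suite_list(body, len, &pos, &out->akm_count, out->akm)))
        return rc;
    if (pos == len)
        return 0;
    if (len - pos < 2)
        return -EINVAL;
    out->capabilities = get_le16(body + pos);
    return 0;                     /* PMKID list and group mgmt cipher not modelled */
}

/* Constructed sample: WPA2-PSK, CCMP-128 for both group and pairwise. */
const uint8_t sample_rsn[20] = {
    0x01, 0x00,                 /* version 1 */
    0x00, 0x0F, 0xAC, 0x04,     /* group cipher: CCMP-128 */
    0x01, 0x00,                 /* 1 pairwise suite */
    0x00, 0x0F, 0xAC, 0x04,     /* CCMP-128 */
    0x01, 0x00,                 /* 1 AKM suite */
    0x00, 0x0F, 0xAC, 0x02,     /* PSK */
    0x00, 0x00,                 /* RSN capabilities */
};

/* Constructed sample: pairwise count 0xFFFF with a single selector present. */
const uint8_t bad_rsn_count[12] = {
    0x01, 0x00,  0x00, 0x0F, 0xAC, 0x04,  0xFF, 0xFF,  0x00, 0x0F, 0xAC, 0x04,
};
```

Both bounds matter independently: a count that fits in the frame can still exceed the receiver's array, and a count that fits the array can still point past the end of a truncated element, so each list is checked against both before a single selector is copied.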
Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in most cases but may differ for one of the following reasons:
- Security protections such as SELinux are not enforced on some platforms
- The assessment of specific scenarios involving local denial of service or privilege escalation vulnerabilities in the high-level OS kernel differs
Version History
Version | Date | Comments |
1.0 | November 20, 2017 | Bulletin Published |
1.1 | June 18, 2019 | Additional patches added to CVE-2017-9714 |
1.2 | August 9, 2019 | Additional patches added to CVE-2017-9714 |