October 2018 Code Aurora Security Bulletin

By October 1, 2018Security Bulletin

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

None.

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-18281 High Video Internal

CVE-2017-18281

CVE ID CVE-2017-18281
Title Use of Out-of-range Pointer Offset in Video
Description A bool variable in Video function, which gets typecasted to int before being read could result in an out of bound read access.
Technology Area Video
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version Date Comments
1.0 October 1, 2018 Bulletin Published