[Secure-testing-commits] r49777 - data/CVE

Ben Hutchings benh at moszumanska.debian.org
Sat Mar 18 20:28:38 UTC 2017


Author: benh
Date: 2017-03-18 20:28:38 +0000 (Sat, 18 Mar 2017)
New Revision: 49777

Modified:
   data/CVE/list
Log:
Triage some Android issues; mark most as NOT-FOR-US

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-03-18 18:47:34 UTC (rev 49776)
+++ data/CVE/list	2017-03-18 20:28:38 UTC (rev 49777)
@@ -37078,7 +37078,7 @@
 CVE-2016-3890 (The Java Debug Wire Protocol (JDWP) implementation in adb/sockets.cpp ...)
 	TODO: check
 CVE-2016-3889 (Android 6.x before 2016-09-01 and 7.0 before 2016-09-01 allows ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2016-3888 (internal/telephony/SMSDispatcher.java in Android 4.x before 4.4.4, ...)
 	NOT-FOR-US: Android
 CVE-2016-3887 (providers/settings/SettingsProvider.java in Android 7.0 before ...)
@@ -37227,7 +37227,7 @@
 CVE-2016-3819 (Integer overflow in codecs/on2/h264dec/source/h264bsd_dpb.c in ...)
 	NOT-FOR-US: libstagefright
 CVE-2016-3818 (libc in Android 4.x before 4.4.4 allows remote attackers to cause a ...)
-	TODO: check
+	NOT-FOR-US: Android libc
 CVE-2016-3817
 	RESERVED
 CVE-2016-3816 (The MediaTek display driver in Android before 2016-07-05 on Android ...)
@@ -37257,9 +37257,13 @@
 CVE-2016-3804 (The MediaTek power management driver in Android before 2016-07-05 on ...)
 	NOT-FOR-US: MediaTek driver for Android
 CVE-2016-3803 (The kernel filesystem implementation in Android before 2016-07-05 on ...)
-	TODO: check
+	- linux <undetermined>
+	NOTE: https://source.android.com/security/bulletin/2016-07-01.html
+	NOTE: No source patch available, so may relate to Apache-licensed sdcardfs.
 CVE-2016-3802 (The kernel filesystem implementation in Android before 2016-07-05 on ...)
-	TODO: check
+	- linux <undetermined>
+	NOTE: https://source.android.com/security/bulletin/2016-07-01.html
+	NOTE: No source patch available, so may relate to Apache-licensed sdcardfs.
 CVE-2016-3801 (The MediaTek GPS driver in Android before 2016-07-05 on Android One ...)
 	NOT-FOR-US: MediaTek driver for Android
 CVE-2016-3800 (The MediaTek video driver in Android before 2016-07-05 on Android One ...)
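Review bot: the second NOTE on CVE-2016-3803 and CVE-2016-3802 goes from "No source patch available" to "may relate to Apache-licensed sdcardfs" without stating what connects the two. Spell out that inference in the NOTE. Since both entries are filed as "- linux <undetermined>", also record what finding would settle the status either way, so the next person triaging does not have to reconstruct the reasoning from the bulletin URL alone.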
@@ -37313,7 +37317,9 @@
 CVE-2016-3776
 	RESERVED
 CVE-2016-3775 (The kernel filesystem implementation in Android before 2016-07-05 on ...)
-	TODO: check
+	- linux <undetermined>
+	NOTE: https://source.android.com/security/bulletin/2016-07-01.html
+	NOTE: No source patch available, so may relate to Apache-licensed sdcardfs.
 CVE-2016-3774 (The MediaTek drivers in Android before 2016-07-05 on Android One ...)
 	NOT-FOR-US: MediaTek drivers for Android
 CVE-2016-3773 (The MediaTek drivers in Android before 2016-07-05 on Android One ...)
@@ -37339,7 +37345,7 @@
 CVE-2016-3763 (net/PacProxySelector.java in the Proxy Auto-Config (PAC) feature in ...)
 	NOT-FOR-US: Android
 CVE-2016-3762 (The sockets subsystem in Android 5.0.x before 5.0.2, 5.1.x before ...)
-	TODO: check
+	NOT-FOR-US: Android SELinux policy
 CVE-2016-3761 (NfcService.java in NFC in Android 4.x before 4.4.4, 5.0.x before ...)
 	NOT-FOR-US: Android
 CVE-2016-3760 (Bluetooth in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x ...)
@@ -37347,9 +37353,9 @@
 CVE-2016-3759 (The Framework APIs in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, ...)
 	NOT-FOR-US: Android
 CVE-2016-3758 (Multiple buffer overflows in libdex/OptInvocation.cpp in ...)
-	TODO: check
+	- android-platform-dalvik 6.0.1+r55-1
 CVE-2016-3757 (The print_maps function in toolbox/lsof.c in Android 4.x before 4.4.4, ...)
-	TODO: check
+	NOT-FOR-US: toolbox
 CVE-2016-3756 (Tremolo/res012.c in mediaserver in Android 4.x before 4.4.4, 5.0.x ...)
 	NOT-FOR-US: Android Mediaserver
 CVE-2016-3755 (decoder/ih264d_parse_pslice.c in mediaserver in Android 6.x before ...)
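Review bot: CVE-2016-3758 is the only entry in this commit that is given a fixed version ("- android-platform-dalvik 6.0.1+r55-1"), and it has no NOTE naming the upstream fix or bulletin the version was checked against, unlike the kernel entries in this commit, which cite their source. Add a NOTE with the reference used to conclude that 6.0.1+r55-1 contains the fix for libdex/OptInvocation.cpp.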
@@ -37367,11 +37373,11 @@
 CVE-2016-3749 (server/LockSettingsService.java in LockSettingsService in Android 6.x ...)
 	NOT-FOR-US: Android
 CVE-2016-3748 (The sockets subsystem in Android 6.x before 2016-07-01 allows ...)
-	TODO: check
+	NOT-FOR-US: Android SELinux policy
 CVE-2016-3747 (Use-after-free vulnerability in the mm-video-v4l2 venc component in ...)
-	TODO: check
+	NOT-FOR-US: Android Mediaserver
 CVE-2016-3746 (Use-after-free vulnerability in the mm-video-v4l2 vdec component in ...)
-	TODO: check
+	NOT-FOR-US: Android Mediaserver
 CVE-2016-3745 (Multiple buffer overflows in mediaserver in Android 4.x before 4.4.4, ...)
 	NOT-FOR-US: Android Mediaserver
 CVE-2016-3744 (Buffer overflow in the create_pbuf function in btif/src/btif_hh.c in ...)
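Review bot: the tag on CVE-2016-3748 ("Android SELinux policy") does not follow from its description, which names the sockets subsystem, and no NOTE records where the classification came from. The same applies to CVE-2016-3762 earlier in this patch. A NOTE with the bulletin or fix URL, as added for the CVE-2015-6646, CVE-2015-6642 and CVE-2015-6640 entries, would let a reader verify the NOT-FOR-US decision.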
@@ -55221,7 +55227,9 @@
 CVE-2015-6647 (The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 ...)
 	NOT-FOR-US: Android
 CVE-2015-6646 (The System V IPC implementation in the kernel in Android before 6.0 ...)
-	- linux <undetermined>
+	NOT-FOR-US: Android
+	NOTE: https://source.android.com/security/bulletin/2016-01-01.html
+	NOTE: This doesn't represent a specific kernel vulnerability. Android does not need and did not apply resource limits to System V IPC.
 CVE-2015-6645 (SyncManager in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 ...)
 	NOT-FOR-US: Android
 CVE-2015-6644 (Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 ...)
@@ -55229,11 +55237,13 @@
 CVE-2015-6643 (Setup Wizard in Android 5.x before 5.1.1 LMY49F and 6.0 before ...)
 	NOT-FOR-US: Android
 CVE-2015-6642 (The kernel in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm driver for Android
+	NOTE: https://www.codeaurora.org/projects/security-advisories/information-disclosure-vulnerability-kernel-ipc-router-module-cve-2015-6642
 CVE-2015-6641 (Bluetooth in Android 6.0 before 2016-01-01 allows remote attackers to ...)
 	NOT-FOR-US: Android
 CVE-2015-6640 (The prctl_set_vma_anon_name function in kernel/sys.c in Android before ...)
-	TODO: check
+	NOT-FOR-US: Android kernel extension
+	NOTE: https://android.googlesource.com/kernel%2Fcommon/+/69bfe2d957d903521d32324190c2754cb073be15
 CVE-2015-6639 (The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 ...)
 	NOT-FOR-US: Android
 CVE-2015-6638 (The Imagination Technologies driver in Android 5.x before 5.1.1 LMY49F ...)
@@ -55276,6 +55286,8 @@
 	NOT-FOR-US: libstagefright
 CVE-2015-6619 (The kernel in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...)
 	TODO: check
+	NOTE: https://android.googlesource.com/device%2Fhtc%2Fflounder-kernel/+/25d3e5d71865a7c0324423fad87aaabb70e82ee4
+	NOTE: Appears to be caused by a flawed backport of O_TMPFILE feature
 CVE-2015-6618 (Bluetooth in Android 4.4 and 5.x before 5.1.1 LMY48Z allows ...)
 	NOT-FOR-US: Android
 CVE-2015-6617 (Skia, as used in Android before 5.1.1 LMY48Z and 6.0 before ...)
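Review bot: CVE-2015-6619 keeps "TODO: check" even though the two new NOTEs already point at a commit in device/htc/flounder-kernel and attribute the bug to a flawed O_TMPFILE backport. If that reading holds, the status could be resolved here in the same way as CVE-2015-6640. If something is still open, say in a NOTE what remains to be checked, for example whether the backport exists outside that tree.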



