~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2015-1538
PublicDate: 2015-09-30
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1538
 https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8
 http://review.cyanogenmod.org/#/q/status:merged+project:CyanogenMod/android_frameworks_av+branch:cm-12.1
 http://review.cyanogenmod.org/#/q/status:merged+project:CyanogenMod/android_frameworks_av+branch:cm-12.0
 https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Stagefright
Description:
 Integer overflow in the SampleTable::setSampleToChunkParams function in
 SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows
 remote attackers to execute arbitrary code via crafted atoms in MP4 data
 that trigger an unchecked multiplication, aka internal bug 20139950, a
 related issue to CVE-2015-4496.
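 The description above names the bug class (an unchecked multiplication on an
 attacker-controlled entry count from a crafted MP4 atom). The following is an
 added illustration, not code from libstagefright or from this tracker: a
 simplified sample-to-chunk table parser showing the vulnerable 32-bit size
 computation next to a checked one that rejects a count inconsistent with the
 atom's payload. The entry layout, function names and payload format are
 assumptions made for the example; the real SampleTable.cpp code differs.

```c
/* Added illustration, not libstagefright's code. The entry layout, names and
 * payload format are assumptions for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed 12-byte entry: first_chunk, samples_per_chunk, sample_description_id. */
typedef struct {
    uint32_t first_chunk;
    uint32_t samples_per_chunk;
    uint32_t sample_desc_id;
} stc_entry_t;

#define STC_ENTRY_WIRE_SIZE 12u
_Static_assert(sizeof(stc_entry_t) == STC_ENTRY_WIRE_SIZE, "entry layout assumed packed");

/* Vulnerable pattern: allocation size computed in 32 bits with no overflow
 * check. For count = 0x15555556 the product is 0x100000008, which wraps to 8,
 * so a table for 0x15555556 entries would be allocated with 8 bytes. */
uint32_t unchecked_table_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(stc_entry_t);
}

/* Hardened pattern: detect overflow of the product and require that the atom
 * actually carries that many entries. Returns false on any inconsistency. */
bool checked_table_bytes(uint32_t count, size_t atom_payload_len, size_t *out_bytes)
{
    size_t bytes;
    if (__builtin_mul_overflow((size_t)count, sizeof(stc_entry_t), &bytes))
        return false;                 /* product does not fit in size_t */
    if (bytes > atom_payload_len)
        return false;                 /* count claims entries the atom does not contain */
    *out_bytes = bytes;
    return true;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an assumed stsc payload: 4-byte big-endian entry count, then entries.
 * Caller frees the result. Returns NULL when the count is inconsistent. */
stc_entry_t *parse_stsc(const uint8_t *payload, size_t len, uint32_t *n_out)
{
    if (len < 4)
        return NULL;
    uint32_t count = be32(payload);
    size_t bytes;
    if (!checked_table_bytes(count, len - 4, &bytes))
        return NULL;
    stc_entry_t *table = malloc(bytes ? bytes : 1);
    if (!table)
        return NULL;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = payload + 4 + (size_t)i * STC_ENTRY_WIRE_SIZE;
        table[i].first_chunk       = be32(e);
        table[i].samples_per_chunk = be32(e + 4);
        table[i].sample_desc_id    = be32(e + 8);
    }
    *n_out = count;
    return table;
}

/* Constructed sample inputs (not real file data). */
static const uint8_t GOOD_STSC[] = {
    0x00, 0x00, 0x00, 0x02,                         /* count = 2 */
    0, 0, 0, 1,  0, 0, 0, 4,  0, 0, 0, 1,           /* entry 0 */
    0, 0, 0, 5,  0, 0, 0, 2,  0, 0, 0, 1            /* entry 1 */
};
static const uint8_t CRAFTED_STSC[] = {
    0x15, 0x55, 0x55, 0x56,                         /* count whose 32-bit product wraps to 8 */
    0, 0, 0, 0,  0, 0, 0, 0                         /* only 8 bytes follow */
};

/* Returns true when the good table parses and the crafted count is rejected. */
bool demo(void)
{
    uint32_t n = 0, m = 0;
    stc_entry_t *t = parse_stsc(GOOD_STSC, sizeof GOOD_STSC, &n);
    bool ok = t && n == 2 && t[1].first_chunk == 5 && t[1].samples_per_chunk == 2;
    free(t);
    ok = ok && parse_stsc(CRAFTED_STSC, sizeof CRAFTED_STSC, &m) == NULL;
    return ok;
}
```

 The payload-length check is the guard that matters in practice: even on a
 64-bit build where the product cannot wrap a size_t, a count larger than the
 atom's contents would otherwise drive the copy loop past the end of the atom.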
Ubuntu-Description:
Notes:
 jdstrand> there are limited public details on the issue and these will not be
  disclosed until BlackHat/DEFCON next month. Will use this CVE for all
  information until details are published
 jdstrand> the following patches are the likely fixes (12.1):
  http://review.cyanogenmod.org/#/c/102619/ (code not present, requires edd4a76eb4747bd19ed122df46fa46b452c12a0d)
  http://review.cyanogenmod.org/#/c/102620/ (ebf0d0940f7f42b220b19d3baaee7efb4c6b787d)
  http://review.cyanogenmod.org/#/c/102623/ (4a39c150327e080072d5f8e4239c6bbbbabd48d8)
  http://review.cyanogenmod.org/#/c/103266/ (7ff5505d36b1cfd8b03497e0fb5aa24b5b099e45)
  http://review.cyanogenmod.org/#/c/103267/ (b1f29294f1a5831eb52a81d3ee082a9475f6e879)
  http://review.cyanogenmod.org/#/c/103268/ (889ae4ad7227c395615d03b24a1667caa162c75f)
  http://review.cyanogenmod.org/#/c/103269/ (9824bfd6eec1daa93cf76b6f4199602fe35f1d9d, code not present on 15.04/15.10)
  http://review.cyanogenmod.org/#/c/103270/ (57db9b42418b434751f609ac7e5539367e9f01a6, code not present on 15.04/15.10)
 jdstrand> the attack appears to be if an application opens a specially crafted
  MPEG4 file, an attacker could cause an application crash or execute arbitrary
  code by accessing out of bounds memory. In the case of Android, the video
  could be texted to the victim's number and the system will automatically
  start processing the video by examining the video's container and metadata
 jdstrand> Ubuntu's 'android' package is based on CyanogenMod 12.0
 jdstrand> Ubuntu 14.04 'android' package is affected but no supported images
  use it
 jdstrand> All patches (ESDS, SampleTable and MPEG4Extractor) are for MPEG-4
  processing
 jdstrand> media-hub will typically process MPEG4 files for the system and it
  uses gst-plugins-bad which uses media_codec_* from libhybris but libhybris
  doesn't expose the affected stagefright code (confirmed with jhodapp and
  rsalveti). Therefore, the specific attack of texting a crafted video will not
  work
 jdstrand> services and well-behaved Ubuntu Store apps may access the
  stagefright library via libhybris, but libhybris doesn't expose the affected
  code so these services and apps are not affected
 jdstrand> malicious Ubuntu Store apps could access the stagefright library but
  are otherwise isolated by the app-specific AppArmor profiles
 jdstrand> malicious Ubuntu Store apps could access one of the binder services
  in the container via /dev/binder but none of them use stagefright (the
  services are: healthd, servicemanager, rild, drmserver, camera_service and
  sensorservice, all confirmed via their respective Android.mk files to not
  link stagefright)
 jdstrand> based on the above, adjust priority to 'negligible'
Bugs:
Priority: negligible
Discovered-by:
Assigned-to:

Tags_android: apparmor
Patches_android:
upstream_android: pending
precise_android: DNE
trusty_android: ignored
vivid_android: ignored
vivid/stable-phone-overlay_android: ignored
vivid/ubuntu-core_android: DNE
wily_android: ignored
devel_android: ignored

Patches_libhybris:
upstream_libhybris: not-affected
precise_libhybris: DNE
trusty_libhybris: not-affected
vivid_libhybris: not-affected
vivid/stable-phone-overlay_libhybris: not-affected
vivid/ubuntu-core_libhybris: DNE
wily_libhybris: not-affected
devel_libhybris: not-affected