Candidate: CVE-2015-1538
PublicDate: 2015-09-30
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1538
https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8
http://review.cyanogenmod.org/#/q/status:merged+project:CyanogenMod/android_frameworks_av+branch:cm-12.1
http://review.cyanogenmod.org/#/q/status:merged+project:CyanogenMod/android_frameworks_av+branch:cm-12.0
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Stagefright
Description:
Integer overflow in the SampleTable::setSampleToChunkParams function in
SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows
remote attackers to execute arbitrary code via crafted atoms in MP4 data
that trigger an unchecked multiplication, aka internal bug 20139950, a
related issue to CVE-2015-4496.
Ubuntu-Description:
Notes:
jdstrand> there are limited public details on the issue and these will not be
disclosed until BlackHat/DEFCON next month. Will use this CVE for all
information until details are published
jdstrand> the following patches are the likely fixes (12.1):
http://review.cyanogenmod.org/#/c/102619/ (code not present, requires edd4a76eb4747bd19ed122df46fa46b452c12a0d)
http://review.cyanogenmod.org/#/c/102620/ (ebf0d0940f7f42b220b19d3baaee7efb4c6b787d)
http://review.cyanogenmod.org/#/c/102623/ (4a39c150327e080072d5f8e4239c6bbbbabd48d8)
http://review.cyanogenmod.org/#/c/103266/ (7ff5505d36b1cfd8b03497e0fb5aa24b5b099e45)
http://review.cyanogenmod.org/#/c/103267/ (b1f29294f1a5831eb52a81d3ee082a9475f6e879)
http://review.cyanogenmod.org/#/c/103268/ (889ae4ad7227c395615d03b24a1667caa162c75f)
http://review.cyanogenmod.org/#/c/103269/ (9824bfd6eec1daa93cf76b6f4199602fe35f1d9d, code not present on 15.04/15.10)
http://review.cyanogenmod.org/#/c/103270/ (57db9b42418b434751f609ac7e5539367e9f01a6, code not present on 15.04/15.10)
jdstrand> the attack appears to be if an application opens a specially crafted
MPEG4 file, an attacker could cause an application crash or execute arbitrary
code by accessing out of bounds memory. In the case of Android, the video
could be texted to the victim's number and the system will automatically
start processing the video by examining the video's container and metadata
jdstrand> Ubuntu's 'android' package is based on CyanogenMod 12.0
jdstrand> Ubuntu 14.04 'android' package is affected but no supported images
use it
jdstrand> All patches (ESDS, SampleTable and MPEG4Extractor) are for MPEG-4
processing
jdstrand> media-hub will typically process MPEG4 files for the system and it
uses gst-plugins-bad which uses media_codec_* from libhybris but libhybris
doesn't expose the affected stagefright code (confirmed with jhodapp and
rsalveti). Therefore, the specific attack of texting a crafted video will not
work
jdstrand> services and well-behaved Ubuntu Store apps may access the
stagefright library via libhybris, but libhybris doesn't expose the affected
code so these services and apps are not affected
jdstrand> malicious Ubuntu Store apps could access the stagefright library but
are otherwise isolated by the app-specific AppArmor profiles
jdstrand> malicious Ubuntu Store apps could access one of the binder services
in the container via /dev/binder but none of them use stagefright (the
services are: healthd, servicemanager, rild, drmserver, camera_service and
sensorservice, all confirmed via their respective Android.mk files to not
link stagefright)
jdstrand> based on the above, adjust priority to 'negligible'
Bugs:
Priority: negligible
Discovered-by:
Assigned-to:
Tags_android: apparmor
Patches_android:
upstream_android: pending
precise_android: DNE
trusty_android: ignored
vivid_android: ignored
vivid/stable-phone-overlay_android: ignored
vivid/ubuntu-core_android: DNE
wily_android: ignored
devel_android: ignored
Patches_libhybris:
upstream_libhybris: not-affected
precise_libhybris: DNE
trusty_libhybris: not-affected
vivid_libhybris: not-affected
vivid/stable-phone-overlay_libhybris: not-affected
vivid/ubuntu-core_libhybris: DNE
wily_libhybris: not-affected
devel_libhybris: not-affected
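The Description above attributes the bug to an unchecked multiplication on an attacker-controlled entry count in the MP4 sample table. As an added illustration of that bug class and its fix (not the libstagefright code or any of the patches listed above), the weak 32-bit size computation is shown beside a parser that bounds the declared count by the bytes actually present; it assumes the stsc layout (32-bit count, then 12-byte entries) and uses constructed sample bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed layout of an MP4 sample-to-chunk (stsc) table body after its
 * version/flags word: big-endian 32-bit count, then 12-byte entries. */
#define STSC_ENTRY_SIZE 12u
struct stsc_entry { uint32_t first_chunk, samples_per_chunk, sample_desc_idx; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Weak pattern (illustration, not the libstagefright code): count times entry
 * size in 32 bits with no range check wraps, so later copies overrun the buffer. */
uint32_t unchecked_table_bytes(uint32_t count) {
    return count * STSC_ENTRY_SIZE;
}

/* Hardened parser: bound the declared count by the bytes actually present using a
 * division (cannot overflow) before any allocation. NULL and *n_out = 0 on error. */
struct stsc_entry *parse_stsc(const uint8_t *buf, size_t len, uint32_t *n_out) {
    *n_out = 0;
    if (len < 4) return NULL;
    uint32_t count = be32(buf);
    if (count == 0 || count > (len - 4) / STSC_ENTRY_SIZE) return NULL;
    struct stsc_entry *e = calloc(count, sizeof *e);
    if (!e) return NULL;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = buf + 4 + (size_t)i * STSC_ENTRY_SIZE;
        e[i].first_chunk = be32(p);
        e[i].samples_per_chunk = be32(p + 4);
        e[i].sample_desc_idx = be32(p + 8);
    }
    *n_out = count;
    return e;
}

/* Constructed inputs (not from a real file). bad_tbl declares 0x15555556 entries,
 * which times 12 wraps to 8 in 32-bit arithmetic, yet carries only 8 entry bytes. */
static const uint8_t good_tbl[] = { 0,0,0,2,  0,0,0,1, 0,0,0,4, 0,0,0,1,
                                    0,0,0,3, 0,0,0,2, 0,0,0,1 };
static const uint8_t bad_tbl[]  = { 0x15,0x55,0x55,0x56,  0,0,0,0, 0,0,0,0 };

/* Entries accepted from a table, 0 if the table was rejected. */
uint32_t accepted_entries(const uint8_t *buf, size_t len) {
    uint32_t n; struct stsc_entry *e = parse_stsc(buf, len, &n);
    free(e); return n;
}
uint32_t demo_good(void) { return accepted_entries(good_tbl, sizeof good_tbl); }
uint32_t demo_bad(void)  { return accepted_entries(bad_tbl, sizeof bad_tbl); }
```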