<html devsite>
<head>
<title>Android Security Bulletin—June 2017</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<p><em>Published June 5, 2017 | Updated August 17, 2017</em></p>
<p>The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of June 05, 2017 or later
address all of these issues. Refer to the <a
href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
and Nexus update schedule</a> to learn how to check a device's security patch
level.</p>
<p>Partners were notified of the issues described in the bulletin at least a
month ago. Source code patches for these issues will be released to the Android
Open Source Project (AOSP) repository and linked from this bulletin. This
bulletin also includes links to patches outside of AOSP.</p>
<p>The most severe of these issues is a critical security vulnerability in Media
Framework that could enable a remote attacker using a specially crafted file to
cause memory corruption during media file and data processing. The <a
href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are turned off for development purposes or if successfully bypassed.</p>
<p>We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the
<a href="#mitigations">Android and Google Play Protect mitigations</a>
section for details on the <a
href="/security/enhancements/index.html">Android
security platform protections</a> and <a
href="https://www.android.com/play-protect">Google Play Protect</a>,
which improve the security of the Android platform.</p>
<p>We encourage all customers to accept these updates to their devices.</p>
<p class="note"><strong>Note:</strong> Information on the latest over-the-air update (OTA) and
firmware images for Google devices is available in the <a
href="#google-device-updates">Google device updates</a> section.</p>
<h2 id="announcements">Announcements</h2>
<ul>
<li>We've streamlined the monthly security bulletin to make
it easier to read. As part of this update, vulnerability information is
categorized by affected component, sorted by component name within a
security patch level, and Google device-specific information
is hosted in a <a href="#google-device-updates">dedicated section</a>.</li>
<li>This bulletin has two security patch level strings to provide Android
partners with the flexibility to more quickly fix a subset of vulnerabilities
that are similar across all Android devices. See <a
href="#common-questions-and-answers">Common questions and answers</a> for
additional information:
<ul>
<li><strong>2017-06-01</strong>: Partial security patch level string. This
security patch level string indicates that all issues associated with 2017-06-01
(and all previous security patch level strings) are addressed.</li>
<li><strong>2017-06-05</strong>: Complete security patch level string. This
security patch level string indicates that all issues associated with 2017-06-01
and 2017-06-05 (and all previous security patch level strings) are
addressed.</li>
</ul>
</li>
</ul>
<h2 id="mitigations">Android and Google Play Protect mitigations</h2>
<p>This is a summary of the mitigations provided by the <a
href="/security/enhancements/index.html">Android
security platform</a> and service protections such as
<a href="https://www.android.com/play-protect">Google Play Protect</a>.
These capabilities reduce the likelihood that security
vulnerabilities could be successfully exploited on Android.</p>
<ul>
<li>Exploitation for many issues on Android is made more difficult by
enhancements in newer versions of the Android platform. We encourage all users
to update to the latest version of Android where possible.</li>
<li>The Android security team actively monitors for abuse through
<a href="https://www.android.com/play-protect">Google Play Protect</a>
and warns users about <a
href="/security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially
Harmful Applications</a>. Google Play Protect is enabled by default on devices
with <a href="http://www.android.com/gms">Google Mobile Services</a>, and is
especially important for users who install apps from outside of Google Play.</li>
</ul>
<h2 id="2017-06-01-details">2017-06-01 security patch level—Vulnerability details</h2>
<p>In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2017-06-01 patch level. Vulnerabilities are
grouped under the component that they affect. There is a description of the
issue and a table with the CVE, associated references, <a
href="#vulnerability-type">type of vulnerability</a>, <a
href="/security/overview/updates-resources.html#severity">severity</a>,
and updated AOSP versions (where applicable). When available, we link the public
change that addressed the issue to the bug ID, like the AOSP change list. When
multiple changes relate to a single bug, additional references are linked to
numbers following the bug ID.</p>
<h3 id="bluetooth">Bluetooth</h3>
<p>The most severe vulnerability in this section could enable a local malicious app
to access data outside of its permission levels.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Updated AOSP versions</th>
</tr>
<tr>
<td>CVE-2017-0645</td>
<td><a href="https://android.googlesource.com/platform/packages/apps/Bluetooth/+/14b7d7e1537af60b7bca6c7b9e55df0dc7c6bf41">A-35385327</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-0646</td>
<td><a href="https://android.googlesource.com/platform/system/bt/+/2bcdf8ec7db12c5651c004601901f1fc25153f2c">A-33899337</a></td>
<td>ID</td>
<td>Moderate</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
</table>
<h3 id="libraries">Libraries</h3>
<p>The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of an
unprivileged process.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Updated AOSP versions</th>
</tr>
<tr>
<td>CVE-2015-8871</td>
<td>A-35443562<a href="#asterisk">*</a></td>
<td>RCE</td>
<td>High</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
</tr>
<tr>
<td>CVE-2016-8332</td>
<td>A-37761553<a href="#asterisk">*</a></td>
<td>RCE</td>
<td>High</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
</tr>
<tr>
<td>CVE-2016-5131</td>
<td><a href="https://android.googlesource.com/platform/external/libxml2/+/0eff71008becb7f2c2b4509708da4b79985948bb">A-36554209</a></td>
<td>RCE</td>
<td>High</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2016-4658</td>
<td><a href="https://android.googlesource.com/platform/external/libxml2/+/8ea80f29ea5fdf383ee3ae59ce35e55421a339f8">A-36554207</a></td>
<td>RCE</td>
<td>High</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-0663</td>
<td><a href="https://android.googlesource.com/platform/external/libxml2/+/521b88fbb6d18312923f0df653d045384b500ffc">A-37104170</a></td>
<td>RCE</td>
<td>High</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-7376</td>
<td><a href="https://android.googlesource.com/platform/external/libxml2/+/51e0cb2e5ec18eaf6fb331bc573ff27b743898f4">A-36555370</a></td>
<td>RCE</td>
<td>High</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-5056</td>
<td><a href="https://android.googlesource.com/platform/external/libxml2/+/3f571b1bb85cf56903f06bab3a820182115c5541">A-36809819</a></td>
<td>RCE</td>
<td>Moderate</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-7375</td>
<td><a href="https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa">A-36556310</a></td>
<td>RCE</td>
<td>Moderate</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-0647</td>
<td><a href="https://android.googlesource.com/platform/system/core/+/3d6a43155c702bce0e7e2a93a67247b5ce3946a5">A-36392138</a></td>
<td>ID</td>
<td>Moderate</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2016-1839</td>
<td><a href="https://android.googlesource.com/platform/external/libxml2/+/ff20cd797822dba8569ee518c44e6864d6b4ebfa">A-36553781</a></td>
<td>DoS</td>
<td>Moderate</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
</table>
<h3 id="media-framework">Media framework</h3>
<p>The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to cause memory corruption during media file and
data processing.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Updated AOSP versions</th>
</tr>
<tr>
<td>CVE-2017-0637</td>
<td><a href="https://android.googlesource.com/platform/external/libhevc/+/ebaa71da6362c497310377df509651974401d258">A-34064500</a></td>
<td>RCE</td>
<td>Critical</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-0391</td>
<td><a href="https://android.googlesource.com/platform/external/libhevc/+/14bc1678a80af5be7401cf750ab762ae8c75cc5a">A-32322258</a></td>
<td>DoS</td>
<td>High</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-0640</td>
<td>A-33129467<a href="#asterisk">*</a></td>
<td>DoS</td>
<td>High</td>
<td>6.0, 6.0.1, 7.0, 7.1.1</td>
</tr>
<tr>
<td>CVE-2017-0641</td>
<td><a href="https://android.googlesource.com/platform/external/libvpx/+/698796fc930baecf5c3fdebef17e73d5d9a58bcb">A-34360591</a></td>
<td>DoS</td>
<td>High</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-0642</td>
<td><a href="https://android.googlesource.com/platform/external/libhevc/+/913d9e8d93d6b81bb8eac3fc2c1426651f5b259d">A-34819017</a></td>
<td>DoS</td>
<td>High</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
<tr>
<td>CVE-2017-0643</td>
<td>A-35645051<a href="#asterisk">*</a></td>
<td>DoS</td>
<td>High</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
</tr>
<tr>
<td>CVE-2017-0644</td>
<td>A-35472997<a href="#asterisk">*</a></td>
<td>DoS</td>
<td>High</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
</tr>
</table>
<h3 id="system-ui">System UI</h3>
<p>The most severe vulnerability in this section could enable an attacker using a
specially crafted file to execute arbitrary code within the context of an
unprivileged process.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Updated AOSP versions</th>
</tr>
<tr>
<td>CVE-2017-0638</td>
<td><a href="https://android.googlesource.com/platform/external/libgdx/+/a98943dd4aece3024f023f00256607d50dcbcd1e">A-36368305</a></td>
<td>RCE</td>
<td>High</td>
<td>7.1.1, 7.1.2</td>
</tr>
</table>
<h2 id="2017-06-05-details">2017-06-05
security patch level—Vulnerability details</h2>
<p>In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2017-06-05 patch level. Vulnerabilities are
grouped under the component that they affect and include details such as the
CVE, associated references, <a
href="#vulnerability-type">type of vulnerability</a>, <a
href="/security/overview/updates-resources.html#severity">severity</a>,
component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional references
are linked to numbers following the bug ID.</p>
<h3 id="kernel-components">Kernel components</h3>
<p>The most severe vulnerability in this section could enable a local malicious app
to execute arbitrary code within the context of the kernel.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Component</th>
</tr>
<tr>
<td>CVE-2017-0648</td>
<td>A-36101220<a href="#asterisk">*</a></td>
<td>EoP</td>
<td>High</td>
<td>FIQ debugger</td>
</tr>
<tr>
<td>CVE-2017-0651</td>
<td>A-35644815<a href="#asterisk">*</a></td>
<td>ID</td>
<td>Low</td>
<td>ION subsystem</td>
</tr>
</table>
<h3 id="libraries-05">Libraries</h3>
<p>The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to gain access to sensitive information.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Updated AOSP versions</th>
</tr>
<tr>
<td>CVE-2015-7995</td>
<td>A-36810065<a href="#asterisk">*</a></td>
<td>ID</td>
<td>Moderate</td>
<td>4.4.4</td>
</tr>
</table>
<h3 id="mediatek-components">MediaTek components</h3>
<p>The most severe vulnerability in this section could enable a local malicious app
to execute arbitrary code within the context of the kernel.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Component</th>
</tr>
<tr>
<td>CVE-2017-0636</td>
<td>A-35310230<a href="#asterisk">*</a><br>
M-ALPS03162263</td>
<td>EoP</td>
<td>High</td>
<td>Command queue driver</td>
</tr>
<tr>
<td>CVE-2017-0649</td>
<td>A-34468195<a href="#asterisk">*</a><br>
M-ALPS03162283</td>
<td>EoP</td>
<td>Moderate</td>
<td>Sound driver</td>
</tr>
</table>
<h3 id="nvidia-components">NVIDIA components</h3>
<p>The most severe vulnerability in this section could enable a local malicious app
to execute arbitrary code within the context of the kernel.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Component</th>
</tr>
<tr>
<td>CVE-2017-6247</td>
<td>A-34386301<a href="#asterisk">*</a><br>
N-CVE-2017-6247</td>
<td>EoP</td>
<td>High</td>
<td>Sound driver</td>
</tr>
<tr>
<td>CVE-2017-6248</td>
<td>A-34372667<a href="#asterisk">*</a><br>
N-CVE-2017-6248</td>
<td>EoP</td>
<td>Moderate</td>
<td>Sound driver</td>
</tr>
<tr>
<td>CVE-2017-6249</td>
<td>A-34373711<a href="#asterisk">*</a><br>
N-CVE-2017-6249</td>
<td>EoP</td>
<td>Moderate</td>
<td>Sound driver</td>
</tr>
</table>
<h3 id="qualcomm-components">Qualcomm components</h3>
<p>The most severe vulnerability in this section could enable a proximate attacker
to execute arbitrary code within the context of the kernel.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Component</th>
</tr>
<tr>
<td>CVE-2017-7371</td>
<td>A-36250786<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=e02e63b8014f7a0a5ea17a5196fb4ef1283fd1fd">QC-CR#1101054</a></td>
<td>RCE</td>
<td>Critical</td>
<td>Bluetooth driver</td>
</tr>
<tr>
<td>CVE-2017-7365</td>
<td>A-32449913<br>
<a href="https://source.codeaurora.org/quic/la//kernel/lk/commit/?id=da49bf21d1c19a6293d33c985066dc0273c476db">QC-CR#1017009</a></td>
<td>EoP</td>
<td>High</td>
<td>Bootloader</td>
</tr>
<tr>
<td>CVE-2017-7366</td>
<td>A-36252171<br>
<a
href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=f4c9ffd6cd7960265f38e285ac43cbecf2459e45">QC-CR#1036161</a>
[<a
href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7c4d5736d32f91f0cafe6cd86d00e26389970b00">2</a>]</td>
<td>EoP</td>
<td>High</td>
<td>GPU driver</td>
</tr>
<tr>
<td>CVE-2017-7367</td>
<td>A-34514708<br>
<a href="https://source.codeaurora.org/quic/la//kernel/lk/commit/?id=07174af1af48c60a41c7136f0c80ffdf4ccc0b57">QC-CR#1008421</a></td>
<td>DoS</td>
<td>High</td>
<td>Bootloader</td>
</tr>
<tr>
<td>CVE-2016-5861</td>
<td>A-36251375<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=cf3c97b8b6165f13810e530068fbf94b07f1f77d">QC-CR#1103510</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Video driver</td>
</tr>
<tr>
<td>CVE-2016-5864</td>
<td>A-36251231<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=cbc21ceb69cb7bca0643423a7ca982abce3ce50a">QC-CR#1105441</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Sound driver</td>
</tr>
<tr>
<td>CVE-2017-6421</td>
<td>A-36251986<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=be42c7ff1f0396484882451fd18f47144c8f1b6b">QC-CR#1110563</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>MStar touchscreen driver</td>
</tr>
<tr>
<td>CVE-2017-7364</td>
<td>A-36252179<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=3ce6c47d2142fcd2c4c1181afe08630aaae5a267">QC-CR#1113926</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Video driver</td>
</tr>
<tr>
<td>CVE-2017-7368</td>
<td>A-33452365<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=143ef972be1621458930ea3fc1def5ebce7b0c5d">QC-CR#1103085</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Sound driver</td>
</tr>
<tr>
<td>CVE-2017-7369</td>
<td>A-33751424<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=75ed08a822cf378ffed0d2f177d06555bd77a006">QC-CR#2009216</a>
[<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=ae8f1d5f60644983aba7fbab469d0e542a187c6e">2</a>]</td>
<td>EoP</td>
<td>Moderate</td>
<td>Sound driver</td>
</tr>
<tr>
<td>CVE-2017-7370</td>
<td>A-34328139<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=970edf007fbe64b094437541a42477d653802d85">QC-CR#2006159</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Video driver</td>
</tr>
<tr>
<td>CVE-2017-7372</td>
<td>A-36251497<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=1806be003731d6d4be55e5b940d14ab772839e13">QC-CR#1110068</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Video driver</td>
</tr>
<tr>
<td>CVE-2017-7373</td>
<td>A-36251984<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=e5eb0d3aa6fe62ee437a2269a1802b1a72f61b75">QC-CR#1090244</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Video driver</td>
</tr>
<tr>
<td>CVE-2017-8233</td>
<td>A-34621613<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=64b7bc25e019dd07e8042e0a6ec6dc6a1dd0c385">QC-CR#2004036</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Camera driver</td>
</tr>
<tr>
<td>CVE-2017-8234</td>
<td>A-36252121<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=6266f954a52641f550ef71653ea83c80bdd083be">QC-CR#832920</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Camera driver</td>
</tr>
<tr>
<td>CVE-2017-8235</td>
<td>A-36252376<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7e4424a1b5f6a6536066cca7aac2c3a23fd39f6f">QC-CR#1083323</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Camera driver</td>
</tr>
<tr>
<td>CVE-2017-8236</td>
<td>A-35047217<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=cf0d31bc3b04cf2db7737d36b11a5bf50af0c1db">QC-CR#2009606</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>IPA driver</td>
</tr>
<tr>
<td>CVE-2017-8237</td>
<td>A-36252377<br>
<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=342d16ac6fb01e304ec75344c693257e00628ecf">QC-CR#1110522</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Networking driver</td>
</tr>
<tr>
<td>CVE-2017-8242</td>
<td>A-34327981<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=6a3b8afdf97e77c0b64005b23fa6d32025d922e5">QC-CR#2009231</a></td>
<td>EoP</td>
<td>Moderate</td>
<td>Secure Execution Environment Communicator driver</td>
</tr>
<tr>
<td>CVE-2017-8239</td>
<td>A-36251230<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=01db0e012f86b8ba6974e5cb9905261a552a0610">QC-CR#1091603</a></td>
<td>ID</td>
<td>Moderate</td>
<td>Camera driver</td>
</tr>
<tr>
<td>CVE-2017-8240</td>
<td>A-36251985<br>
<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=22b8b6608174c1308208d5bc6c143f4998744547">QC-CR#856379</a></td>
<td>ID</td>
<td>Moderate</td>
<td>Pin controller driver</td>
</tr>
<tr>
<td>CVE-2017-8241</td>
<td>A-34203184<br>
<a href="https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=90213394b7efb28fa511b2eaebc1343ae3b54724">QC-CR#1069175</a></td>
<td>ID</td>
<td>Low</td>
<td>Wi-Fi driver</td>
</tr>
</table>
<h3 id="synaptics-components">Synaptics components</h3>
<p>The most severe vulnerability in this section could enable a local malicious app
to access data outside of its permission levels.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Component</th>
</tr>
<tr>
<td>CVE-2017-0650</td>
<td>A-35472278<a href="#asterisk">*</a></td>
<td>EoP</td>
<td>Low</td>
<td>Touchscreen driver</td>
</tr>
</table>
<h3 id="qualcomm-closed-source-components">Qualcomm closed-source
components</h3>
<p>These vulnerabilities affect Qualcomm components and are described in further
detail in Qualcomm AMSS security bulletins from 2014–2016. They are included in
this Android security bulletin to associate their fixes with an Android security
patch level. Fixes for these vulnerabilities are available directly from Qualcomm.</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Component</th>
</tr>
<tr>
<td>CVE-2014-9960</td>
<td>A-37280308<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9961</td>
<td>A-37279724<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9953</td>
<td>A-36714770<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9967</td>
<td>A-37281466<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9026</td>
<td>A-37277231<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9027</td>
<td>A-37279124<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9008</td>
<td>A-36384689<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9009</td>
<td>A-36393600<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9010</td>
<td>A-36393101<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9011</td>
<td>A-36714882<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9024</td>
<td>A-37265657<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9012</td>
<td>A-36384691<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9013</td>
<td>A-36393251<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9014</td>
<td>A-36393750<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9015</td>
<td>A-36714120<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9029</td>
<td>A-37276981<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10338</td>
<td>A-37277738<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10336</td>
<td>A-37278436<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10333</td>
<td>A-37280574<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10341</td>
<td>A-37281667<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10335</td>
<td>A-37282802<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10340</td>
<td>A-37280614<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10334</td>
<td>A-37280664<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10339</td>
<td>A-37280575<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10298</td>
<td>A-36393252<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10299</td>
<td>A-32577244<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>Critical</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9954</td>
<td>A-36388559<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9955</td>
<td>A-36384686<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9956</td>
<td>A-36389611<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9957</td>
<td>A-36387564<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9958</td>
<td>A-36384774<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9962</td>
<td>A-37275888<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9963</td>
<td>A-37276741<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9959</td>
<td>A-36383694<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9964</td>
<td>A-37280321<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9965</td>
<td>A-37278233<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2014-9966</td>
<td>A-37282854<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9023</td>
<td>A-37276138<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9020</td>
<td>A-37276742<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9021</td>
<td>A-37276743<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9025</td>
<td>A-37276744<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9022</td>
<td>A-37280226<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9028</td>
<td>A-37277982<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9031</td>
<td>A-37275889<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9032</td>
<td>A-37279125<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9033</td>
<td>A-37276139<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2015-9030</td>
<td>A-37282907<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10332</td>
<td>A-37282801<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10337</td>
<td>A-37280665<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
<tr>
<td>CVE-2016-10342</td>
<td>A-37281763<a href="#asterisk">*</a></td>
<td>N/A</td>
<td>High</td>
<td>Closed-source component</td>
</tr>
</table>
<h2 id="google-device-updates">Google device updates</h2>
<p>This table contains the security patch level in the latest over-the-air update
(OTA) and firmware images for Google devices. The Google device firmware images
are available on the <a
href="https://developers.google.com/android/nexus/images">Google Developer
site</a>.</p>
<table>
<col width="25%">
<col width="75%">
<tr>
<th>Google device</th>
<th>Security patch level</th>
</tr>
<tr>
<td>Pixel / Pixel XL</td>
<td>June 05, 2017</td>
</tr>
<tr>
<td>Nexus 5X</td>
<td>June 05, 2017</td>
</tr>
<tr>
<td>Nexus 6</td>
<td>June 05, 2017</td>
</tr>
<tr>
<td>Nexus 6P</td>
<td>June 05, 2017</td>
</tr>
<tr>
<td>Nexus 9</td>
<td>June 05, 2017</td>
</tr>
<tr>
<td>Nexus Player</td>
<td>June 05, 2017</td>
</tr>
<tr>
<td>Pixel C</td>
<td>June 05, 2017</td>
</tr>
</table>
<p>Google device updates also contain patches for these security
vulnerabilities, if applicable:</p>
<table>
<col width="17%">
<col width="19%">
<col width="9%">
<col width="14%">
<col width="39%">
<tr>
<th>CVE</th>
<th>References</th>
<th>Type</th>
<th>Severity</th>
<th>Updated AOSP versions</th>
</tr>
<tr>
<td>CVE-2017-0639</td>
<td><a href="https://android.googlesource.com/platform/packages/apps/Bluetooth/+/f196061addcc56878078e5684f2029ddbf7055ff">A-35310991</a></td>
<td>ID</td>
<td>High</td>
<td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
</tr>
</table>
<h2 id="acknowledgements">Acknowledgements</h2>
<p>We would like to thank these researchers for their contributions:</p>
<table>
<col width="17%">
<col width="83%">
<tr>
<th>CVEs</th>
<th>Researchers</th>
</tr>
<tr>
<td>CVE-2017-0643, CVE-2017-0641</td>
<td>Ecular Xu (徐健) of Trend Micro</td>
</tr>
<tr>
<td>CVE-2017-0645, CVE-2017-0639</td>
<td>En He (<a href="https://twitter.com/heeeeen4x">@heeeeen4x</a>) and Bo Liu
of <a href="http://www.ms509.com">MS509Team</a></td>
</tr>
<tr>
<td>CVE-2017-0649</td>
<td>Gengjia Chen (<a
href="https://twitter.com/chengjia4574">@chengjia4574</a>) and <a
href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360 Technology Co.
Ltd.</td>
</tr>
<tr>
<td>CVE-2017-0646</td>
<td>Godzheng (郑文选 -<a
href="https://twitter.com/VirtualSeekers">@VirtualSeekers</a>) of Tencent PC
Manager</td>
</tr>
<tr>
<td>CVE-2017-0636</td>
<td>Jake Corina (<a href="https://twitter.com/JakeCorina">@JakeCorina</a>) of
Shellphish Grill Team</td>
</tr>
<tr>
<td>CVE-2017-8233</td>
<td>Jianqiang Zhao (<a
href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) and <a
href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360</td>
</tr>
<tr>
<td>CVE-2017-7368</td>
<td>Lubo Zhang (<a
href="mailto:zlbzlb815@163.com">zlbzlb815@163.com</a>), Yuan-Tsung Lo (<a
href="mailto:computernik@gmail.com">computernik@gmail.com</a>), and Xuxian Jiang
of <a href="http://c0reteam.org">C0RE Team</a></td>
</tr>
<tr>
<td>CVE-2017-8242</td>
<td>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>) of
Tesla's Product Security Team</td>
</tr>
<tr>
<td>CVE-2017-0650</td>
<td>Omer Shwartz, Amir Cohen, Dr. Asaf Shabtai, and Dr. Yossi Oren of Ben
Gurion University Cyber Lab</td>
</tr>
<tr>
<td>CVE-2017-0648</td>
<td>Roee Hay (<a href="https://twitter.com/roeehay">@roeehay</a>) of <a
href="https://alephsecurity.com/">Aleph Research</a>, HCL Technologies</td>
</tr>
<tr>
<td>CVE-2017-7369, CVE-2017-6249, CVE-2017-6247, CVE-2017-6248</td>
<td>sevenshen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>)
of Trend Micro</td>
</tr>
<tr>
<td>CVE-2017-0642, CVE-2017-0637, CVE-2017-0638</td>
<td>Vasily Vasiliev</td>
</tr>
<tr>
<td>CVE-2017-0640</td>
<td>V.E.O (<a href="https://twitter.com/vysea">@VYSEa</a>) of <a
href="http://blog.trendmicro.com/trendlabs-security-intelligence/category/mobile/">Mobile
Threat Response Team</a>, <a href="http://www.trendmicro.com">Trend Micro</a></td>
</tr>
<tr>
<td>CVE-2017-8236</td>
<td>Xiling Gong of Tencent Security Platform Department</td>
</tr>
<tr>
<td>CVE-2017-0647</td>
<td>Yangkang (<a href="https://twitter.com/dnpushme">@dnpushme</a>) and
Liyadong of Qex Team, Qihoo 360</td>
</tr>
<tr>
<td>CVE-2017-7370</td>
<td>Yonggang Guo (<a href="https://twitter.com/guoygang">@guoygang</a>) of
IceSword Lab, Qihoo 360 Technology Co. Ltd</td>
</tr>
<tr>
<td>CVE-2017-0651</td>
<td>Yuan-Tsung Lo (<a
href="mailto:computernik@gmail.com">computernik@gmail.com</a>) and Xuxian Jiang
of <a href="http://c0reteam.org">C0RE Team</a></td>
</tr>
<tr>
<td>CVE-2017-8241</td>
<td>Zubin Mithra of Google</td>
</tr>
</table>
<h2 id="common-questions-and-answers">Common questions and answers</h2>
<p>This section answers common questions that may occur after reading this
bulletin.</p>
<p><strong>1. How do I determine if my device is updated to address these issues?
</strong></p>
<p>To learn how to check a device's security patch level, read the instructions on
the <a
href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
and Nexus update schedule</a>.</p>
<ul>
<li>Security patch levels of 2017-06-01 or later address all issues associated
with the 2017-06-01 security patch level.</li>
<li>Security patch levels of 2017-06-05 or later address all issues associated
with the 2017-06-05 security patch level and all previous patch levels.</li></ul>
<p>Device manufacturers that include these updates should set the patch string
level to:</p>
<ul>
<li>[ro.build.version.security_patch]:[2017-06-01]</li>
<li>[ro.build.version.security_patch]:[2017-06-05]</li></ul>
<p><strong>2. Why does this bulletin have two security patch levels?</strong></p>
<p>This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.</p>
<ul>
<li>Devices that use the June 01, 2017 security patch level must include all
issues associated with that security patch level, as well as fixes for all
issues reported in previous security bulletins.</li>
<li>Devices that use the security patch level of June 05, 2017 or newer must
include all applicable patches in this (and previous) security
bulletins.</li></ul>
<p>Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.</p>
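<p>The patch-level rules from questions 1 and 2, as an added example that is not
part of the original bulletin: a shell check that reads a
<code>ro.build.version.security_patch</code> value and reports which of this
bulletin's two patch levels the device meets. The function names, output labels
and sample inventory are assumptions made for the example.</p>

```shell
#!/bin/sh
# Added example: classify a device against this bulletin's two patch levels.
# Accepts a bare date (2017-06-05) or a property line as written in the
# bulletin, [ro.build.version.security_patch]:[2017-06-05].

PARTIAL_LEVEL=20170601   # 2017-06-01 security patch level
COMPLETE_LEVEL=20170605  # 2017-06-05 security patch level
KEY='[ro.build.version.security_patch]:'

# Print YYYY-MM-DD taken from the input, or return 1 if it is malformed.
extract_patch_date() {
    value=$1
    case $value in
        "$KEY"*)
            value=${value#"$KEY"}
            value=${value#" "}    # getprop listings put a space after the colon
            value=${value#"["}
            value=${value%"]"}
            ;;
    esac
    case $value in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$value" ;;
        *) return 1 ;;
    esac
}

# Print the highest patch level of this bulletin that the device meets.
classify_patch_level() {
    patch_date=$(extract_patch_date "$1") || { echo invalid; return 2; }
    num=$(printf '%s' "$patch_date" | tr -d '-')   # ISO date -> comparable integer
    if [ "$num" -ge "$COMPLETE_LEVEL" ]; then
        echo 2017-06-05    # all issues in this and previous patch levels
    elif [ "$num" -ge "$PARTIAL_LEVEL" ]; then
        echo 2017-06-01    # only the issues tied to the 2017-06-01 level
    else
        echo none          # predates both levels in this bulletin
    fi
}

# Constructed sample inventory (label, then property line); not real devices.
while read -r device prop; do
    printf '%s %s\n' "$device" "$(classify_patch_level "$prop")"
done <<'EOF'
device-a [ro.build.version.security_patch]:[2017-06-05]
device-b [ro.build.version.security_patch]: [2017-06-01]
device-c [ro.build.version.security_patch]:[2017-05-05]
device-d [ro.build.version.security_patch]:[unknown]
EOF
```

<p>The property is a string set by the device build, so the result reflects the
patch level the device declares.</p>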
<p id="vulnerability-type"><strong>3. What do the entries in the <em>Type</em> column mean?</strong></p>
<p>Entries in the <em>Type</em> column of the vulnerability details table reference
the classification of the security vulnerability.</p>
<table>
<col width="25%">
<col width="75%">
<tr>
<th>Abbreviation</th>
<th>Definition</th>
</tr>
<tr>
<td>RCE</td>
<td>Remote code execution</td>
</tr>
<tr>
<td>EoP</td>
<td>Elevation of privilege</td>
</tr>
<tr>
<td>ID</td>
<td>Information disclosure</td>
</tr>
<tr>
<td>DoS</td>
<td>Denial of service</td>
</tr>
<tr>
<td>N/A</td>
<td>Classification not available</td>
</tr>
</table>
<p><strong>4. What do the entries in the <em>References</em> column mean?</strong></p>
<p>Entries under the <em>References</em> column of the vulnerability details table
may contain a prefix identifying the organization to which the reference value
belongs.</p>
<table>
<col width="25%">
<col width="75%">
<tr>
<th>Prefix</th>
<th>Reference</th>
</tr>
<tr>
<td>A-</td>
<td>Android bug ID</td>
</tr>
<tr>
<td>QC-</td>
<td>Qualcomm reference number</td>
</tr>
<tr>
<td>M-</td>
<td>MediaTek reference number</td>
</tr>
<tr>
<td>N-</td>
<td>NVIDIA reference number</td>
</tr>
<tr>
<td>B-</td>
<td>Broadcom reference number</td>
</tr>
</table>
<p id="asterisk"><strong>5. What does a <a href="#asterisk">*</a> next to the Android bug ID in the <em>References</em>
column mean?</strong></p>
<p>Issues that are not publicly available have a <a href="#asterisk">*</a> next to the Android bug ID in
the <em>References</em> column. The update for that issue is generally contained
in the latest binary drivers for Nexus devices available from the <a
href="https://developers.google.com/android/nexus/drivers">Google Developer
site</a>.</p>
<h2 id="versions">Versions</h2>
<table>
<col width="25%">
<col width="25%">
<col width="50%">
<tr>
<th>Version</th>
<th>Date</th>
<th>Notes</th>
</tr>
<tr>
<td>1.0</td>
<td>June 5, 2017</td>
<td>Bulletin published.</td>
</tr>
<tr>
<td>1.1</td>
<td>June 7, 2017</td>
<td>Bulletin revised to include AOSP links.</td>
</tr>
<tr>
<td>1.2</td>
<td>July 11, 2017</td>
<td>Bulletin revised to include CVE-2017-6249.</td>
</tr>
<tr>
<td>1.3</td>
<td>August 17, 2017</td>
<td>Bulletin revised to update reference numbers.</td>
</tr>
</table>
</body>
</html>