Metric | Value |
---|---|
CVSS2 score | 10 High |
CVSS2 vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
EPSS score | 0.954 High |
EPSS percentile | 99.4% |
Integer overflow in the SampleTable::setSampleToChunkParams function in
SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows
remote attackers to execute arbitrary code via crafted atoms in MP4 data
that trigger an unchecked multiplication, aka internal bug 20139950, a
related issue to CVE-2015-4496.
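The description attributes the bug to an unchecked multiplication on an attacker-controlled count from an MP4 atom. The following is an added illustration of that bug class and its fix, written for this page; it is not libstagefright code, and the atom layout, function names and sample payloads are constructed assumptions. It shows the wrapping 32-bit product beside a version that rejects the overflow and also refuses a count the atom payload cannot physically hold.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the bug class in the description: an allocation
 * size derived from an attacker-controlled entry count. Names and layout are
 * hypothetical and are NOT libstagefright's code. An 'stsc' (sample-to-chunk)
 * atom carries a 32-bit entry count followed by 12-byte entries. */
#define STSC_ENTRY_SIZE 12u

/* Vulnerable pattern: the 32-bit product wraps, so a huge count yields a tiny
 * size. A later loop bounded by `count` then writes past the undersized buffer. */
static uint32_t unchecked_table_bytes(uint32_t count) {
    return count * STSC_ENTRY_SIZE;   /* unsigned wrap-around: 0x15555556 * 12 == 8 */
}

/* Hardened pattern: refuse the product if it would wrap, and refuse a count the
 * atom payload cannot actually contain. Returns -1 on rejection.
 * __builtin_mul_overflow is a GCC/Clang builtin. */
static int64_t checked_table_bytes(uint32_t count, size_t payload_len) {
    uint32_t bytes;
    if (__builtin_mul_overflow(count, STSC_ENTRY_SIZE, &bytes))
        return -1;                    /* multiplication would overflow uint32_t */
    if (bytes > payload_len)
        return -1;                    /* claimed entries exceed bytes present */
    return (int64_t)bytes;
}

/* Read a big-endian uint32, the byte order MP4 atoms use. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate an stsc payload: version/flags (4 bytes), entry_count (4 bytes),
 * then the entries. Returns the validated table size in bytes, or -1. */
static int64_t validate_stsc_payload(const uint8_t *payload, size_t len) {
    if (len < 8)
        return -1;                    /* header itself is truncated */
    uint32_t count = be32(payload + 4);
    return checked_table_bytes(count, len - 8);
}

/* Constructed sample payloads (not real-world data). */
static const uint8_t kBenignStsc[8 + 2 * 12] = {
    0, 0, 0, 0,                           /* version + flags */
    0, 0, 0, 2,                           /* entry_count = 2 */
    0, 0, 0, 1, 0, 0, 0, 5, 0, 0, 0, 1,   /* entry 0 */
    0, 0, 0, 3, 0, 0, 0, 2, 0, 0, 0, 1,   /* entry 1 */
};

static const uint8_t kOverflowingStsc[8] = {
    0, 0, 0, 0,                           /* version + flags */
    0x15, 0x55, 0x55, 0x56,               /* entry_count whose 12x product wraps to 8 */
};
```

The second check matters as much as the overflow test: even a count that does not wrap can exceed what the atom carries, and bounding it by the payload length keeps the later parsing loop inside the bytes that were actually read.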
Author: jdstrand

Note:

- there are limited public details on the issue and these will not be disclosed until BlackHat/DEFCON next month. Will use this CVE for all information until details are published
- the following patches are the likely fixes (12.1):
  - http://review.cyanogenmod.org/#/c/102619/ (code not present, requires edd4a76eb4747bd19ed122df46fa46b452c12a0d)
  - http://review.cyanogenmod.org/#/c/102620/ (ebf0d0940f7f42b220b19d3baaee7efb4c6b787d)
  - http://review.cyanogenmod.org/#/c/102623/ (4a39c150327e080072d5f8e4239c6bbbbabd48d8)
  - http://review.cyanogenmod.org/#/c/103266/ (7ff5505d36b1cfd8b03497e0fb5aa24b5b099e45)
  - http://review.cyanogenmod.org/#/c/103267/ (b1f29294f1a5831eb52a81d3ee082a9475f6e879)
  - http://review.cyanogenmod.org/#/c/103268/ (889ae4ad7227c395615d03b24a1667caa162c75f)
  - http://review.cyanogenmod.org/#/c/103269/ (9824bfd6eec1daa93cf76b6f4199602fe35f1d9d, code not present on 15.04/15.10)
  - http://review.cyanogenmod.org/#/c/103270/ (57db9b42418b434751f609ac7e5539367e9f01a6, code not present on 15.04/15.10)
- the attack appears to be: if an application opens a specially crafted MPEG4 file, an attacker could cause an application crash or execute arbitrary code by accessing out of bounds memory. In the case of Android, the video could be texted to the victim's number and the system will automatically start processing the video by examining the video's container and metadata
- Ubuntu's 'android' package is based on Cyanogenmod 12.0
- Ubuntu 14.04 'android' package is affected but no supported images use it
- all patches (ESDS, SampleTable and MPEG4Extractor) are for MPEG-4 processing
- media-hub will typically process MPEG4 files for the system and it uses gst-plugins-bad which uses media_codec_* from libhybris, but libhybris doesn't expose the affected stagefright code (confirmed with jhodapp and rsalveti). Therefore, the specific attack of texting a crafted video will not work
- services and well-behaved Ubuntu Store apps may access the stagefright library via libhybris, but libhybris doesn't expose the affected code so these services and apps are not affected
- malicious Ubuntu Store apps could access the stagefright library but are otherwise isolated by the app-specific AppArmor profiles
- malicious Ubuntu Store apps could access one of the binder services in the container via /dev/binder but none of them use stagefright (the services are: healthd, servicemanager, rild, drmserver, camera_service and sensorservice, all confirmed via their respective Android.mk files to not link stagefright)
- based on the above, adjust priority to 'negligible'
review.cyanogenmod.org/#/q/status:merged+project:CyanogenMod/android_frameworks_av+branch:cm-12.0
review.cyanogenmod.org/#/q/status:merged+project:CyanogenMod/android_frameworks_av+branch:cm-12.1
launchpad.net/bugs/cve/CVE-2015-1538
nvd.nist.gov/vuln/detail/CVE-2015-1538
plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8
security-tracker.debian.org/tracker/CVE-2015-1538
wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Stagefright
www.cve.org/CVERecord?id=CVE-2015-1538