AUSCERT External Security Bulletin Redistribution
BlackBerry powered by Android Security Bulletin - August 2017
15 August 2017
AusCERT Security Bulletin Summary
Operating System: BlackBerry Device
Impact/Access: Root Compromise -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
CVE Names: CVE-2017-9694 CVE-2017-9693 CVE-2017-9691
CVE-2017-9684 CVE-2017-9682 CVE-2017-9681
CVE-2017-9680 CVE-2017-9679 CVE-2017-9678
CVE-2017-0751 CVE-2017-0750 CVE-2017-0749
CVE-2017-0748 CVE-2017-0747 CVE-2017-0746
CVE-2017-0745 CVE-2017-0740 CVE-2017-0739
CVE-2017-0738 CVE-2017-0737 CVE-2017-0736
CVE-2017-0735 CVE-2017-0734 CVE-2017-0733
CVE-2017-0732 CVE-2017-0731 CVE-2017-0730
CVE-2017-0729 CVE-2017-0728 CVE-2017-0726
CVE-2017-0724 CVE-2017-0723 CVE-2017-0722
CVE-2017-0721 CVE-2017-0720 CVE-2017-0719
CVE-2017-0718 CVE-2017-0716 CVE-2017-0715
CVE-2017-0714 CVE-2017-0713 CVE-2017-0712
--------------------------BEGIN INCLUDED TEXT--------------------
BlackBerry powered by Android Security Bulletin - August 2017
Article Number: 000045309
First Published: August 14, 2017
Last Modified: August 14, 2017
Type: Security Bulletin
Purpose of this Bulletin
BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones.
We recommend users update to the latest available software build.
BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes;
see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin
(August 2017) and addresses issues in that bulletin that affect BlackBerry powered by Android smartphones.
Vulnerabilities Fixed in this Update
The following vulnerabilities have been remediated in this update:
Each entry below gives the summary (affected component), the CVE, and the description.

Elevation of Privilege in WiFi (CVE-2017-0712): In the Wi-Fi service, a copy into a stack structure is not checked for length before the operation is performed.

Remote Code Execution in Sfntly (CVE-2017-0713): In the sfntly library used by libskia, a malformed font file could achieve privilege escalation due to an out-of-bounds read and probable write.

Remote Code Execution in Mediaserver (CVE-2017-0714): There is a missing bounds check in the GetMBHeader() function of the h263 decoder that could lead to a heap memory overflow. Exploitation of this by a malicious MP4 file could lead to memory corruption and code execution in a privileged process.

Remote Code Execution in Mediaserver (CVE-2017-0715): In decoder/ih264d_utils.c in ih264d_allocate_dynamic_bufs (of libavc), there is an out-of-bounds write issue, which could lead to remote arbitrary code execution.

Remote Code Execution in Mediaserver (CVE-2017-0716): In decoder/impeg2d_vld.c in impeg2d_vld_decode (of libmpeg2), a missing bounds check can cause a heap buffer overflow that could lead to remote arbitrary code execution in a privileged process.

Remote Code Execution in Mediaserver (CVE-2017-0718): In the mpeg2 decoder, reading a different vertical slice than the one at the current decode position could result in an invalid calculation of the amount of data remaining.

Remote Code Execution in Mediaserver (CVE-2017-0719): In the mpeg2 decoder, an invalid picture structure could cause an out-of-bounds write, which could lead to memory corruption and code execution in a privileged process.

Remote Code Execution in Mediaserver (CVE-2017-0720): In decoder/ihevcd_parse_slice.c (of libhevc), a potential memory corruption could occur, leading to remote arbitrary code execution.

Remote Code Execution in Mediaserver (CVE-2017-0721): In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height. Parsing a malicious media file could lead to a clip dimension change, which could lead to an out-of-bounds write leading to remote arbitrary code execution.

Remote Code Execution in Mediaserver (CVE-2017-0722): In the h263 decoder, a malformed mpeg4 file could lead to an out-of-bounds write in a privileged process due to a size mismatch between the frame header and the frame body.

Remote Code Execution in Mediaserver (CVE-2017-0723): In decoder/ih264d_format_conv.c in ih264d_fmt_conv_420sp_to_420sp (of libavc), a heap buffer overflow could occur due to an unchecked num_rows in the memcpy, which could lead to remote arbitrary code execution in a privileged process.

Remote Code Execution in Mediaserver (CVE-2017-0745): In m4v_h263/dec/src/vop.cpp in DecodeShortHeader (of libstagefright), there is no check that the height and width are less than the total video size.

Denial of Service in Mediaserver (CVE-2017-0724): In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height.

Denial of Service in Mediaserver (CVE-2017-0726): In libstagefright/MPEG4Extractor.cpp in MPEG4Extractor::parseMetaData (of libstagefright), a memory leak could lead to resource exhaustion, which could lead to a remote temporary denial of service.

Denial of Service in (CVE-2017-0728): In the hevc software decoder, a malformed mpeg4 file could result in a null pointer dereference.

Elevation of Privilege in (CVE-2017-0729): There is a possible integer overflow in the clearkey plugin for the MediaDrmServer process.

Denial of Service in (CVE-2017-0730): In the h264 decoder, a malformed mpeg4 file could cause a crash.

Elevation of Privilege in Mediaserver (CVE-2017-0731): In the mpeg4 encoder, an app could set a zero width or height parameter, causing a bad allocation, but change the width or height later. When the encoder is cleaned up, the wrong address is freed, which could lead to memory corruption and code execution.

Elevation of Privilege in Mediaserver (CVE-2017-0732): There is a vulnerability in mediaserver where an application could cause a hang in a mediaserver thread creating a graphics buffer. Another thread attempting to use that buffer could cause the reference count to be decremented and the buffer freed. When the creating thread resumes, it uses the buffer that has already been freed, which could lead to memory corruption and code execution.

Denial of Service in Mediaserver (CVE-2017-0733): In NuPlayerDecoder (of libmediaplayerservice), when processing bad input data, a CHECK abort could lead to a remote temporary denial of service.

Denial of Service in Mediaserver (CVE-2017-0734): In decoder/ih264d_dpb_mgr.c in ih264d_delete_st_node_or_make_lt (of libavc), a null pointer dereference could lead to a remote temporary denial of service.

Denial of Service in Mediaserver (CVE-2017-0735): In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc), crafted media could cause an infinite loop due to improper input validation when changing resolutions, which could lead to a remote temporary denial of service.

Denial of Service in Mediaserver (CVE-2017-0736): In decoder/ih264d_parse_headers.c in ih264d_parse_nal_unit (of libavc), crafted media could lead to an infinite loop due to missing input validation, which could lead to a remote temporary denial

Denial of Service in Mediaserver (CVE-2017-0687): In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc), improper input validation could lead to a remote temporary denial of service when the media stream changes resolution.

Elevation of Privilege in Mediaserver (CVE-2017-0737): In libgui.so, a missing bounds check could lead to an arbitrary write in a privileged process, which could lead to an elevation of privilege.

Information Disclosure in Mediaserver (CVE-2017-0738): Inside audioserver, the parameters of the equalizer Effect_command are not properly checked and could cause an out-of-bounds read leading to information disclosure.

Information Disclosure in Mediaserver (CVE-2017-0739): In decoder/ihevcd_nal.c in ihevcd_nal_remv_emuln_bytes (of libhevc), an out-of-bounds read could lead to information disclosure.

Remote Code Execution in Broadcom WiFi (CVE-2017-0740): After the patch for CVE-2016-0802 (ANDROID-25306181), if a device had updated the kernel but not the bcm4354 firmware, there were still possible out-of-bounds memory writes if the chip sent an ETHER_TYPE_BRCM packet to the host with a malformed length.

Elevation of Privilege in Kernel File System (CVE-2017-0750): Unvalidated input parameters in the F2FS module could allow for kernel memory corruption, which could result in arbitrary code execution in the TCB.

Elevation of Privilege in Kernel (CVE-2017-0749): In msm/kernel/trace/trace.c, there is insufficient locking when accessing savedcmd that could result in a use after free, leading to escalation of privilege.

Elevation of Privilege in Qualcomm IPA Driver (CVE-2017-0746): An integer overflow in the reference counter variables in the ipa driver could cause a potential use after free, leading to elevation of privilege.

Elevation of Privilege in (CVE-2017-0747): The qseecomd process has CAP_SYS_ADMIN and CAP_NET_RAW capabilities which are not necessary.

Elevation of Privilege in Qualcomm Video Driver (CVE-2017-9678): In the /dev/graphics/fb0 driver when running a 32-bit kernel, there is an out-of-bounds write that could lead to escalation of privilege.

Elevation of Privilege in Qualcomm MobiCore Driver (CVE-2017-9691): Reading from /sys/kernel/debug/trustonic_tee/info, on devices where it exists, could lead to an escalation of privilege due to insufficient locking.

Elevation of Privilege in Qualcomm USB Driver (CVE-2017-9684): In rndis_qc_bind_config_vendor and related functions, access to the _rndis_qc variable is not protected by a lock. There is a possible use after free vulnerability that could lead to escalation

Information Disclosure in Qualcomm GPU Driver (CVE-2017-9682): Improper locking causes a use after free issue in the kgsl device, which could lead to information disclosure.

Information Disclosure in Qualcomm SoC Driver (CVE-2017-9679): In the qbt1000 driver, a user space string is copied into a local buffer without ensuring that it is properly NULL terminated.

Information Disclosure in Qualcomm SoC Driver (CVE-2017-9680): Uninitialized variables in the qbt1000 driver could lead to information disclosure.

Information Disclosure in Qualcomm Audio Driver (CVE-2017-0748): In the audio driver, a missing return value check together with an uninitialized local variable could lead to information disclosure.

Information Disclosure in Qualcomm Radio Driver (CVE-2017-9681): The function iris_vidioc_s_ext_ctrls directly dereferences a user-passed pointer as a string, which could lead to information disclosure.

Information Disclosure in Qualcomm Networking Driver (CVE-2017-9693): In __wlan_hdd_change_station, the length of params->ext_capab has insufficient checks, which could lead to information disclosure due to an out-of-bounds read.

Information Disclosure in Qualcomm Networking Driver (CVE-2017-9694): In __wlan_hdd_cfg80211_extscan_set_bssid_hotlist, the policy used to enforce the size of the attributes for nla_parse does not include an entry for QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE, which could lead to a possible out-of-bounds read and information disclosure.

Elevation of Privilege in Qualcomm QCE Driver (CVE-2017-0751): Multiple IOCTLs within the QCE driver use a non-validated field provided by the user.
BlackBerry is making an updated software version available for BlackBerry powered by Android smartphones
that have been purchased from ShopBlackBerry.com. Updated software builds may also be available
from other retailers or carriers, dependent on their deployment schedules.
To identify an up-to-date software build, navigate to the Settings > About Phone menu and look for the following Android security patch level:
August 5, 2017 or later
If your BlackBerry powered by Android smartphone does not have an up-to-date software build available,
please contact your retailer or carrier directly for security maintenance release availability information.
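As an added example (not part of the BlackBerry or AusCERT bulletin), the following POSIX shell script automates the patch-level check described above for devices reachable over adb, comparing the reported level against the August 5, 2017 minimum. It assumes the standard Android property ro.build.version.security_patch, which reports the level as YYYY-MM-DD.

```shell
#!/bin/sh
# Added example, not from the BlackBerry/AusCERT bulletin: verify that a
# BlackBerry powered by Android device carries the August 2017 fixes by
# checking its Android security patch level against the bulletin's minimum.
# Assumption: the device exposes the standard property
# ro.build.version.security_patch, formatted YYYY-MM-DD.

REQUIRED_PATCH_LEVEL="2017-08-05"

# patch_level_ok LEVEL [REQUIRED]
# Returns 0 when LEVEL is on or after REQUIRED (default: the bulletin's
# date), 1 otherwise. The format is validated first so that an empty or
# malformed property value is reported as out of date instead of slipping
# through an accidental string comparison.
patch_level_ok() {
    level="$1"
    required="${2:-$REQUIRED_PATCH_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Drop the dashes and compare as integers (YYYYMMDD); this orders
    # dates correctly and only needs POSIX test(1).
    lvl=$(printf '%s' "$level" | sed 's/-//g')
    req=$(printf '%s' "$required" | sed 's/-//g')
    [ "$lvl" -ge "$req" ]
}

# check_device: read the property from a USB-connected device via adb and
# report the result; returns 1 if the device is behind the required level.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; call patch_level_ok with a level instead" >&2
        return 2
    fi
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    if patch_level_ok "$level"; then
        echo "OK: security patch level $level meets $REQUIRED_PATCH_LEVEL"
    else
        echo "OUT OF DATE: patch level '$level' is older than $REQUIRED_PATCH_LEVEL" >&2
        return 1
    fi
}

# Query the device only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run it as "sh check_patch_level.sh --device" with one device attached; a non-zero exit status means the build predates the bulletin's fixes.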
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.