BlackBerry have promised to deliver security patches on a monthly basis for their Android smartphones and so far they are keeping good on that promise.
The company has today rolled out the July 2017 Android Security update to BlackBerry Android devices.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.
The following vulnerabilities have been remediated in this update:
| Summary | Description | CVE | ||
| Remote Code Execution in Android Runtime | An app using the Java XML parser or which uses the UrlConnection Java class can be sent injected FTP commands to execute on an arbitrary server. | CVE-2017-3544 | ||
| Elevation of Privilege in Android Framework | An AccessibilityNodeInfo object inside a Bundle can be constructed such that, when a Parcelable is passed to another process, the second process can unparcel it and reparcel it incorrectly. The Parcelable can then be sent to a third process, possibly bypassing permission checks. | CVE-2017-0664 | ||
| Elevation of Privilege in Android Framework | In libs/gui/Surface.cpp, there is no bound on the index used to call gbuf on mSlots.buffer, this can allow an OOB heap write in SurfaceFlinger which can enable a local malicious application to execute arbitrary code in the context of a privileged process. | CVE-2017-0665 | ||
| Elevation of Privilege in Android Framework | In libs/ui/Fence.cpp a bad size check in Fence::unflatten can cause an integer underflow which can lead to a OOB write which could enable a local malicious application to execute arbitrary code in the context of a privileged process. | CVE-2017-0666 | ||
| Elevation of Privilege in Android Framework | The attachBuffer() call in the camera server does not check that an index is in range before writing to the mSlots array. | CVE-2017-0667 | ||
| Information Disclosure in Android Framework | When an app is uninstalled, the download manager does not immediately delete the files owned by that app. If the system is reset before the files are deleted, a newly installed app may gain access to files downloaded by a previously installed app. | CVE-2017-0668 | ||
| Information Disclosure in Android Framework | On a device with multiple login users, the generic ContentProvider does not check which user owns files at given paths on the SD card. One user can use the ContentProvider to read media or files owned by other users. | CVE-2017-0669 | ||
| Denial of Service in Android Framework | A memory leak in bionic results in a few hundred bytes leaking for every dlopen/dlclose pair. In a process like mediacodec that repeatedly calls dlopen/dlclose the codec libraries, this can result in a substantial memory leak which may eventually lead to a DOS. | CVE-2017-0670 | ||
| Denial of Service in ASN.1 Parsing | A bad ASN.1 packet could request allocation of large amounts of memory, causing a remote denial of service by resource exhaustion. | CVE-2016-2109 | ||
| Remote Code Execution in Mediaserver | In lihevc in the ihevcd_cabac_decode_bypass_bins_egk function, ps_bitstrm can overflow and several members of ps_bitstrm are passed to BIT_GET which leads to an out-of-bounds write and possible code execution. | CVE-2017-0540 | ||
| Remote Code Execution in Mediaserver | There is a heap buffer overflow in decoder/ih264d_parse_pslice.c (of libavc) in the function ih264d_get_mbaff_neighbours that can lead to an out-of-bounds write because the ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic but the old value is used afterwards. | CVE-2017-0673 | ||
| Elevation of Privilege in Mediaserver | In the impeg2_mc_fullx_fully_8x8_sse42 function, there is a missing bounds check on a memory write, leading to a possible escalation of privilege in a privileged process. | CVE-2017-0674 | ||
| Remote Code Execution in Mediaserver | There is a possible out-of-bounds write in libhevc, resulting in possible remote arbitrary code execution in mediaserver. | CVE-2017-0675 | ||
| Remote Code Execution in Mediaserver | A heap buffer overflow in the ihevcd_parse_pic_init function in libhevc could allow an attacker to write to memory in media.codec. | CVE-2017-0676 | ||
| Remote Code Execution in Mediaserver | In decoder/ih264d_process_bslice.c (of libavc), because the first picture in list1 could still be invalid, a use-after-free can occur in ih264d_one_to_one which can lead to remote arbitrary code execution in the context of a privileged process. | CVE-2017-0677 | ||
| Remote Code Execution in Mediaserver | In function ih264d_get_implicit_weights there is an OOB write into the pu4_wt_mat buffer which can lead to remote code execution through memory corruption. | CVE-2017-0679 | ||
| Remote Code Execution in Mediaserver | In decoder/ih264d_mb_utils.c (of libavc) if there is an odd number of macroblocks in Mbaff frames, the MbParams is miscalculated leading to an OOB write which can lead to remote arbitrary code execution in the context of a privileged process. | CVE-2017-0680 | ||
| Remote Code Execution in Tremolo | In the Tremolo library (used for Ogg Vorbis), because char types are treated as signed on some platforms (x86) and unsigned on others (ARM), the sign extension for several checks in mapping_info_unpack can result in checks against negative values, when they were intended to be positive values. | CVE-2017-0681 | ||
| Elevation of Privilege in SoftAVC encoder | In the SoftAVC encoder, there is a possible out-of-bounds write if setParameter is called to change the width and height after buffers have been allocated. | CVE-2017-0684 | ||
| Denial of Service in Mediaserver | In Android M, there is a race condition in impeg2d_process_video_bit_stream and impeg2d_dec_frm where the number of bytes consumed was not being incremented, leading to an endless loop, causing a remote denial of service in mediaserver. | CVE-2017-0685 | ||
| Denial of Service in Mediaserver | In Android M, there is a null pointer dereference in impeg2_mc_fullx_fully_8x8_sse42 leading to a remote denial of service in mediaserver. | CVE-2017-0686 | ||
| Denial of Service in Mediaserver | A dead loop resulting from a malformed media file in decoder/ih264d_dpb_mgr.c (of libavc) can result in a remote DoS due to hanging during decoding or eventual segfault. | CVE-2017-0688 | ||
| Denial of Service in Mediaserver | In decoder/ihevcd_nal.c (of libhevc) when parsing an invalid pps/slice in an h265 file, an infinite loop can occur which can lead to a remote denial of service. | CVE-2017-0689 | ||
| Denial of Service in Mediaserver | A null pointer exception can occur if an attacker can allocate too much memory and cause a new object instantiation to fail. | CVE-2017-0690 | ||
| Denial of Service in Mediaserver | In the sonivox library, a media file with its offset value equal to nodeOffset would trigger infinite recursion in TinyCacheSource::readAt, leading to a remote denial of service in mediaserver. | CVE-2017-0692 | ||
| Denial of Service in Mediaserver | In decoder/ih264d_api.c (of libavc) an error in the use of the u1_top_bottom_decoded flag causes a null pointer dereference which can lead to a remote denial of service. | CVE-2017-0693 | ||
| Denial of Service in Mediaserver | In the sonivox library, a media file that sets the pSize value read by NextChunk to -8 will end up in an infinite loop, resulting in a remote denial of service due to resource exhaustion. | CVE-2017-0694 | ||
| Denial of Service in Mediaserver | In libhevc ps_pps_ref is incremented without checking its value, leading to an eventual out-of-bounds read in ihevcd_copy_pps resulting in a denial of service. | CVE-2017-0695 | ||
| Denial of Service in Mediaserver | There is an out-of-bounds read in ih264d_deblock_mb_nonmbaff that leads to denial of service. | CVE-2017-0696 | ||
| Denial of Service in Mediaserver | In libstagefright/MPEG4Extractor.cpp (of libstagefright) a memory leak can occur if there is an error reading from mDataSource as pssh.data will not be freed, this can eventually lead to a remote denial of service. | CVE-2017-0697 | ||
| Information Disclosure in Mediaserver | The media server uses internal heap pointers as supposedly-opaque handles, and writes them to memory that is shared with the application. An app could use this to break ASLR or otherwise manipulate the media server. | CVE-2017-0698 | ||
| Information Disclosure in Mediaserver | There is a possible out-of-bounds read in the ih264_intra_pred_luma_4x4_mode_diag_dr_ssse3 function in libavc, leading to possible information disclosure in a privileged process. | CVE-2017-0699 | ||
| Elevation of Privilege in System UI | Applications are able to declare new account types which results in the settings app sending an intent on that application’s behalf when creating a new account of that type. These intents carry the Settings app’s permissions, and can thus reach receivers which are otherwise restricted to system apps only. | CVE-2017-0703 | ||
| Remote Code Execution in Broadcom Component | The vulnerability exists in the function wlc_bss_parse_wme_ie. The specific flaw is a buffer overflow when parsing the WME IE in the Association Response from an access point, allowing a buffer overflow and code execution. | CVE-2017-9417 | ||
| Elevation of Privilege in Broadcom Component | The vulnerability is in the function wl_cfgvendor_significant_change_cfg. The specific flaw is that it is missing a boundary check in the handling of GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS. | CVE-2017-0705 | ||
| Elevation of Privilege in Broadcom Component | There is a missing bounds check leading to a memcpy in the function wl_cfg80211_mgmt_tx, allowing for kernel memory corruption. | CVE-2017-0706 | ||
| Elevation of Privilege in Kernel Networking Subsystem | The vulnerability is in the dccp_rcv_state_process function. The specific flaw is that the function mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, allows for memory corruption by a local application which makes IPV6_RECVPKTINFO setsockopt system call. | CVE-2017-6074 | ||
| Denial of Service in Kernel Networking Subsystem | The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. | CVE-2017-5970 | ||
| Elevation of Privilege in Kernel SCSI Driver | There is an integer overflow in the sg_start_req function, potentially leading to kernel memory corruption. | CVE-2015-5707 | ||
| Elevation of Privilege in Kernel TCB | A process with CAP_SYS_RESOURCE bypasses the permission check allowing arbitrary ptrace access. | CVE-2017-0710 | ||
| Elevation of Privilege in Kernel Networking Driver | There is an incorrect integer overflow check in AF_PACKET handling code causing kernel heap corruption. | CVE-2017-7308 | ||
| Information Disclosure in Kernel File System | The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target’s name along with a trailing � character, which allows local users to obtain sensitive information via a crafted filesystem image. | CVE-2014-9731 | ||
| Elevation of Privilege in Camera Driver | In msm_cci_i2c_read in the camera driver, there is a missing bounds check that allows for an out-of-bounds write in the kernel. | CVE-2017-8253 | ||
| Elevation of Privilege in GPU Driver | In the code handling ioctl cmd IOCTL_KGSL_GPUOBJ_ALLOC and IOCTL_KGSL_GPUOBJ_FREE there is a race condition which can lead to UAF and corrupt the kernel heap. | CVE-2017-8262 | ||
| Elevation of Privilege in Ashmem | There is a missing bound check in ashmem ASHMEM_CACHE_FLUSH_RANGE handling which can cause elevation of privilege. | CVE-2017-8263 | ||
| Elevation of Privilege in Ashmem | There is a TOCTOU issue in ashmem_cache_op of ashmem driver leading to OOB read/write of kernel memory. | CVE-2017-8267 | ||
| Elevation of Privilege in Bootloader | While processing fastboot boot command when verified boot feature is disabled, with length greater than boot image buffer, a buffer overflow could occur. | CVE-2017-8273 | ||
| Elevation of Privilege in USB HID driver | In hiddev_ioctl_usage, if the condition uref->report_id == HID_REPORT_ID_UNKNOWN is true, several checks in the else block are not performed, allowing for a heap buffer overflow. | CVE-2016-5863 | ||
| Elevation of Privilege in SoC Driver | There is a missing bound check issue in function pil_mss_reset_load_mba can cause kernel heap buffer overflow. | CVE-2017-8243 | ||
| Elevation of Privilege in Sound Driver | The vulnerability is in the memory management of certain audio streams. The specific flaw is that a field was not set to NULL after being freed, resulting in a dangling pointer that could later be used. | CVE-2017-8246 | ||
| Elevation of Privilege in Wi-Fi Driver | The vulnerability is in the hdd_set_rx_filter function. The specific flaw is that the hdd_driver_rxfilter_command_handler function can pass more multicast addresses than the hdd_set_rx_filter can handle, resulting in heap memory corruption. | CVE-2017-8256 | ||
| Elevation of Privilege in SoC Driver | The domain_list variable is allocated based on a user controlled size but bound checked with another size. Inconsistency in those two sizes leads to kernel heap corruption. | CVE-2017-8259 | ||
| Elevation of Privilege in Camera Driver | The vulnerability is in the handling of user provided ispif commands. The specific flaw is that a user provided enum was being provided to a verification function that took a uint_8, allowing for integer truncation and the subsequent use of an illegal value, resulting in memory corruption. | CVE-2017-8260 | ||
| Elevation of Privilege in Camera Driver | Failure of clock enabling in msm_csiphy_init can can cause OOB issue in kernel memory. | CVE-2017-8264 | ||
| Elevation of Privilege in Video Driver | There is a double free issue in venus_hfi.c when multiple instances trying to reallocate the vote_data memory | CVE-2017-8265 | ||
| Elevation of Privilege in Video Driver | There is a race condition in /mdss_debug.c can cause UAF of the file->private_data->buf buffer and lead to kernel heap corruption. | CVE-2017-8266 | ||
| Elevation of Privilege in Camera Driver | The vulnerability is in in the function msm_cpp_cfg_frame. The specific flaw is that the new_frame->last_stripe_index and new_frame->first_stripe_index fields are user provided, but used without any verification, resulting in memory corruption. | CVE-2017-8268 | ||
| Elevation of Privilege in Wi-Fi Driver | Due to insufficient locking, there is a race condition between pktlog_enable and pktlog_setsize that results in a potential use after free, leading to memory corruption in the kernel. | CVE-2017-8270 | ||
| Elevation of Privilege in Video Driver | In the mdss_rotator_ioctl ioctl handler, there is a possible out-of-bounds write when writing to the msmfb_data planes variable on the stack, in mdss_rotator_import_buffer, resulting in kernel stack corruption. | CVE-2017-8271 | ||
| Elevation of Privilege in Video Driver | There is an out-of-bounds write to the kernel stack in mdss_mdp_wfd_import_data, when copying to msmfb_data planes, resulting in kernel stack corruption. | CVE-2017-8272 | ||
| Information Disclosure in Camera Driver | The vulnerability is in the function msm_isp_set_dual_HW_master_slave_mode. The specific flaw is that the dual_hw_ms_cmd->num_src is not validated, allowing for out-of-bounds access to kernel memory. | CVE-2017-8258 | ||
| Information Disclosure in IPA Driver | In the RMNET_IOCTL_ADD_MUX_CHANNEL ioctl handler, if the vchannel_name string passed in is too long, it ends up not being null terminated in the driver, which leads to possible information disclosure. | CVE-2017-8269 |
If you own an Android device from BlackBerry and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates and checking manually. Look for the following Android security patch level July 1st, 2017 or later.
Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.
