BlackBerry has today rolled out the August 2017 Android Security update to BlackBerry Android devices.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.
The following vulnerabilities have been remediated in this update:
Summary | Description | CVE
Elevation of Privilege in WiFi | In the Wi-Fi service, a copy into a stack structure is not checked for length before the operation is performed. | CVE-2017-0712
Remote Code Execution in Sfntly | In the sfntly library used by libskia, a malformed font file could achieve privilege escalation due to an out-of-bounds read and probable write. | CVE-2017-0713
Remote Code Execution in Mediaserver | There is a missing bounds check in the GetMBHeader() function of the h263 decoder that could lead to a heap memory overflow. Exploitation of this by a malicious MP4 file could lead to memory corruption and code execution in a privileged process. | CVE-2017-0714
Remote Code Execution in Mediaserver | In decoder/ih264d_utils.c in ih264d_allocate_dynamic_bufs (of libavc), there is an out-of-bounds write issue, which could lead to remote arbitrary code execution. | CVE-2017-0715
Remote Code Execution in Mediaserver | In decoder/impeg2d_vld.c in impeg2d_vld_decode (of libmpeg2), a missing bounds check can cause a heap buffer overflow that could lead to remote arbitrary code execution in a privileged process. | CVE-2017-0716
Remote Code Execution in Mediaserver | In the mpeg2 decoder, reading a different vertical slice than the one at the current decode position could result in an invalid calculation of the amount of data remaining. | CVE-2017-0718
Remote Code Execution in Mediaserver | In the mpeg2 decoder, an invalid picture structure could cause an out-of-bounds write, which could lead to memory corruption and code execution in a privileged process. | CVE-2017-0719
Remote Code Execution in Mediaserver | In decoder/ihevcd_parse_slice.c (of libhevc), a potential memory corruption could occur, leading to remote arbitrary code execution. | CVE-2017-0720
Remote Code Execution in Mediaserver | In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height. Parsing a malicious media file could lead to a clip dimension change, which could lead to an out-of-bounds write leading to remote arbitrary code execution. | CVE-2017-0721
Remote Code Execution in Mediaserver | In the h263 decoder, a malformed mpeg4 file could lead to an out-of-bounds write in a privileged process due to a size mismatch between the frame header and the frame body. | CVE-2017-0722
Remote Code Execution in Mediaserver | In decoder/ih264d_format_conv.c in ih264d_fmt_conv_420sp_to_420sp (of libavc), a heap buffer overflow could occur due to an unchecked num_rows in the memcpy, which could lead to remote arbitrary code execution in a privileged process. | CVE-2017-0723
Remote Code Execution in Mediaserver | In m4v_h263/dec/src/vop.cpp in DecodeShortHeader (of libstagefright), there is no check that the height and width are less than the total video size. | CVE-2017-0745
Denial of Service in Mediaserver | In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height. | CVE-2017-0724
Denial of Service in Mediaserver | In libstagefright/MPEG4Extractor.cpp in MPEG4Extractor::parseMetaData (of libstagefright), a memory leak could lead to resource exhaustion, which could lead to a remote temporary denial of service. | CVE-2017-0726
Denial of Service in Mediaserver | In the hevc software decoder, a malformed mpeg4 file could result in a null pointer dereference. | CVE-2017-0728
Elevation of Privilege in MediaDrmServer | There is a possible integer overflow in the clearkey plugin for the MediaDrmServer process. | CVE-2017-0729
Denial of Service in Mediaserver | In the h264 decoder, a malformed mpeg4 file could cause a crash. | CVE-2017-0730
Elevation of Privilege in Mediaserver | In the mpeg4 encoder, an app could set a zero width or height parameter causing a bad allocation, but change the width or height later. When the encoder is cleaned up, the wrong address is freed, which could lead to memory corruption and code execution. | CVE-2017-0731
Elevation of Privilege in Mediaserver | There is a vulnerability in mediaserver where an application could cause a hang in a mediaserver thread creating a graphics buffer. Another thread attempting to use that buffer could cause the reference count to be decremented and the buffer freed. When the creating thread resumes, it uses the buffer that has already been freed, which could lead to memory corruption and code execution. | CVE-2017-0732
Denial of Service in Mediaserver | In NuPlayerDecoder (of libmediaplayerservice), when processing bad input data, a CHECK abort could lead to a remote temporary denial of service. | CVE-2017-0733
Denial of Service in Mediaserver | In decoder/ih264d_dpb_mgr.c in ih264d_delete_st_node_or_make_lt (of libavc), a null pointer dereference could lead to a remote temporary denial of service. | CVE-2017-0734
Denial of Service in Mediaserver | In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc), a crafted media could cause an infinite loop due to improper input validation when changing resolutions, which could lead to a remote temporary denial of service. | CVE-2017-0735
Denial of Service in Mediaserver | In decoder/ih264d_parse_headers.c in ih264d_parse_nal_unit (of libavc), a crafted media could lead to an infinite loop due to missing input validation, which could lead to a remote temporary denial of service. | CVE-2017-0736
Denial of Service in Mediaserver | In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc), improper input validation could lead to remote temporary denial of service when the media stream changes resolution. | CVE-2017-0687
Elevation of Privilege in Mediaserver | In libgui.so, a missing bounds check could lead to an arbitrary write in a privileged process, which could lead to an elevation of privilege. | CVE-2017-0737
Information Disclosure in Mediaserver | Inside audioserver, the parameters of equalizer Effect_command are not properly checked, which could cause an out-of-bounds read leading to information disclosure. | CVE-2017-0738
Information Disclosure in Mediaserver | In decoder/ihevcd_nal.c in ihevcd_nal_remv_emuln_bytes (of libhevc), an out-of-bounds read could lead to information disclosure. | CVE-2017-0739
Remote Code Execution in Broadcom WiFi | After the patch for CVE-2016-0802 (ANDROID-25306181), if a device had updated the kernel but not the bcm4354 firmware, there were still possible out-of-bounds memory writes if the chip sent an ETHER_TYPE_BRCM packet to the host with a malformed length. | CVE-2017-0740
Elevation of Privilege in Kernel File System | Unvalidated input parameters in the F2FS module could allow for kernel memory corruption, which could result in arbitrary code execution in the TCB. | CVE-2017-0750
Elevation of Privilege in Kernel | In msm/kernel/trace/trace.c, there is insufficient locking when accessing savedcmd that could result in a use after free, leading to escalation of privilege. | CVE-2017-0749
Elevation of Privilege in Qualcomm IPA Driver | An integer overflow in the reference counter variables in the ipa driver could cause a potential use after free leading to elevation of privilege. | CVE-2017-0746
Elevation of Privilege in Qualcomm Component | The qseecomd process has CAP_SYS_ADMIN and CAP_NET_RAW capabilities which are not necessary. | CVE-2017-0747
Elevation of Privilege in Qualcomm Video Driver | In the /dev/graphics/fb0 driver when running a 32-bit kernel, there is an out-of-bounds write that could lead to escalation of privilege. | CVE-2017-9678
Elevation of Privilege in Qualcomm MobiCore Driver | Reading from /sys/kernel/debug/trustonic_tee/info, on devices where it exists, could lead to an escalation of privilege, due to insufficient locking. | CVE-2017-9691
Elevation of Privilege in Qualcomm USB Driver | In rndis_qc_bind_config_vendor and related functions, access to the _rndis_qc variable is not protected by a lock. There is a possible use after free vulnerability that could lead to escalation of privilege. | CVE-2017-9684
Information Disclosure in Qualcomm GPU Driver | Improper locking in the kgsl device causes a use after free issue, which could lead to information disclosure. | CVE-2017-9682
Information Disclosure in Qualcomm SoC Driver | In the qbt1000 driver, a user space string is copied into a local buffer without ensuring that it is properly NULL terminated. | CVE-2017-9679
Information Disclosure in Qualcomm SoC Driver | Uninitialized variables in the qbt1000 driver could lead to information disclosure. | CVE-2017-9680
Information Disclosure in Qualcomm Audio Driver | In the audio driver, a missing return value check together with an uninitialized local variable could lead to information disclosure. | CVE-2017-0748
Information Disclosure in Qualcomm Radio Driver | The function iris_vidioc_s_ext_ctrls directly dereferences a user-passed pointer as a string, which could lead to information disclosure. | CVE-2017-9681
Information Disclosure in Qualcomm Networking Driver | In __wlan_hdd_change_station, the length of params->ext_capab has insufficient checks, which could lead to information disclosure due to an out-of-bounds read. | CVE-2017-9693
Information Disclosure in Qualcomm Networking Driver | In __wlan_hdd_cfg80211_extscan_set_bssid_hotlist, the policy used to enforce the size of the attributes for nla_parse does not include an entry for QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE, which could lead to a possible out-of-bounds read and information disclosure. | CVE-2017-9694
Elevation of Privilege in Qualcomm QCE Driver | Multiple IOCTLs within the QCE driver use a non-validated field provided by the user. | CVE-2017-0751
If you own an Android device from BlackBerry and are not seeing the system update message, you can check manually by going to Settings -> About phone -> System updates. Look for Android security patch level August 5, 2017 or later.
Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.