Issue metadata
Sign in to add a comment
|
CrOS: Vulnerability reported in sys-kernel/chromeos-kernel-3_18 |
||||||||||||||||||||||
Issue descriptionAutomated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package. Package Name: sys-kernel/chromeos-kernel-3_18 Package Version: [cpe:/o:linux:linux_kernel:3.18] Advisory: CVE-2016-8413 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-8413 CVSS severity score: 2.6/10.0 Confidence: high Description: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32709702. References: QC-CR#518731. Advisory: CVE-2016-8416 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-8416 CVSS severity score: 2.6/10.0 Confidence: high Description: An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32510746. References: QC-CR#1088206. Advisory: CVE-2016-8417 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-8417 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32342399. References: QC-CR#1088824. Advisory: CVE-2016-8477 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-8477 CVSS severity score: 2.6/10.0 Confidence: high Description: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32720522. References: QC-CR#1090007. Advisory: CVE-2016-8478 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-8478 CVSS severity score: 2.6/10.0 Confidence: high Description: An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32511270. References: QC-CR#1088206. Advisory: CVE-2016-8479 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-8479 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31824853. References: QC-CR#1093687. Advisory: CVE-2017-0307 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0307 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33177895. References: N-CVE-2017-0307. Advisory: CVE-2017-0333 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0333 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33899363. References: N-CVE-2017-0333. Advisory: CVE-2017-0334 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0334 CVSS severity score: 4.3/10.0 Confidence: high Description: An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33245849. References: N-CVE-2017-0334. Advisory: CVE-2017-0335 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0335 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33043375. References: N-CVE-2017-0335. Advisory: CVE-2017-0336 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0336 CVSS severity score: 4.3/10.0 Confidence: high Description: An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33042679. References: N-CVE-2017-0336. Advisory: CVE-2017-0337 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0337 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-31992762. References: N-CVE-2017-0337. Advisory: CVE-2017-0338 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0338 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33057977. References: N-CVE-2017-0338. Advisory: CVE-2017-0455 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0455 CVSS severity score: 9.3/10.0 Confidence: high Description: An information disclosure vulnerability in the Qualcomm bootloader could help to enable a local malicious application to to execute arbitrary code within the context of the bootloader. This issue is rated as High because it is a general bypass for a bootloader level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-32370952. References: QC-CR#1082755. Advisory: CVE-2017-0456 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0456 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33106520. References: QC-CR#1099598. Advisory: CVE-2017-0457 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0457 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31695439. References: QC-CR#1086123, QC-CR#1100695. Advisory: CVE-2017-0458 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0458 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32588962. References: QC-CR#1089433. Advisory: CVE-2017-0459 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0459 CVSS severity score: 2.6/10.0 Confidence: high Description: An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32644895. References: QC-CR#1091939. Advisory: CVE-2017-0460 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0460 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31252965. References: QC-CR#1098801. Advisory: CVE-2017-0461 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0461 CVSS severity score: 2.6/10.0 Confidence: high Description: An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32073794. References: QC-CR#1100132. Advisory: CVE-2017-0463 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0463 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33277611. References: QC-CR#1101792. Advisory: CVE-2017-0464 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0464 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32940193. References: QC-CR#1102593. Advisory: CVE-2017-0507 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0507 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31992382. Advisory: CVE-2017-0508 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0508 CVSS severity score: 9.3/10.0 Confidence: high Description: An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33940449. Advisory: CVE-2017-0516 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0516 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm input hardware driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32341680. References: QC-CR#1096301. Advisory: CVE-2017-0518 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0518 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32370896. References: QC-CR#1086530. Advisory: CVE-2017-0519 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0519 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32372915. References: QC-CR#1086530. Advisory: CVE-2017-0520 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0520 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31750232. References: QC-CR#1082636. Advisory: CVE-2017-0521 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0521 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32919951. References: QC-CR#1097709. Advisory: CVE-2017-0524 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0524 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33002026. Advisory: CVE-2017-0525 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0525 CVSS severity score: 7.6/10.0 Confidence: high Description: An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33139056. References: QC-CR#1097714.
,
Mar 10 2017
,
Mar 14 2017
Guessing severity high based on contents of report and impact stable, though please adjust these labels if the reported issues don't apply to us. Thanks!
,
Mar 14 2017
CVEs marked QC- are in ualcomm code and do not apply. Other problems will be fixed with the bugs as described, with patches pulled either from Android or from upstream.
CVE-2016-8413 A-32709702 QC-CR#518731
CVE-2016-8416 A-32510746 QC-CR#1088206
CVE-2016-8417 A-32342399 QC-CR#1088824
CVE-2016-8477 A-32720522 QC-CR#1090007
CVE-2016-8478 A-32511270 QC-CR#1088206
CVE-2016-8479 A-31824853 QC-CR#1093687
CVE-2017-0307 A-33177895 N-CVE-2017-0307
b/36116833
upstream 9ac0934bbe52
3.18 and older
3.18: applies cleanly from upstream
3.14: cherry-pick from 3.10 CL:414972
3.10: already applied w/ different context CL:414972
CVE-2017-0333 A-33899363 N-CVE-2017-0333
b/36117306
dragon 212850f06fa03defcbdee18b7c06fdf4b4b93ca2
3.18 and older
3.18: clean cherry-pick
upstream and 4.4 completely different
CVE-2017-0334 A-33245849 N-CVE-2017-0334
b/36116297
dragon 90559a13448189a8967e5ded47a1b9dee0f11ea8
chrome-os-partner:60725
3.18: conflict in drivers/gpu/drm/tegra/drm.c
[ too risky; won't fix ]
all releases
CVE-2017-0335 A-33043375 N-CVE-2017-0335
b/36116785
dragon 90a09b9c9960fa26ddbdb8380fbac5ead2d2f938
up to 3.18, upstream and 4.4 not affected
clean cherry-pick to 3.18
CVE-2017-0336 A-33042679 N-CVE-2017-0336
b/36116447
dragon 90a09b9c9960fa26ddbdb8380fbac5ead2d2f938 (same)
CVE-2017-0337 A-31992762 N-CVE-2017-0337
b/36116834
chrome-os-partner:60663
dragon fb655322e54e1d4077ba95afdae1fad8c7f72d5c
clean cherry-pick to 3.18
chromeos not affected (android only problem)
CVE-2017-0338 A-33057977 N-CVE-2017-0338
b/36117307
dragon 90a09b9c9960fa26ddbdb8380fbac5ead2d2f938 (again)
CVE-2017-0455 A-32370952 QC-CR#1082755
CVE-2017-0456 A-33106520 QC-CR#1099598
CVE-2017-0457 A-31695439 QC-CR#1086123, QC-CR#1100695
CVE-2017-0458 A-32588962 QC-CR#1089433
CVE-2017-0459 A-32644895 QC-CR#1091939
CVE-2017-0460 A-31252965 QC-CR#1098801
CVE-2017-0461 A-32073794 QC-CR#1100132
CVE-2017-0463 A-33277611 QC-CR#1101792
CVE-2017-0464 A-32940193 QC-CR#1102593
CVE-2017-0507 A-31992382 b/36116788 needs fix
msm/dragon 03c26a1d8c8687131da151c2e4bd5a04d08e0dec
3.18: minor conflicts
CVE-2017-0508 A-33940449 b/36117400 needs fix
dragon 3ac8b4d121a6fb7a7b0e6397e27ebd2fe171b690
applies cleanly
CVE-2017-0516 A-32341680 QC-CR#1096301
CVE-2017-0518 A-32370896 QC-CR#1086530
CVE-2017-0519 A-32372915 QC-CR#1086530
CVE-2017-0520 A-31750232 QC-CR#1082636
CVE-2017-0521 A-32919951 QC-CR#1097709
CVE-2017-0524 A-33002026 Synaptics touchscreen, not in chromeos
CVE-2017-0525 A-33139056 QC-CR#1097714
,
Mar 20 2017
,
Mar 21 2017
,
Mar 23 2017
,
Mar 24 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 24 2017
Necessary merges already complete with per-CVE bugs; no further merges necessary. Removing labels.
,
Jun 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 1 2017
,
Jan 22 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by vakh@chromium.org
, Mar 10 2017Owner: groeck@chromium.org