New issue
Advanced search Search tips

Issue 700331 link

Starred by 1 user
Status: WontFix
Owner:
groeck@chromium.org
Closed: Mar 2017
Cc:
chromeos-kernel-security-bug-access@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security



Sign in to add a comment

CrOS: Vulnerability reported in sys-kernel/chromeos-kernel-3_18

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Mar 10 2017 
Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: sys-kernel/chromeos-kernel-3_18
Package Version: [cpe:/o:linux:linux_kernel:3.18]

Advisory: CVE-2017-0527
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0527
  CVSS severity score: 7.6/10.0
  Confidence: high
  Description:

An elevation of privilege vulnerability in the HTC Sensor Hub Driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33899318.
Advisory: CVE-2017-0528
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0528
  CVSS severity score: 9.3/10.0
  Confidence: high
  Description:

An elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to to execute code in the context of a privileged process. This issue is rated as High because it is a general bypass for a kernel level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-33351919.
Advisory: CVE-2017-0531
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0531
  CVSS severity score: 2.6/10.0
  Confidence: high
  Description:

An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877245. References: QC-CR#1087469.
Advisory: CVE-2017-0533
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0533
  CVSS severity score: 2.6/10.0
  Confidence: high
  Description:

An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32509422. References: QC-CR#1088206.
Advisory: CVE-2017-0534
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0534
  CVSS severity score: 2.6/10.0
  Confidence: high
  Description:

An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32508732. References: QC-CR#1088206.
Advisory: CVE-2017-0536
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0536
  CVSS severity score: 2.6/10.0
  Confidence: high
  Description:

An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33555878.
Advisory: CVE-2017-0537
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0537
  CVSS severity score: 2.6/10.0
  Confidence: high
  Description:

An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.

Comment 1 by vakh@chromium.org, Mar 10 2017

Components: OS>Kernel
Owner: groeck@chromium.org

Comment 2 by groeck@chromium.org, Mar 10 2017

Status: Assigned (was: Untriaged)

Comment 3 by tsepez@chromium.org, Mar 14 2017

Labels: Security_Impact-Stable M-57 Security_Severity-High
Setting severity high and impact stable.  Please reset these labels if the issues do not impact us.  Thanks!

Comment 4 by groeck@chromium.org, Mar 14 2017

Labels: -Security_Impact-Stable -Security_Severity-High -M-57
Status: WontFix (was: Assigned)
CVE-2017-0527	b/36117402			A-33899318		HTC sensor hub driver; Android / tegra specific																						
CVE-2017-0528	b/36116839			A-33351919		security subsystem; android configuration issue																						
CVE-2017-0531				A-32877245		QC-CR#1087469																						
CVE-2017-0533				A-32509422		QC-CR#1088206																						
CVE-2017-0534				A-32508732		QC-CR#1088206																						
CVE-2017-0536				A-33555878		Synaptics touchscreen driver; android specific																						
CVE-2017-0537	b/36117313			A-31614969	Android CL:769669	USB gadget driver (use after free); limited impact, android specific, rejected upstream	

None relevant for chromeos. Setting to WontFix and dropping impact/severity labels.
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 21 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment