BlackBerry powered by Android Security Bulletin – May 2017

rgray

Just in case anyone was interested in what is not available from Verizon.

BlackBerry powered by Android Security Bulletin – May 2017

Purpose of this Bulletin

BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (May 2017) and addresses issues in that bulletin that affect BlackBerry powered by Android smartphones.

Back to top ↑

Vulnerabilities Fixed in this Update

The following vulnerabilities have been remediated in this update:

Summary		Description		CVE
Remote code execution vulnerability in Mediaserver		A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing.		CVE-2017-0592 CVE-2017-0591 CVE-2017-0590 CVE-2017-0589 CVE-2017-0588 CVE-2017-0587
Elevation of privilege vulnerability in Framework API		An elevation of privilege vulnerability in the Framework APIs could enable a local malicious application to obtain access to custom permissions.		CVE-2017-0593
Elevation of privilege vulnerability in Mediaserver		An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process.		CVE-2017-0596 CVE-2017-0595 CVE-2017-0594
Elevation of privilege vulnerability in Audioserver		An elevation of privilege vulnerability in Audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process.		CVE-2017-0597
Information disclosure vulnerability in Framework API		An information disclosure vulnerability in the Framework APIs could enable a local malicious application to bypass operating system protections that isolate application data from other applications.		CVE-2017-0598
Denial of service vulnerability in Mediaserver		A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.		CVE-2017-0600 CVE-2017-0599
Information disclosure vulnerability in Bluetooth		An information disclosure vulnerability in Bluetooth could allow a local malicious application to bypass operating system protections that isolate application data from other applications.		CVE-2017-0602
Information disclosure vulnerability in OpenSSL & BoringSSL		An information disclosure vulnerability in OpenSSL & BoringSSL could enable a remote attacker to gain access to sensitive information.		CVE-2016-7056
Denial of service vulnerability in Mediaserver		A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.		CVE-2017-0603
Remote code execution vulnerability in GIFLIB		A remote code execution vulnerability in GIFLIB could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing.		CVE-2015-7555
Elevation of privilege vulnerability in kernel sound subsystem		An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2016-9794
Elevation of privilege vulnerability in Qualcomm power driver		An elevation of privilege vulnerability in the kernel Qualcomm power driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0604
Elevation of privilege vulnerability in kernel trace subsystem		An elevation of privilege vulnerability in the kernel trace subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0605
Remote code execution vulnerability in libxml2		A remote code execution vulnerability in libxml2 could enable an attacker to use a specially crafted file to execute arbitrary code within the context of an unprivileged process.		CVE-2016-5131
Elevation of privilege vulnerability in kernel performance subsystem		An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2015-9004
Elevation of privilege vulnerability in Qualcomm sound driver		An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2016-5853 CVE-2017-0611 CVE-2017-0610 CVE-2016-5859 CVE-2017-0609 CVE-2017-0608 CVE-2017-0607 CVE-2016-5867 CVE-2016-5860 CVE-2017-0606
Elevation of privilege vulnerability in Qualcomm ADSPRPC driver		An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0465
Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver		An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0614 CVE-2017-0613 CVE-2017-0612
Elevation of privilege vulnerability in Qualcomm pin controller driver		An elevation of privilege vulnerability in the Qualcomm pin controller driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0619
Elevation of privilege vulnerability in Qualcomm Secure Channel Manager Driver		An elevation of privilege vulnerability in the Qualcomm Secure Channel Manager driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0620
Elevation of privilege vulnerability in Qualcomm sound codec driver		An elevation of privilege vulnerability in the Qualcomm sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2016-5862
Elevation of privilege vulnerability in kernel voltage regulator driver		An elevation of privilege vulnerability in the kernel voltage regulator driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2014-9940
Elevation of privilege vulnerability in Qualcomm camera driver		An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0621
Elevation of privilege vulnerability in Qualcomm networking driver		An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2016-5868
Elevation of privilege vulnerability in kernel networking subsystem		An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-7184
Elevation of privilege vulnerability in Goodix touchscreen driver		An elevation of privilege vulnerability in the Goodix touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel.		CVE-2017-0622
Information disclosure vulnerability in Qualcomm crypto engine driver		An information disclosure vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to access data outside of its permission levels.		CVE-2017-0626
Information disclosure vulnerability in kernel UVC driver		An information disclosure vulnerability in the kernel UVC driver could enable a local malicious application to access data outside of its permission levels.		CVE-2017-0627
Information disclosure vulnerability in kernel trace subsystem		An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious application to access data outside of its permission levels.		CVE-2017-0630
Information disclosure vulnerability in Qualcomm camera driver		An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels.		CVE-2017-0631 CVE-2017-0629 CVE-2017-0628
Information disclosure vulnerability in Qualcomm sound driver		An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels.		CVE-2016-5347
Information disclosure vulnerability in Qualcomm sound codec driver		An information disclosure vulnerability in the Qualcomm sound codec driver could enable a local malicious application to access data outside of its permission levels.		CVE-2017-0632 CVE-2016-5858
Information disclosure vulnerability in Broadcom Wi-Fi driver		An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels.		CVE-2017-0633
Information disclosure vulnerability in Synaptics touchscreen driver		An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels.		CVE-2017-0634
Vulnerabilities in Qualcomm component		Multiple vulnerabilities in Qualcomm components		CVE-2014-9958
Vulnerabilities in Qualcomm component		Multiple vulnerabilities in Qualcomm components		CVE-2014-9959

DickLewis

Thanks, checking often, hoping by now we would be seeing the May update release.

It's already been 10 days, I realize Verizon has to "test" the OS, but this is getting annoying.