Don't see new vulnerabilities (CVE-2015-6616, CVE-2015-6617, CVE-2015-6619, CVE-2015-6633, CVE-2015-6634) in VTS

[Timon34]

In December 2015 Google released an update for OS Android, that fixes 19 vulnerabilities, including 5 critical, 12 high and 2 moderate. According to the security bulletin, critical vulnerability (CVE-2015-6616, CVE-2015-6617, CVE-2015-6619, CVE-2015-6633, CVE-2015-6634) contained in components for handling multimedia content and Android lets you remotely execute code with root privileges. CVE-2015-6616 and CVE-2015-6617 affects all versions of Android. Operation flaw allows an attacker to execute code via a speciall MMS-message or media file. Also eliminated the vulnerability at the core of Android, allows third-party applications to execute code with root privileges. In addition, fixed a number of privilege elevation vulnerability affecting other components of the OS, including Bluetooth and Wi-Fi, a library libstagefright, system application SystemUI and so on. These flaws were rated with high severity.

But current version v.12 of VTS don't know about such vulnerabilities. Are there any plans to add them?

[Timon34]

Here is full list of December flaws: Remote Code Execution Vulnerability in Mediaserver CVE-2015-6616 Critical Remote Code Execution Vulnerability in Skia CVE-2015-6617 Critical Elevation of Privilege in Kernel CVE-2015-6619 Critical Remote Code Execution Vulnerabilities in Display Driver CVE-2015-6633 CVE-2015-6634 Critical Remote Code Execution Vulnerability in Bluetooth CVE-2015-6618 High Elevation of Privilege Vulnerabilities in libstagefright CVE-2015-6620 High Elevation of Privilege Vulnerability in SystemUI CVE-2015-6621 High Elevation of Privilege Vulnerability in Native Frameworks Library CVE-2015-6622 High Elevation of Privilege Vulnerability in Wi-Fi CVE-2015-6623 High Elevation of Privilege Vulnerability in System Server CVE-2015-6624 High Information Disclosure Vulnerabilities in libstagefright CVE-2015-6626 CVE-2015-6631 CVE-2015-6632 High Information Disclosure Vulnerability in Audio CVE-2015-6627 High Information Disclosure Vulnerability in Media Framework CVE-2015-6628 High Information Disclosure Vulnerability in Wi-Fi CVE-2015-6629 High Elevation of Privilege Vulnerability in System Server CVE-2015-6625 Moderate Information Disclosure Vulnerability in SystemUI CVE-2015-6630 Moderate Additional info could be found here https://source.android.com/security/bulletin/2015-12-01.html

[Fuzion24]

@Timon34 Thanks for the update. We are aware of the Android security bulletins and have been actively working on incorporating a new test from this past bulletin. Feel free to take a stab at writing a test. Pull requests are welcome =)

[Fuzion24]

test was added for -6616

[Timon34]

There is need to add 10 new tests from February 2016 Security Bulletin http://source.android.com/security/bulletin/2016-02-01.html

Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver CVE-2016-0801 CVE-2016-0802 Critical Remote Code Execution Vulnerability in Mediaserver CVE-2016-0803 CVE-2016-0804 Critical Elevation of Privilege Vulnerability in Qualcomm Performance Module CVE-2016-0805 Critical Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver CVE-2016-0806 Critical Elevation of Privilege Vulnerability in the Debugger Daemon CVE-2016-0807 Critical Denial of Service Vulnerability in Minikin CVE-2016-0808 High Elevation of Privilege Vulnerability in Wi-Fi CVE-2016-0809 High Elevation of Privilege Vulnerability in Mediaserver CVE-2016-0810 High Information Disclosure Vulnerability in libmediaplayerservice CVE-2016-0811 High Elevation of Privilege Vulnerability in Setup Wizard CVE-2016-0812 CVE-2016-0813 Moderate

[Fuzion24]

@Timon34 thank you for this. Feel free to submit a pull request including checks for any one of these =)

[PJBorah]

	CVE-2016-6616