CVE-2019-10627: October Security Bulletin 2019 | Qualcomm
Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters due to incorrect buffer size calculation, in PostScript and PDF printers that use IPS versions prior to 2019.2.
Version 1.1
Published: 10/07/2019
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to [email protected] for any questions related to this bulletin.
Announcements
We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
- CVE-2019-10486, CVE-2019-10503: Pengfei Ding (丁鹏飞) of Huawei Mobile Security Lab
- CVE-2019-2302: Gengjia Chen (chengjia4574)
- CVE-2019-10566, CVE-2019-2297: Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
- CVE-2019-10617: Michael Bourque
- CVE-2019-10627: [email protected]
- CVE-2019-2289: [email protected]
- CVE-2019-2318: Wen Guanxing from Pangu LAB
This table summarizes security vulnerabilities that were addressed through proprietary software
Table of Vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
| --- | --- | --- | --- |
| CVE-2018-13916 | Critical | KERNEL | Internal |
| CVE-2019-10490 | High | GPS HLOS Driver | Internal |
| CVE-2019-10617 | High | Bluetooth HOST | 4/16/2019 |
| CVE-2019-10627 | Critical | Printer Software | 8/14/2019 |
| CVE-2019-2251 | Critical | Boot | Internal |
| CVE-2019-2271 | Critical | Multi-Mode Call Processor | Internal |
| CVE-2019-2289 | Critical | Multi-Mode Call Processor | 12/27/2018 |
| CVE-2019-2295 | High | System Debug | Internal |
| CVE-2019-2303 | High | GERAN | Internal |
| CVE-2019-2315 | Critical | Content Protection | Internal |
| CVE-2019-2318 | High | QTEE | 12/10/2018 |
| CVE-2019-2329 | Critical | QTEE | Internal |
| CVE-2019-2335 | High | Multi-Mode Call Processor | Internal |
| CVE-2019-2336 | Critical | QTEE | Internal |
| CVE-2019-2339 | Critical | QTEE | Internal |
CVE-2018-13916
CVE ID
CVE-2018-13916
Title
Improper Validation of Array Index in Kernel
Description
Out-of-bounds memory access in Qurt kernel function when using the identifier to access Qurt kernel buffer to retrieve thread data.
Technology Area
KERNEL
Vulnerability Type
CWE-680 Integer Overflow to Buffer Overflow
Access Vector
Local
Security Rating
Critical
Date Reported
Internal
Customer Notified Date
01/07/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130
CVE-2019-10490
CVE ID
CVE-2019-10490
Title
Use After Free Issue in GPS Module
Description
Use after free issue in Xtra daemon shutdown due to a static object instance getting freed from multiple places.
Technology Area
GPS HLOS Driver
Vulnerability Type
CWE-416 Use After Free
Access Vector
Local
Security Rating
High
Date Reported
Internal
Customer Notified Date
05/06/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS605, SDA660, SDA845, SDM450, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR2130
CVE-2019-10617
CVE ID
CVE-2019-10617
Title
Permissions, Privileges and Access control Issues in Bluetooth Host
Description
Low-privilege users can access the service configuration, which contains registry data that admins use to create or delete entries in the registry.
Technology Area
Bluetooth HOST
Vulnerability Type
CWE-264 Permissions, Privileges, and Access Controls
Access Vector
Local
Security Rating
High
Date Reported
4/16/2019
Customer Notified Date
8/28/2019
Affected Chipsets*
QCA6174_9377
CVE-2019-10627
CVE ID
CVE-2019-10627
Title
Buffer overflow vulnerability in the PostScript- and PDF-compatible interpreters
Description
Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters due to incorrect buffer size calculation.
Technology Area
Printer Software
Vulnerability Type
CWE-680 Integer overflow to buffer overflow
Access Vector
Remote
Security Rating
Critical
Date Reported
8/14/2019
Customer Notified Date
9/24/2019
Affected Chipsets*
PostScript and PDF printers that use IPS versions prior to 2019.2
CVE-2019-2251
CVE ID
CVE-2019-2251
Title
Buffer Copy Without Checking Size of Input in Boot
Description
If a bitmap file is loaded from any unauthenticated source, the bitmap can potentially cause a stack buffer overflow.
Technology Area
Boot
Vulnerability Type
CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector
Local
Security Rating
Critical
Date Reported
Internal
Customer Notified Date
01/07/2019
Affected Chipsets*
APQ8016, APQ8096AU, APQ8098, MDM9205, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
CVE-2019-2271
CVE ID
CVE-2019-2271
Title
Improper Validation of Array Index in NAS
Description
Buffer over-read can happen while parsing downlink session management OTA messages if the network sends unintended values.
Technology Area
Multi-Mode Call Processor
Vulnerability Type
CWE-126 Buffer Over-read, CWE-129 Improper Validation of Array Index
Access Vector
Remote
Security Rating
Critical
Date Reported
Internal
Customer Notified Date
04/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130
CVE-2019-2289
CVE ID
CVE-2019-2289
Title
Improper Authentication in NAS
Description
Lack of an integrity check allows the MODEM to accept any NAS messages, which can result in authentication bypass of NAS.
Technology Area
Multi-Mode Call Processor
Vulnerability Type
CWE-287 Improper Authentication
Access Vector
Remote
Security Rating
Critical
Date Reported
12/27/2018
Customer Notified Date
04/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130
CVE-2019-2295
CVE ID
CVE-2019-2295
Title
Untrusted Pointer Dereference in System Debug
Description
Information disclosure due to lack of address range check done on the SysDBG buffers in SDI code.
Technology Area
System Debug
Vulnerability Type
CWE-822 Untrusted Pointer Dereference
Access Vector
Local
Security Rating
High
Date Reported
Internal
Customer Notified Date
05/06/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, MDM9205, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCS404, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, Snapdragon_High_Med_2016, SXR1130
CVE-2019-2303
CVE ID
CVE-2019-2303
Title
Buffer Over-read Issue in GSNDCP Module
Description
The SNDCP module may access an array outside its boundary when it receives a malformed XID message.
Technology Area
GERAN
Vulnerability Type
CWE-126 Buffer Over-read
Access Vector
Remote
Security Rating
High
Date Reported
Internal
Customer Notified Date
04/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130
CVE-2019-2315
CVE ID
CVE-2019-2315
Title
Permissions, Privileges and Access Controls Issue in Content Protection
Description
While invoking the API to copy from an fd or local buffer to the secure buffer, the parameters being populated come from the non-secure environment.
Technology Area
Content Protection
Vulnerability Type
CWE-264 Permissions, Privileges, and Access Controls
Access Vector
Local
Security Rating
Critical
Date Reported
Internal
Customer Notified Date
04/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, Snapdragon_High_Med_2016, SXR1130, SXR2130
CVE-2019-2318
CVE ID
CVE-2019-2318
Title
Buffer Over-read Issue in QTEE
Description
The non-secure kernel can cause TrustZone to do an arbitrary memory read, which will result in DoS.
Technology Area
QTEE
Vulnerability Type
CWE-126 Buffer Over-read
Access Vector
Local
Security Rating
High
Date Reported
12/10/2018
Customer Notified Date
04/01/2019
Affected Chipsets*
APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ8074, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, QCA8081, QM215, SDM429, SDM439, SDM450, SDM632, Snapdragon_High_Med_2016
CVE-2019-2329
CVE ID
CVE-2019-2329
Title
Use After Free Issue in QTEE
Description
Use after free issue in cleanup routine due to missing pointer sanitization for a failed start of a trusted application.
Technology Area
QTEE
Vulnerability Type
CWE-416 Use After Free
Access Vector
Local
Security Rating
Critical
Date Reported
Internal
Customer Notified Date
04/01/2019
Affected Chipsets*
MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130
CVE-2019-2335
CVE ID
CVE-2019-2335
Title
Loop with Unreachable Exit Condition in NAS
Description
While processing an Attach Reject message, a valid exit condition is not met, resulting in an infinite loop.
Technology Area
Multi-Mode Call Processor
Vulnerability Type
CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’)
Access Vector
Remote
Security Rating
High
Date Reported
Internal
Customer Notified Date
04/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130
CVE-2019-2336
CVE ID
CVE-2019-2336
Title
Use After Free Issue in QTEE
Description
Subsequent use of the CBO listener may result in further memory corruption due to use after free issue.
Technology Area
QTEE
Vulnerability Type
CWE-416 Use After Free
Access Vector
Local
Security Rating
Critical
Date Reported
Internal
Customer Notified Date
04/01/2019
Affected Chipsets*
MDM9205, QCS404, SDX55, SM6150, SM7150, SM8150, SXR2130
CVE-2019-2339
CVE ID
CVE-2019-2339
Title
Improper Restriction of Operation Within the Bounds of Memory in QTEE
Description
Out-of-bounds access due to a missing check of the whitelist array size while reading the image ELF segments.
Technology Area
QTEE
Vulnerability Type
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector
Local
Security Rating
Critical
Date Reported
Internal
Customer Notified Date
04/01/2019
Affected Chipsets*
MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130
* Data is generated only at the time of bulletin creation
This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links
Table of Vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
| --- | --- | --- | --- |
| CVE-2019-10486 | Medium | Multimedia | 11/21/2018 |
| CVE-2019-10503 | Medium | Multimedia | 12/15/2018 |
| CVE-2019-10535 | High | WLAN HOST | Internal |
| CVE-2019-10563 | Medium | WLAN HOST | Internal |
| CVE-2019-10565 | Medium | Camera Driver | Internal |
| CVE-2019-10566 | Medium | WLAN HOST | 09/05/2018 |
| CVE-2019-2266 | Medium | Camera Driver | Internal |
| CVE-2019-2268 | High | WLAN HOST | Internal |
| CVE-2019-2297 | Medium | WLAN HOST | 10/30/2018 |
| CVE-2019-2302 | Medium | WLAN HOST | 08/15/2018 |
CVE-2019-10486
CVE ID
CVE-2019-10486
Title
Time-of-check Time-of-use Race Condition in Camera
Description
Race condition due to the lack of a lock on a resource that can be concurrently modified during the memcpy statement, leading to out-of-bounds access.
Technology Area
Multimedia
Vulnerability Type
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector
Local
Security Rating
Medium
Date Reported
11/21/2018
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8939, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150
Patch*
- https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=fd2c48332615395428b67d139dd752679d2129ec
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=2fbd882b26a945e1c9d87a5a25b75d183866d42b
CVE-2019-10503
CVE ID
CVE-2019-10503
Title
Improper Validation of Array Index in Camera
Description
Out-of-bounds access can occur in camera driver due to improper validation of array index
Technology Area
Multimedia
Vulnerability Type
CWE-129 Improper Validation of Array Index
Access Vector
Local
Security Rating
Medium
Date Reported
12/15/2018
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCN7605, SDA660, SDM450, SDM630, SDM636, SDM660, SDX20
Patch*
- https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=24f72e500ddcffbd9d54180b19ff905f035f6e23
- https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d929c539a8e52d0764331b2d0a9ac0267264f320
CVE-2019-10535
CVE ID
CVE-2019-10535
Title
Use of Out-of-range Pointer Offset in WLAN HOST
Description
Improper validation for loop variable received from firmware can lead to out of bound access in WLAN function while iterating through loop
Technology Area
WLAN HOST
Vulnerability Type
CWE-823 Use of Out-of-range Pointer Offset
Access Vector
Local
Security Rating
High
Date Reported
Internal
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8053, APQ8096AU, APQ8098, MDM9640, MSM8996AU, MSM8998, QCA6574AU, QCN7605, QCS405, QCS605, SDA845, SDM845, SDX20
Patch*
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=3aaa4c007a6afb6ff6dd82b4ad99968bac837c87
CVE-2019-10563
CVE ID
CVE-2019-10563
Title
Buffer Over-read Issue in WLAN HOST
Description
Buffer over-read can occur in fast message handler due to improper input validation while processing a message from firmware
Technology Area
WLAN HOST
Vulnerability Type
CWE-126 Buffer Over-read
Access Vector
Local
Security Rating
Medium
Date Reported
Internal
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8053, APQ8096AU, MSM8996AU, MSM8998, QCN7605, QCS405, QCS605, SDA660, SDM636, SDM660, SDX20, SDX24
Patch*
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=468ffaac90d93623bbc2f8f6743c4e4e0b9a53f5
CVE-2019-10565
CVE ID
CVE-2019-10565
Title
Double Free Issue in Camera Driver
Description
Double free issue can happen when the sensor power settings are freed by one thread while another thread tries to access them.
Technology Area
Camera Driver
Vulnerability Type
CWE-415 Double Free
Access Vector
Local
Security Rating
Medium
Date Reported
Internal
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8053, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, QCN7605, QCS405, QCS605, SDM845, SDX24, SXR1130
Patch*
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=373c29df48f28a0a5e64fbd948d5539b39e4a28f
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=3325e66fd28060cb1d92fa66d553837296d13003
CVE-2019-10566
CVE ID
CVE-2019-10566
Title
Buffer Copy Without Checking Size of Input in WLAN HOST
Description
Buffer overflow can occur in wlan module if supported rates or extended rates element length is greater than max rate set length
Technology Area
WLAN HOST
Vulnerability Type
CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector
Local
Security Rating
Medium
Date Reported
09/05/2018
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA845, SDM670, SDM710, SDM845, SDX20, SM6150, SM8150, SM8250, SXR2130
Patch*
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=561e3ed2aec2b6425b89e732e5479106bc696950
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=48bbfadd209b0171de7c411851c44c1d7468f961
CVE-2019-2266
CVE ID
CVE-2019-2266
Title
Use After Free Issue in Camera
Description
Possible double free issue in kernel while handling the camera sensor and its sub modules power sequence
Technology Area
Camera Driver
Vulnerability Type
CWE-416 Use After Free
Access Vector
Local
Security Rating
Medium
Date Reported
Internal
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8053, IPQ4019, IPQ8064, MDM9206, MDM9207C, MDM9607, MSM8909, MSM8909W, Nicobar, QCA9980, QCS405, QCS605, SDM845, SDX24, SM7150, SM8150
Patch*
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=d0d2418a6bdcd28267a59038b7ece35e7360ee8a
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=373c29df48f28a0a5e64fbd948d5539b39e4a28f
CVE-2019-2268
CVE ID
CVE-2019-2268
Title
Buffer Over-read in WLAN
Description
Possible OOB read issue in P2P action frames while handling WLAN management frame
Technology Area
WLAN HOST
Vulnerability Type
CWE-126 Buffer Over-read
Access Vector
Remote
Security Rating
High
Date Reported
Internal
Customer Notified Date
03/04/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150
Patch*
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=3090f483b342bbb120a70cacbbd47244a3ad97b9
- core/hdd/src/wlan_hdd_p2p.c
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=4b6895a945ff9dbe733c5108cc688417bfb666d9
CVE-2019-2297
CVE ID
CVE-2019-2297
Title
Integer Overflow to Buffer Overflow in WLAN
Description
Buffer overflow can occur while processing non-standard NAN message from user space.
Technology Area
WLAN HOST
Vulnerability Type
CWE-680 Integer Overflow to Buffer Overflow
Access Vector
Local
Security Rating
Medium
Date Reported
10/30/2018
Customer Notified Date
07/01/2019
Affected Chipsets*
APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA660, SDA845, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150
Patch*
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=e5c289648f5454d7aaa3e8967f158cb0d31943ea
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=02a273d3a9e38ba830fbff02829d904d2fdd1aec
CVE-2019-2302
CVE ID
CVE-2019-2302
Title
Buffer Copy Without Checking Size of Input in WLAN
Description
While processing a vendor command that contains a corrupted channel count, an integer overflow occurs and leads to a heap overflow.
Technology Area
WLAN HOST
Vulnerability Type
CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’), CWE-680 Integer Overflow to Buffer Overflow
Access Vector
Local
Security Rating
Medium
Date Reported
08/15/2018
Customer Notified Date
04/01/2019
Affected Chipsets*
APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8976, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA845, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM8150
Patch*
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=9c2c22372f35c5e9fdea4962f02083f879226400
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=768de6006b04f3286e10d4aa74fb2a95d39784fa
* Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| --- | --- | --- |
| 1.1 | October 7, 2019 | Details for CVE-2019-10617 and CVE-2019-10627 added |
| 1.0 | October 7, 2019 | Bulletin Published |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.