Docs: Changes to source.android.com

- 171873304 Update documentation for types-only minor version package. by Android Partner Docs <noreply@android.com> - 171849317 Update CTS/CTS-Verifier downloads for CTS-Oct-2017 Releases by Android Partner Docs <noreply@android.com> - 171727609 Updating panic button to 8.0 by hvm <hvm@google.com> - 171724554 Fixing typo by hvm <hvm@google.com> - 171604727 Removed gerund form to match TOC bar on left. by cqn <cqn@google.com> - 171576699 Small editorial changes to make content more skimmable. by cqn <cqn@google.com> - 171546973 Add Clang toolchain to home News section by claym <claym@google.com> - 171540129 Corrected a typo from "has" to "have" in CTS public setup... by Android Partner Docs <noreply@android.com> - 171354973 Clean-up edits for consistency on the HCI Requirements do... by cqn <cqn@google.com> - 171242784 Explain Clang is lone supported toolchain going forward by claym <claym@google.com> - 171198827 Added researcher acknowledgement by Android Partner Docs <noreply@android.com> - 171178686 Added researcher acknowledgement by Android Partner Docs <noreply@android.com> - 171169962 Added missing " to jit-workflow.png by daroberts <daroberts@google.com> - 171167568 Announce KASAN+KCOV on the home page by daroberts <daroberts@google.com> - 171093616 Updated Researcher acknowledgement by Android Partner Docs <noreply@android.com> - 171086588 Add Building a Pixel kernel with KASAN +KCOV by daroberts <daroberts@google.com> - 171084549 Move CVE-2017-0710 to Google devices section by Android Partner Docs <noreply@android.com> - 171063850 Removed duped content that is now in /source/view-patches... by cqn <cqn@google.com> - 171061697 Create a /source/view-patches page so that the nav does n... by cqn <cqn@google.com> - 171050148 Update home page with October 2017 security release by daroberts <daroberts@google.com> - 171028732 Devsite localized content from translation request 5cdc34... by Android Partner Docs <noreply@android.com> - 170937091 Add tags for October security backport releases (these do... by Android Partner Docs <noreply@android.com> - 170911440 Remove CVE-2017-0605 from bulletin by Android Partner Docs <noreply@android.com> - 170883975 Add AOSP links to the Oct 2017 Android Security bulletin by daroberts <daroberts@google.com> - 170883918 Add AOSP links to Oct 2017 Pixel bulletin by daroberts <daroberts@google.com> PiperOrigin-RevId: 171873304 Change-Id: I51cdbbbf00bdf43374c06638a8db4f8e87dbcdf7
author: Android Partner Docs <noreply@android.com> 2017-10-11 14:15:38 -0700
committer: Clay Murphy <claym@google.com> 2017-10-11 19:19:53 -0700
commit: 640dc96c73017d3bd2e2c507adcff02046ccfd3f (patch)
tree: 25296dfcb38dae95ee022015e64e78bbe646ff9c /en/security
parent: 4ede9c52630a6da877e7ca9c1c3801a34ddb7179 (diff)
download: source.android.com-640dc96c73017d3bd2e2c507adcff02046ccfd3f.tar.gz
6 files changed, 83 insertions, 80 deletions
diff --git a/en/security/bulletin/2017-05-01.html b/en/security/bulletin/2017-05-01.html
index c92e4ffd..9fa83bc4 100644
--- a/en/security/bulletin/2017-05-01.html
+++ b/en/security/bulletin/2017-05-01.html
@@ -22,7 +22,7 @@
   -->
 
 
-<p><em>Published May 01, 2017 | Updated August 17, 2017</em></p>
+<p><em>Published May 01, 2017 | Updated October 03, 2017</em></p>
 
 <p>The Android Security Bulletin contains details of security vulnerabilities
 affecting Android devices. Alongside the bulletin, we have released a security
@@ -935,43 +935,6 @@ QC-CR#826589</a></td>
 <p>* Supported Google devices on Android 7.1.1 or later that have installed all
 available updates are not affected by this vulnerability.</p>
 
-
-<h3 id="eop-in-kernel-trace-subsystem">Elevation of privilege vulnerability in
-kernel trace subsystem</h3>
-
-<p>An elevation of privilege vulnerability in the kernel trace subsystem could
-enable a local malicious application to execute arbitrary code within the
-context of the kernel. This issue is rated as Critical due to the possibility
-of a local permanent device compromise, which may require reflashing the
-operating system to repair the device.</p>
-
-<table>
-  <col width="19%">
-  <col width="20%">
-  <col width="10%">
-  <col width="23%">
-  <col width="17%">
-  <tr>
-    <th>CVE</th>
-    <th>References</th>
-    <th>Severity</th>
-    <th>Updated Google devices</th>
-    <th>Date reported</th>
-  </tr>
-  <tr>
-    <td>CVE-2017-0605</td>
-    <td>A-35399704<br>
-        <a 
-href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477">
-QC-CR#1048480</a></td>
-    <td>Critical</td>
-    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel, Pixel XL, Pixel C, Android
-One, Nexus Player</td>
-    <td>Feb 15, 2017</td>
-  </tr>
-</table>
-
-
 <h3 id="vulnerabilities-in-qualcomm-components">Vulnerabilities in Qualcomm
 components</h3>
 
@@ -3060,6 +3023,7 @@ belongs. These prefixes map as follows:</p>
 <li>August 10, 2017: Bulletin revised to include additional AOSP link for
 CVE-2017-0493.</li>
 <li>August 17, 2017: Bulletin revised to update reference numbers.</li>
+<li>October 03, 2017: Bulletin revised to remove CVE-2017-0605.</li>
 </ul>
 </body>
 </html>
diff --git a/en/security/bulletin/2017-07-01.html b/en/security/bulletin/2017-07-01.html
index 19141843..cf74c941 100644
--- a/en/security/bulletin/2017-07-01.html
+++ b/en/security/bulletin/2017-07-01.html
@@ -687,13 +687,6 @@ kernel</a></td>
    <td>SCSI driver</td>
   </tr>
   <tr>
-   <td>CVE-2017-0710</td>
-   <td>A-34951864<a href="#asterisk">*</a></td>
-   <td>EoP</td>
-   <td>Moderate</td>
-   <td>TCB</td>
-  </tr>
-  <tr>
    <td>CVE-2017-7308</td>
    <td>A-36725304<br>
 <a href="//git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2">Upstream kernel</a>
@@ -1445,6 +1438,32 @@ site</a>.</p>
    <td>July 05, 2017</td>
   </tr>
 </table>
+
+<p>Google device updates also contain patches for these security
+vulnerabilities, if applicable:</p>
+
+<table>
+  <col width="17%">
+  <col width="19%">
+  <col width="9%">
+  <col width="14%">
+  <col width="39%">
+  <tr>
+   <th>CVE</th>
+   <th>References</th>
+   <th>Type</th>
+   <th>Severity</th>
+   <th>Component</th>
+  </tr>
+  <tr>
+   <td>CVE-2017-0710</td>
+   <td>A-34951864<a href="#asterisk">*</a></td>
+   <td>EoP</td>
+   <td>Moderate</td>
+   <td>TCB</td>
+  </tr>
+</table>
+
 <h2 id="acknowledgements">Acknowledgements</h2>
 <p>We would like to thank these researchers for their contributions:</p>
 
@@ -1503,7 +1522,7 @@ Ltd.</td>
   </tr>
   <tr>
    <td>CVE-2017-0665</td>
-   <td><a href="mailto:arnow117@gmail.com">Hanxiang Wen</a>, Mingjian Zhou (<a
+   <td><a href="mailto:zc1991@mail.ustc.edu.cn">Chi Zhang</a>,<a href="mailto:arnow117@gmail.com">Hanxiang Wen</a>, Mingjian Zhou (<a
 href="//twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), and Xuxian Jiang
 of <a href="//c0reteam.org">C0RE Team</a></td>
   </tr>
@@ -1749,7 +1768,7 @@ site</a>.</p>
    <td>September 19, 2017</td>
    <td>Updated acknowledgements for CVE-2017-0710.</td>
   </tr>
-    <tr>
+  <tr>
    <td>1.5</td>
    <td>September 26, 2017</td>
    <td>Updated acknowledgements for CVE-2017-0681.</td>
diff --git a/en/security/bulletin/2017-09-01.html b/en/security/bulletin/2017-09-01.html
index 56c94f05..f4346d78 100644
--- a/en/security/bulletin/2017-09-01.html
+++ b/en/security/bulletin/2017-09-01.html
@@ -20,7 +20,7 @@
       See the License for the specific language governing permissions and
       limitations under the License.
   -->
-  <p><em>Published September 5, 2017 | Updated September 28, 2017</em></p>
+  <p><em>Published September 5, 2017 | Updated October 5, 2017</em></p>
 
 <p>The Android Security Bulletin contains details of security vulnerabilities
 affecting Android devices. Security patch levels of September 05, 2017 or later
@@ -1155,6 +1155,11 @@ Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), and
 Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a></td>
   </tr>
   <tr>
+  <td>CVE-2017-0755</td>
+  <td>Dawei Peng of Alibaba Mobile Security Team
+  (<a href="http://weibo.com/u/5622360291">weibo: Vinc3nt4H</a>)</td>
+  </tr>
+  <tr>
    <td>CVE-2017-0775, CVE-2017-0774, CVE-2017-0771</td>
    <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. Ltd.</td>
   </tr>
diff --git a/en/security/bulletin/2017-10-01.html b/en/security/bulletin/2017-10-01.html
index 6ca5f4f6..dce1e591 100644
--- a/en/security/bulletin/2017-10-01.html
+++ b/en/security/bulletin/2017-10-01.html
@@ -20,7 +20,7 @@
       See the License for the specific language governing permissions and
       limitations under the License.
   -->
-  <p><em>Published October 2, 2017</em></p>
+<p><em>Published October 2, 2017 | Updated October 3, 2017</em></p>
 
 <p>The Android Security Bulletin contains details of security vulnerabilities
 affecting Android devices. Security patch levels of October 05, 2017 or later
@@ -29,9 +29,9 @@ level, see <a href="https://support.google.com/pixelphone/answer/4457705#pixel_p
 Check &amp; update your Android version</a>.</p>
 
 <p>Android partners are notified of all issues at least a month before
-publication. Source code patches for these issues will be released
-to the Android Open Source Project (AOSP) repository in the next 48 hours.
-We will revise this bulletin with the AOSP links when they are available.</p>
+publication. Source code patches for these issues have been released to the
+Android Open Source Project (AOSP) repository and linked from this bulletin.
+This bulletin also includes links to patches outside of AOSP.</p>
 
 <p>The most severe of these issues is a critical severity vulnerability in media
 framework that could enable a remote attacker using a specially crafted file to
@@ -121,7 +121,7 @@ additional permissions.</p>
   </tr>
   <tr>
     <td>CVE-2017-0806</td>
-    <td>A-62998805</td>
+    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/b87c968e5a41a1a09166199bf54eee12608f3900">A-62998805</a></td>
     <td>EoP</td>
     <td>High</td>
     <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -148,42 +148,42 @@ a privileged process.</p>
   </tr>
   <tr>
     <td>CVE-2017-0809</td>
-    <td>A-62673128</td>
+    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/552a3b5df2a6876d10da20f72e4cc0d44ac2c790">A-62673128</a></td>
     <td>RCE</td>
     <td>Critical</td>
     <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
   </tr>
   <tr>
     <td>CVE-2017-0810</td>
-    <td>A-38207066</td>
+    <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/7737780815fe523ad7b0e49456eb75d27a30818a">A-38207066</a></td>
     <td>RCE</td>
     <td>Critical</td>
     <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
   </tr>
   <tr>
     <td>CVE-2017-0811</td>
-    <td>A-37930177</td>
+    <td><a href="https://android.googlesource.com/platform/external/libhevc/+/25c0ffbe6a181b4a373c3c9b421ea449d457e6ed">A-37930177</a></td>
     <td>RCE</td>
     <td>Critical</td>
     <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
   </tr>
   <tr>
     <td>CVE-2017-0812</td>
-    <td>A-62873231</td>
+    <td><a href="https://android.googlesource.com/device/google/dragon/+/7df7ec13b1d222ac3a66797fbe432605ea8f973f">A-62873231</a></td>
     <td>EoP</td>
     <td>High</td>
     <td>7.0, 7.1.1, 7.1.2, 8.0</td>
   </tr>
   <tr>
     <td>CVE-2017-0815</td>
-    <td>A-63526567</td>
+    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f490fc335772a9b14e78997486f4a572b0594c04">A-63526567</a></td>
     <td>ID</td>
     <td>Moderate</td>
     <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
   </tr>
   <tr>
     <td>CVE-2017-0816</td>
-    <td>A-63662938</td>
+    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f490fc335772a9b14e78997486f4a572b0594c04">A-63662938</a></td>
     <td>ID</td>
     <td>Moderate</td>
     <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -210,7 +210,8 @@ process.</p>
   </tr>
   <tr>
     <td>CVE-2017-14496</td>
-    <td>A-64575136</td>
+    <td><a href="https://android.googlesource.com/platform/external/dnsmasq/+/ff755ca73c98a1f2706fe86996e4bf6215054834">A-64575136</a>
+    [<a href="https://android.googlesource.com/platform/external/dnsmasq/+/68a974de72b5091ce608815a349daaeb05cdeab5">2</a>]</td>
     <td>RCE</td>
     <td>High</td>
     <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -502,6 +503,11 @@ Acknowledgements</a> page.</p>
    <td>October 2, 2017</td>
    <td>Bulletin published.</td>
   </tr>
+  <tr>
+   <td>1.1</td>
+   <td>October 3, 2017</td>
+   <td>Bulletin revised to include AOSP links.</td>
+  </tr>
 </table>
 </body>
 </html>
diff --git a/en/security/bulletin/pixel/2017-10-01.html b/en/security/bulletin/pixel/2017-10-01.html
index fd8eb49d..05e9d059 100644
--- a/en/security/bulletin/pixel/2017-10-01.html
+++ b/en/security/bulletin/pixel/2017-10-01.html
@@ -1,6 +1,6 @@
 <html devsite>
   <head>
-    <title>Pixel/Nexus Security Bulletin—October 2017</title>
+    <title>Pixel&hairsp;/&hairsp;Nexus Security Bulletin—October 2017</title>
     <meta name="project_path" value="/_project.yaml" />
     <meta name="book_path" value="/_book.yaml" />
   </head>
@@ -20,9 +20,9 @@
       See the License for the specific language governing permissions and
       limitations under the License.
   -->
-  <p><em>Published October 2, 2017</em></p>
+<p><em>Published October 2, 2017 | Updated October 3, 2017</em></p>
 
-<p>The Pixel/ Nexus Security Bulletin contains details of security vulnerabilities
+<p>The Pixel&hairsp;/&hairsp;Nexus Security Bulletin contains details of security vulnerabilities
 and functional improvements affecting
 <a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">
 supported Google Pixel and Nexus devices</a> (Google devices). For
@@ -56,16 +56,14 @@ Google Developer site</a>.</p>
 </ul>
 
 <h2 id="patches">Security patches</h2>
-Vulnerabilities are
-grouped under the component that they affect. There is a description of the
-issue and a table with the CVE, associated references,
+Vulnerabilities are grouped under the component that they affect. There is a
+description of the issue and a table with the CVE, associated references,
 <a href="#type">type of vulnerability</a>,
 <a href="/security/overview/updates-resources.html#severity">severity</a>,
 and updated Android Open Source Project (AOSP) versions (where applicable).
-When available, we link the public
-change that addressed the issue to the bug ID, like the AOSP change list. When
-multiple changes relate to a single bug, additional references are linked to
-numbers following the bug ID.</p>
+When available, we link the public change that addressed the issue to the bug
+ID, like the AOSP change list. When multiple changes relate to a single bug,
+additional references are linked to numbers following the bug ID.</p>
 
 <h3 id="framework">Framework</h3>
 
@@ -84,14 +82,15 @@ numbers following the bug ID.</p>
   </tr>
   <tr>
     <td>CVE-2017-0807</td>
-    <td>A-35056974</td>
+    <td>A-35056974<a href="#asterisk">*</a></td>
     <td>EoP</td>
     <td>High</td>
     <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
   </tr>
   <tr>
     <td>CVE-2017-0808</td>
-    <td>A-62301183</td>
+    <td><a href="https://android.googlesource.com/platform/libcore/+/809681f310663288e83587089abb7715c68f6924">A-62301183</a>
+    [<a href="https://android.googlesource.com/platform/libcore/+/100a8006a7baab1bb62820eb62577c0b0849fbc3">2</a>]</td>
     <td>ID</td>
     <td>Moderate</td>
     <td>7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -115,14 +114,14 @@ numbers following the bug ID.</p>
   </tr>
   <tr>
     <td>CVE-2017-0813</td>
-    <td>A-36531046</td>
+    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/7fa3f552a6f34ed05c15e64ea30b8eed53f77a41">A-36531046</a></td>
     <td>DoS</td>
     <td>Moderate</td>
     <td>7.0, 7.1.1, 7.1.2</td>
   </tr>
   <tr>
     <td rowspan="2">CVE-2017-0814</td>
-    <td rowspan="2">A-62800140</td>
+    <td rowspan="2"><a href="https://android.googlesource.com/platform/external/tremolo/+/eeb4e45d5683f88488c083ecf142dc89bc3f0b47">A-62800140</a></td>
     <td>ID</td>
     <td>Moderate</td>
     <td>7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -134,14 +133,14 @@ numbers following the bug ID.</p>
   </tr>
   <tr>
     <td>CVE-2017-0817</td>
-    <td>A-63522430</td>
+    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/d834160d9759f1098df692b34e6eeb548f9e317b">A-63522430</a></td>
     <td>ID</td>
     <td>Moderate</td>
     <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
   </tr>
   <tr>
     <td rowspan="2">CVE-2017-0818</td>
-    <td rowspan="2">A-63581671</td>
+    <td rowspan="2"><a href="https://android.googlesource.com/platform/frameworks/av/+/d07f5c14e811951ff9b411ceb84e7288e0d04aaf">A-63581671</a></td>
     <td>NSI</td>
     <td>NSI</td>
     <td>7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -153,7 +152,7 @@ numbers following the bug ID.</p>
   </tr>
   <tr>
     <td rowspan="2">CVE-2017-0819</td>
-    <td rowspan="2">A-63045918</td>
+    <td rowspan="2"><a href="https://android.googlesource.com/platform/external/libhevc/+/87fb7909c49e6a4510ba86ace1ffc83459c7e1b9">A-63045918</a></td>
     <td>NSI</td>
     <td>NSI</td>
     <td>7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -165,7 +164,7 @@ numbers following the bug ID.</p>
   </tr>
   <tr>
     <td rowspan="2">CVE-2017-0820</td>
-    <td rowspan="2">A-62187433</td>
+    <td rowspan="2"><a href="https://android.googlesource.com/platform/frameworks/av/+/8a3a2f6ea7defe1a81bb32b3c9f3537f84749b9d">A-62187433</a></td>
     <td>NSI</td>
     <td>NSI</td>
     <td>7.0, 7.1.1, 7.1.2, 8.0</td>
@@ -194,14 +193,14 @@ numbers following the bug ID.</p>
   </tr>
   <tr>
     <td>CVE-2017-0822</td>
-    <td>A-63787722</td>
+    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/c574568aaede7f652432deb7707f20ae54bbdf9a">A-63787722</a></td>
     <td>EoP</td>
     <td>Moderate</td>
     <td>6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td>
   </tr>
   <tr>
     <td>CVE-2017-0823</td>
-    <td>A-37896655</td>
+    <td><a href="https://android.googlesource.com/platform/hardware/ril/+/cd5f15f588a5d27e99ba12f057245bfe507f8c42">A-37896655</a></td>
     <td>ID</td>
     <td>Moderate</td>
     <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td>
@@ -670,6 +669,11 @@ are not required for declaring a security patch level.
    <td>October 2, 2017</td>
    <td>Bulletin published.</td>
   </tr>
+  <tr>
+   <td>1.1</td>
+   <td>October 3, 2017</td>
+   <td>Bulletin revised to include AOSP links.</td>
+  </tr>
 </table>
 </body>
 </html>
diff --git a/en/security/overview/acknowledgements.html b/en/security/overview/acknowledgements.html
index d444a357..2179f646 100644
--- a/en/security/overview/acknowledgements.html
+++ b/en/security/overview/acknowledgements.html
@@ -153,6 +153,11 @@ href="http://c0reteam.org/">C0RE Team</a></td>
    <td>CVE-2017-0397, CVE-2017-0405, CVE-2017-0410, CVE-2017-0826</td>
   </tr>
   <tr>
+  <td>Dawei Peng of Alibaba Mobile Security Team
+    (<a href="http://weibo.com/u/5622360291">weibo: Vinc3nt4H</a>)</td>
+  <td>CVE-2017-0755</td>
+  </tr>
+  <tr>
    <td>Daxing Guo (<a href="https://twitter.com/freener0">@freener0</a>) of
 Xuanwu Lab, Tencent</td>
    <td>CVE-2017-0386, CVE-2017-0553, CVE-2017-0585, CVE-2017-0706</td>
author	Android Partner Docs <noreply@android.com>	2017-10-11 14:15:38 -0700
committer	Clay Murphy <claym@google.com>	2017-10-11 19:19:53 -0700
commit	640dc96c73017d3bd2e2c507adcff02046ccfd3f (patch)
tree	25296dfcb38dae95ee022015e64e78bbe646ff9c /en/security
parent	4ede9c52630a6da877e7ca9c1c3801a34ddb7179 (diff)
download	source.android.com-640dc96c73017d3bd2e2c507adcff02046ccfd3f.tar.gz