Spurious CVE-2015-6616 on Cyanogenmod 11.0

[HenkPoley]

Got the result that cm-11-20160523-NIGHTLY-crespo (Android 4.4.4 on Nexus S) is vulnerable to CVE-2015-6616. So I checked if CVE-2015-6616 is applied in cm-11.0 nightly:

ANDROID-24630158 is applied in cm-11.0: CyanogenMod/android_frameworks_av@c4f36d3

ANDROID-23882800 is applied in cm-11.0: CyanogenMod/android_frameworks_av@9b2a7f2

ANDROID-17769851 is applied in cm-11.0: CyanogenMod/android_frameworks_av@5873008

ANDROID-24441553 is applied in cm-11.0: CyanogenMod/android_frameworks_av@fbf2cec

ANDROID-24157524 should not be necessary in cm-11.0

Maybe your check is incorrect (on older Android) ?

[SteadyQuad]

see here: #128

[m00head]

This issue can now be closed because #128 has been merged.

[xpduyson]

Just checked today with my self-build cm-11.0 with lasted Lineage OS source, still vulnerable to CVE-2015-6616.

All needed patch for 4.4.4 are merged:
ANDROID-24630158: https://review.lineageos.org/63085
ANDROID-23882800: https://review.lineageos.org/63088
ANDROID-17769851: https://review.lineageos.org/63089
ANDROID-24441553: https://review.lineageos.org/63083

[SteadyQuad]

The latest official apk on https://github.com/AndroidVTS/android-vts/releases seems to be from december 2015, so that one won't have the CVE-2015-6616 fix from #128 . I'm not aware of any recent builds, but you can build the apk yourself from source with the build instructions at: https://github.com/AndroidVTS/android-vts/blob/master/Readme.md

[z3ntu]

A prebuilt APK with #128 is available at #38 (comment)