====================================================================
                           CERT-Renater

               Note d'Information No. 2020/VULN278
_____________________________________________________________________

DATE                 : 18/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Android running Samsung Qmage codec for Android
                     Skia library.

=====================================================================
https://kb.cert.org/vuls/id/366027/
_____________________________________________________________________

Samsung Qmage codec for Android Skia library does not properly validate image files

Vulnerability Note VU#366027
Original Release Date: 2020-05-14 | Last Revised: 2020-05-15

Overview

The Samsung Qmage codec used in the Android Skia library does not properly validate image files. A number of memory corruption vulnerabilities allow an attacker to execute arbitrary code by causing a vulnerable system to parse a Qmage file.

Description

The Samsung May 2020 Android Security Update notes that "a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution." Samsung identifies this vulnerability as SVE-2020-16747, more commonly known as CVE-2020-8899.

Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code that Samsung added to the Android Skia library and identified 5218 uniquely crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable system.

Samsung notes that versions O(8.X), P(9.0), Q(10.0) are affected.

Impact

Exploitation of this vulnerability permits a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Solution

Apply an update

Samsung has released fixes in the May 2020 Android Security Update.

Vendor Information

Samsung
Updated: May 14, 2020
Status: Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.
Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security.samsungmobile.com/securityUpdate.smsb

CVSS Metrics

Group          Score   Vector
Base           10      AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8     E:POC/RL:OF/RC:ND
Environmental  7.8     CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

https://bugs.chromium.org/p/project-zero/issues/detail?id=2002
https://security.samsungmobile.com/securityUpdate.smsb
https://www.youtube.com/watch?v=nke8Z3G4jnc

Acknowledgements

This vulnerability was published by Mateusz Jurczyk at Google Project Zero.

This document was written by Eric Hatleback.

Other Information

CVE IDs:              CVE-2020-8899
Date Public:          2020-01-28
Date First Published: 2020-05-14
Date Last Updated:    2020-05-15 14:53 UTC
Document Revision:    12

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================