
Product name: JNY-LX1
Commercial Name: HUAWEI P40 lite
Confidentiality level: CONFIDENTIAL
Total 9 pages

XXX Software Release Notes Vx.y

Prepared by: JNY Team, Date: 2020-04-02
Reviewed by: JNY Team, Date: 2020-04-02
Approved by: JNY Team, Date: 2020-04-02

Huawei Technologies Co., Ltd.

All rights reserved


Revision Record

| Date | Revision version | Change Description | Author |
|---|---|---|---|
| 2020-04-02 | 1.0 | RN build | wuqingxin wx231819 |

Table of Contents
1 Version Description
2 New Features
3 Improvement from the Previous Version
4 Known Limitations and Issues
5 Software Vulnerabilities Fixes

1 Version Description
Model: JNY-LX1
Build number: 10.0.1.167(C185E3R3P1), 10.0.1.167(C185E3R2P1)
Previous released number: 10.0.1.117(C185E2R2P1)
IMEI SV: 03
OS version: Android 10
EMUI version: 10.0.1
CPU: Huawei Kirin 810
Android security patch: 1 April 2020
Baseband version: 21C20B080S000C000,21C20B080S000C000
Kernel Version: 4.14.116 android@localhost#1 Wed Apr 1 10:50:07 CST 2020
Version Type: MR2

2 New Features
| Index | Feature Description |
|---|---|
| 1 | Optimize video playback experience. |
| 2 | Optimize system stability. |
| 3 | Incorporate Android April 2020 security patch to enhance the security of mobile phone systems. |
| 4 | Add some Applications: MicrosoftBing.apk, Translator.apk, TrainPal.apk, AliExpress.apk, Qwant.apk. MicrosoftBing.apk: Preinstall for all regions. Translator.apk: Preinstall for all regions. TrainPal.apk: Preinstall for UK, France, Germany, Italy, Spain except Altice, France SFR(20810), France Orange(20801). AliExpress.apk: Preinstall for all regions except Switzerland, France SFR(20810), Portugal(26806), France Orange(20801). Qwant.apk: Preinstall for France, Italy, Germany. |

3 Improvement from the Previous Version
| Index | Issue Description |
|---|---|
| 1 | NA |

4 Known Limitations and Issues


| Index | Issue Description | Remarks |
|---|---|---|
| 1 | Wifi on, location off: when using huawei web and searching for a location, the map keeps loading and the phone doesn’t ask for location to be turned on. Wifi on, location on: when using huawei web and searching for a location, the map opens but I cannot use the direction as I am automatically directed to "map" app to be installed. Even when installed, the app still doesn't work. | NA |
| 2 | When using the emoji keyboard, the upper part of the emoticon is blocked. | NA |
| 3 | Middle East non-Muslim alarm clock can’t be enabled in the vertical mode while it can be enabled in landscape mode. | NA |
| 4 | Phone number entered in mobile memo cannot be recognized. | |

5 Software Vulnerabilities Fixes


Vulnerability information is available by CVE ID on the NVD (National Vulnerability Database) website:
http://web.nvd.nist.gov/view/vuln/search
#4 Google Security Patch: April.2020

| Software/Module name | Version | CVE ID | Vulnerability Description | Impact Description |
|---|---|---|---|---|
| Platform | 9, 10 | CVE-2020-0079 | In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds write due to stale pointer. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the base pointer used to set the destination. |
| Platform | 9, 10 | CVE-2020-0078 | In releaseSecureStops of DrmPlugin.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add the missing bounds check. |
| FPC components | NA | CVE-2020-0077 | In authorize_enroll of the FPC IRIS TrustZone app, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks. |
| FPC components | NA | CVE-2020-0076 | In get_auth_result of the FPC IRIS TrustZone app, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks. |
| FPC components | NA | CVE-2020-0075 | In set_shared_key of the FPC IRIS TrustZone app, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2020-0074 | In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to revoke 'always' web handler status when app no longer uses autoVerify. |
| Kernel | NA | CVE-2019-19524 | In ml_ff_destroy of ff-memless.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege if a malicious USB device is used, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to clean up an effect timer. |
| Kernel | NA | CVE-2019-19532 | In many initialization functions of many drivers in drivers/hid, there are possible out of bounds writes due to a missing check for an empty list. These could lead to local escalation of privilege if using a malicious USB driver, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to check if the driver's input lists are empty before using them. |
| Kernel | NA | CVE-2019-19807 | In snd_timer_open of timer.c, there is a possible code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to not re-use variables for temporary checks. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2020-0073 | In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over NFC with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add the missing bounds check. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2020-0072 | In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over NFC with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add the missing bounds check. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2020-0071 | In rw_t2t_extract_default_locks_info of rw_t2t_ndef.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over NFC with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add the missing bounds check. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2020-0070 | In rw_t2t_update_lock_attributes of rw_t2t_ndef.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over NFC with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add the missing bounds check. |
| MediaTek components | NA | CVE-2020-0091 | In mnld, there is a possible information disclosure due to an exposed network socket. This could lead to remote information disclosure of the user's location with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to remove externally accessible sockets. |
| MediaTek components | NA | CVE-2020-0090 | In com.mediatek.email.backuprestore.EmailBackupRestoreReceiver, there is a possible disclosure of emails due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to remove the Email Backup feature and related code. |
| MediaTek components | NA | CVE-2020-0065 | In com.mediatek.apst.target.receiver.DaemonReceiver, there is possible access to private user data due to a permissions bypass. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to remove the vulnerable app. |
| MediaTek components | NA | CVE-2020-0064 | In the OMACP app, there is a possible disclosure of provisioning data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to limit the provisioning data to access only by preloaded system apps that declare the required permission. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2019-5018 | In lookupName of resolve.c, there is a possible code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to ensure that aliased window functions are not used within aggregate functions. Notes: Android 8.1 - This patch is provided for completeness. Partners on 8.1 with an SPL of 2019-03-01 or greater are already patched and do not need to re-apply this fix. Android 9 - To fully patch Android 9, partners should apply the original fix and supplemental patch, both of which are found in the bulletin zip file. This resolves the previously identified functional regression. Android 8.0, 10 - This patch did not cause a functional regression and has not changed from the previously released version. For partners who have previously applied and retained this patch there is no action. For Partners who have not previously applied the patch it is required as part of SPL 2020-04-01. These instructions also apply to CVE-2019-8457 and CVE-2019-9936 below. |
| Platform | 10 | CVE-2020-0080 | In onOpActiveChanged and related methods of AppOpsControllerImpl.java, there is a possible way to display an app overlaying other apps without the notification icon that it's overlaying. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. | The fix is designed to prevent sending early termination of appop use. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2020-0081 | In finalize of AssetManager.java, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to set the pointer to zero after freeing. |
| Platform | 10 | CVE-2019-2056 | There is a possible disclosure of RAM using a shared crypto key due to improperly used crypto. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | In device configurations, zram writeback must be disabled. An example code snippet can be found in the zip file. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2019-8457 | In rtreenode of rtree.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to replace the fixed-size stack buffer with a dynamically-resized string. |
| Platform | 10 | CVE-2020-0082 | In ExternalVibration of ExternalVibration.java, there is a possible activation of an arbitrary intent due to unsafe deserialization. This could lead to local escalation of privilege to system_server with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to remove excessive serialization of Audio Attributes. |
| Platform | 8.0, 8.1, 9, 10 | CVE-2019-9936 | In fts5HashEntrySort of fts5_hash.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add the missing bounds check. |
