Bug 27486

Summary: bluez new security issue CVE-2020-27153
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: bluez-5.54-1.mga7.src.rpm CVE: CVE-2020-27153
Status comment:

Description David Walser 2020-10-29 16:54:53 CET
Debian-LTS has issued an advisory on October 21:
https://www.debian.org/lts/security/2020/dla-2410

The issue is fixed upstream in 5.55.
David Walser 2020-10-29 16:55:02 CET

CC: (none) => nicolas.salguero

Comment 1 David Walser 2020-10-29 16:55:53 CET
If there's a fix for Bug 27314, we'd want to include that too.

Assignee: bugsquad => shlomif

Comment 2 David Walser 2020-10-29 17:22:36 CET
SUSE has issued an advisory for this on October 26:
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007623.html

Comment 3 David Walser 2020-11-11 00:49:14 CET
openSUSE has issued an advisory for this on November 9:
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00036.html

Comment 4 Nicolas Salguero 2020-11-13 09:19:07 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event. (CVE-2020-27153)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27153
https://www.debian.org/lts/security/2020/dla-2410
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007623.html
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00036.html
========================

Updated packages in core/updates_testing:
========================
bluez-5.54-1.1.mga7
bluez-cups-5.54-1.1.mga7
bluez-hid2hci-5.54-1.1.mga7
lib(64)bluez3-5.54-1.1.mga7
lib(64)bluez-devel-5.54-1.1.mga7

from SRPM:
bluez-5.54-1.1.mga7.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-27153
Assignee: shlomif => qa-bugs

Comment 5 Aurelien Oudelet 2020-11-13 18:16:48 CET
Mageia 7 Plasma x86_64
This update installs:
bluez-5.54-1.1.mga7
bluez-cups-5.54-1.1.mga7
bluez-hid2hci-5.54-1.1.mga7
lib(64)bluez3-5.54-1.1.mga7

Installation OK.
Reboot is fine.
Using a Bluetooth Headphone is OK:
Unpairing it, then pairing it, is OK.
Playing some music through this device is OK.

Pairing smartphone is OK.
M7 system plays sounds from my Xiaomi Smartphone while receiving notifications.
Audio phone calls through Bluetooth are OK too.

MGA7-64-OK
Validating this update. Packages and Advisory in Comment 4.
Advisory pushed to SVN.

(In reply to David Walser from comment #1)
> If there's a fix for Bug 27314, we'd want to include that too.
Reported upstream for Bluez 5.55.
https://github.com/bluez/bluez/issues/51

CC: (none) => ouaurelien, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2020-11-13 22:22:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0419.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED