Bug 29694

Summary: bluez new security issues CVE-2021-41229 and CVE-2021-43400
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: bluez-5.55-3.2.mga8.src.rpm CVE: CVE-2021-41229, CVE-2021-43400
Status comment:

Description David Walser 2021-11-25 01:09:35 CET 
Ubuntu has issued an advisory on November 23:
https://ubuntu.com/security/notices/USN-5155-1

The issues are fixed upstream in 5.62.
David Walser 2021-11-25 01:09:52 CET

Status comment: (none) => Fixed upstream in 5.62
CC: (none) => nicolas.salguero

Comment 1 Nicolas Salguero 2021-11-25 09:24:31 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash. (CVE-2021-41229)

An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call. (CVE-2021-43400)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43400
https://ubuntu.com/security/notices/USN-5155-1
========================

Updated packages in core/updates_testing:
========================
bluez-5.55-3.3.mga8
bluez-cups-5.55-3.3.mga8
bluez-hid2hci-5.55-3.3.mga8
bluez-mesh-5.55-3.3.mga8
lib(64)bluez3-5.55-3.3.mga8
lib(64)bluez-devel-5.55-3.3.mga8

from SRPM:
bluez-5.55-3.3.mga8.src.rpm

CVE: (none) => CVE-2021-41229, CVE-2021-43400
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 5.62 => (none)

Comment 2 Len Lawrence 2021-11-25 18:29:52 CET 
mga8, x64

BlueZ stack installed - USB BT audio device working.  Added an HP Officejet 100 mobile printer and printed A5 and A4 test pages via CUPS.

Updated the six packages using qarepo and MageiaUpdate.  rfkill prompt came up immediately - all it needed was the root password.  BT audio speaker connected immediately.  Printed an ODT document from LibreOffice on the bluetooth printer without any reconfiguration.

Sample of applications requiring lib64bluez3:
anyremote
ardour
blueman
guitarix
gypsy
kodi

blueman was used originally to add the BT widget in the Mate panel and manage bluetooth services.  None of the others is installed.  Installed ardour without any idea what it was.  
Ran a trace on ardour6 and opened an empty project in the vain hope that some bluetooth plugin might register but there was nothing.

However, bluetooth continues to work, with no regressions.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-11-27 00:04:50 CET 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-01 22:25:08 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-12-02 17:50:45 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0532.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED