Bug 30015

Summary: bluez new security issue CVE-2022-0204
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: bluez-5.55-3.3.mga8.src.rpm CVE: CVE-2022-0204
Status comment:

Description David Walser 2022-02-08 22:19:10 CET 
Ubuntu has issued an advisory today (February 8):
https://ubuntu.com/security/notices/USN-5275-1

The issue is fixed upstream in 5.63.
David Walser 2022-02-08 22:19:27 CET

Status comment: (none) => Fixed upstream in 5.63
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2022-02-09 09:26:25 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Ziming Zhang discovered that BlueZ incorrectly handled memory write operations in its gatt server. A remote attacker could possibly use this to cause BlueZ to crash leading to a denial of service, or potentially remotely execute code. (CVE-2022-0204)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0204
https://ubuntu.com/security/notices/USN-5275-1
========================

Updated packages in core/updates_testing:
========================
bluez-hid2hci-5.55-3.4.mga8
bluez-cups-5.55-3.4.mga8
lib(64)bluez3-5.55-3.4.mga8
lib(64)bluez-devel-5.55-3.4.mga8
bluez-mesh-5.55-3.4.mga8
bluez-5.55-3.4.mga8

from SRPM:
bluez-5.55-3.4.mga8.src.rpm

Status comment: Fixed upstream in 5.63 => (none)
CVE: (none) => CVE-2022-0204
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2022-02-09 16:20:37 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues
Ref bug 25969, connecting to my own Nokia 1 smartphonegets setup OK, bt fle transfer is not possible.
Tried the sam exerciseto my wife's Galaxy A 12, and file transfer works OK.
Good enough for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-02-11 15:39:57 CET 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-12 17:26:32 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-02-12 18:32:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0058.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED