Bug 31018

Summary: bluez security issue(s) (lp#1977968) (CVE-2022-3917[67]) missing one additional fix
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: bluez-5.55-3.6.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-10-24 17:51:35 CEST 
+++ This bug was initially created as a clone of Bug #30556 +++

Ubuntu has issued an advisory on June 15:
https://ubuntu.com/security/notices/USN-5481-1

The issues are fixed upstream in 5.60.

Debian-LTS has issued an advisory for this today (October 24):
https://www.debian.org/lts/security/2022/dla-3157

We already included three of the four commits in Bug 30556, but there was an additional commit in 5.61 for this:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e21680c9355a0f9d5ef6d4a5ae032de274e87b37

and there are now CVEs for this.
Comment 1 David Walser 2022-10-26 19:00:45 CEST 
There's also CVE-2016-9803, which was apparently never fixed upstream, so we can fix that too since SUSE has a fix:
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012661.html
Comment 2 Nicolas Salguero 2022-11-02 13:39:58 CET 
For Mga8, I added the missing commit in SVN.

I cannot find, for the moment, the patch for CVE-2016-9803.
Comment 4 Nicolas Salguero 2022-11-02 14:14:09 CET 
Thanks for the link!

After trying to apply the patch, either on Cauldron or on Mga8, I got the error saying that the patch was already applied.  Reading the code confirms the fact that the code already contains the fix for CVE-2016-9803.
Comment 5 Nicolas Salguero 2022-11-02 14:20:45 CET 
Suggested advisory:
========================

The updated packages add one additional fix for security vulnerabilities.

References:
https://ubuntu.com/security/notices/USN-5481-1
https://www.debian.org/lts/security/2022/dla-3157
========================

Updated packages in core/updates_testing:
========================
bluez-5.55-3.7.mga8
bluez-cups-5.55-3.7.mga8
bluez-hid2hci-5.55-3.7.mga8
bluez-mesh-5.55-3.7.mga8
lib(64)bluez3-5.55-3.7.mga8
lib(64)bluez-devel-5.55-3.7.mga8

from SRPM:
bluez-5.55-3.7.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 6 Herman Viaene 2022-11-04 15:26:47 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
This laptop should have a working bluetooth (Broadcom wifi), but I cann't get it to work. bluetoothd runs, bur 
# bluetoothctl 
Waiting to connect to bluetoothd...
and Godot is still not there.....
Giving up for others with a working setup. Here no other impact on the system.

CC: (none) => herman.viaene

Comment 7 Len Lawrence 2022-11-04 15:42:15 CET 
mga8, x64
Updated these without issues.
# systemctl restart bluetooth
Used the blueman icon to restore the connection to  a bluetooth speaker.
pavucontrol to configure the audio connection and all was well.

It is not always this easy but seems to be OK this time.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2022-11-04 22:55:22 CET 
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-08 15:52:55 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2022-11-08 20:45:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0411.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED