Bug 21904 - bluez new security issue CVE-2016-7837
Summary: bluez new security issue CVE-2016-7837
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2017-10-20 21:45 CEST by David Walser
Modified: 2017-11-19 11:24 CET (History)
3 users (show)

See Also:
Source RPM: bluez-5.28-1.1.mga5.src.rpm
Status comment:


Description David Walser 2017-10-20 21:45:09 CEST
openSUSE has issued an advisory today (October 20):

The fix was included in 5.42 upstream, so Mageia 6 already has it.

The SUSE bug has a link to the commit that fixed it:
Comment 1 Marja Van Waes 2017-10-21 13:19:16 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2017-11-10 22:50:43 CET
Patched package uploaded for Mageia 5.


Updated bluez packages fix security vulnerability:

Buffer overflow in parse_line function in the csr tool (CVE-2016-7837).


Updated packages in core/updates_testing:

from bluez-5.28-1.2.mga5.src.rpm

Assignee: shlomif => qa-bugs

Comment 3 Len Lawrence 2017-11-12 22:21:57 CET
Mageia 5 on x86_64

Tested bluez via blueman before updating, just bluez and lib64bluez3 installed.  Paired with a wireless speaker using the panel icon.  bluetoothctl running in a terminal.

Updated the packages and installed: 

Installed the blueman applet in the panel.
$ blueman-applet &
Detected the USB bluetooth adaptor.
Set it to be 'Always visible'.
The bt speaker was listed and it paired in trusted mode as soon as it was switched on.  Connected it to the audio sink and played a downloaded video from Voices of Music using mplayer-ruby via a home-made jukebox.
blueman reported two rates, one up and one down (?) 41 KB/s and 200 B/s.
Device added and connected successfully.

There is an HP bluetooth printer here but I have had little success in the past trying to run it wirelessly.  Shall try that later.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-11-13 11:41:03 CET
Continuing from comment 3.
Added a bluetooth printer successfully and printed a test page.
Note to self: Sometime the Mageia wiki should be updated to reflect bluetooth support.
For the moment:
When adding a bluetooth cups printer via mcc -> hardware choose URI in search mode and specify bluetooth://<MAC address>/spp as the URI.
'hcitool scan' should return the MAC address if the printer is discoverable.  Remove the colons : from the string when typing the URI.
$ hcitool scan
Scanning ...
	30:8D:99:E7:87:F9	OJL411MY573F10P4

OJL411MY573F10P4 is the vendor identification for the HP Officejet 100 used here.
The URI would be 'bluetooth://308d99e787f9/spp'

In my case the CUPS identification for the printer is deneb.
$ lpr -Pdeneb report
printed a text file using the default Courier font.

This confirms that the update is OK for 64 bits.
Len Lawrence 2017-11-13 11:41:40 CET

Whiteboard: (none) => MGA5-64-OK

Lewis Smith 2017-11-18 21:13:32 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-11-19 11:24:27 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.