SUSE has issued an advisory on June 21:
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004212.html

Mageia 5 and Mageia 6 are also affected. These sound like relatively minor issues (affecting a deprecated tool).
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Will this be in Mageia 6 as a backport or a security update? bluez-5.50-1 may also fix an issue reported in the Spanish forums.
Security updates are done as updates, not backports. It'll likely be patched if possible (if anyone ever decides to try to fix this) rather than updated, but we'll see.
openSUSE has issued an advisory for this on December 23: https://lists.opensuse.org/opensuse-updates/2018-12/msg00119.html
Whiteboard: (none) => MGA6TOO
Summary: bluez new security issues CVE-2016-9800 and CVE-2016-9804 => bluez new security issues CVE-2016-9800, CVE-2016-9801, and CVE-2016-9804
Advisory:
========================

Updated bluez packages fix security vulnerabilities:

A buffer overflow in pin_code_reply_dump function (CVE-2016-9800).

A buffer overflow in set_ext_ctrl function (CVE-2016-9801).

A buffer overflow in commands_dump function (CVE-2016-9804).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9804
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004212.html
https://lists.opensuse.org/opensuse-updates/2018-12/msg00119.html
========================

Updated packages in core/updates_testing:
========================
bluez-5.45-2.2.mga6
bluez-cups-5.45-2.2.mga6
bluez-hid2hci-5.45-2.2.mga6
libbluez3-5.45-2.2.mga6
libbluez-devel-5.45-2.2.mga6

from bluez-5.45-2.2.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues. Rumbled around and found out this laptop does not have bluetooth on board. At least it does not break down my wifi connection or anything else.
CC: (none) => herman.viaene
Re comment 6. That's alright Herman. I have several bluetooth sources and receivers so do usually test bluez. Sometime this evening maybe for 64-bit. Thanks for looking at it.
CC: (none) => tarazed25
Mageia 6 XFCE, 32bit, installed, stopped and launched the bluetooth applet. I don't detect issues.
Mageia 6, x86_64 Bluetooth already working before. Stopped the panel applet. Updated the five packages. Started bluetooth from the panel and switched on an external bluetooth speaker and connected immediately. It is also detecting somebody's smartphone and since I do not possess one it must be a neighbour's. This looks good for 64-bits but there is a mobile printer that could be tested. The bluetooth connection died some time ago in the middle of printing a page but it might be worth checking.
Following on from comment 9: Nope, no response from the mobile printer - USB only. @katnatek: adding the 32-bit OK for your and Herman's tests.
Whiteboard: (none) => MGA6-32-OK MGA-64-OK
Darn it. Forgot to check the CVEs. There are POC tests available. Unfortunately the files are base64 encoded so some research is needed there. The last time I tried anything like that a php script was used to decode the data.
Moved to another machine for pre-update testing.
Installed blueman then called blueman-applet - found local USB bluetooth adapter.

Found 10 POC at https://www.spinics.net/lists/linux-bluetooth/msg68892.html
"multiple buffer overflows and out-of-bound reads"
10 base64 encoded data files were provided which needed to be converted to useful data.
$ echo '<base64 data blob>' > poc<n>.64
$ base64 -d poc<n>.64 > poc.<n>

Test procedure:
$ hcidump -a -r poc.<n>

poc.1 Generated a stream of messages - all "Unrecognized type 0"
poc.2 Lots of messages with "unknown type" but terminated gracefully.
poc.3 buffer overflow -> ABORT and core dump
poc.4 Various errors ending with unknown type.
poc.5 overflow -> ABORT
poc.6 A "Command rej" message, Unexpected syntax and several unknown types.
poc.7 double free or corruption -> ABORT
poc.8 Unexpected syntax but exited gracefully.
poc.9 A stack of "Unknown (type 00, len 0)"
poc.10 Various failures and several unknown types.

Under asan upstream all these tests aborted.
----------------------------------------------------------------------------
Updated the packages.
Afterwards.
poc.1 Generated a stream of messages - all "Unrecognized type 0" Same as before. Good.
poc.2 Lots of messages with "unknown type" but terminated gracefully. Same as before. Good.
poc.3 Analysis succeeded. Error: Unexpected syntax. Good.
poc.4 One error: Parameter out of Mandatory Range - tidy exit. Good.
poc.5 Packet analyzer had no trouble with this. Good.
poc.6 Same as before. Unexpected syntax and unknown type. Looks good.
poc.7 double free or corruption -> ABORT Not good.
poc.8 Same as before. Good.
poc.9 Same as before. Good.
poc.10 Failure - rejected (no reason provided) Segmentation fault (core dumped) Not good.

These tests seem to be filed against CVE-2016-980{0,1,4}. SUSE links to a couple of POC for 9804 and CVE-2016-7837 but comparison of file sizes indicates that these are the same as files used here.
There are two outright failures in this series, for 7 and 10. ??
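The before/after PoC run described in the comment above, as an added example that is not part of the original thread: a POSIX shell harness that records how the parser exits on each file, so the two runs can be diffed. The function names, the script name and `fake_parser` (a constructed stand-in so the script runs without bluez) are assumptions of this example; the real command from the thread is `hcidump -a -r`.

```sh
#!/bin/sh
# Added example: record how a capture parser exits on each PoC file so the
# verdicts before and after a package update can be diffed.

# Map an exit status to a verdict. A status above 128 means the process was
# killed by signal (status - 128); on Linux 6 is SIGABRT and 11 is SIGSEGV.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        134) echo "ABORT" ;;
        139) echo "SEGV" ;;
        *)   if [ "$1" -gt 128 ]; then echo "signal-$(( $1 - 128 ))"
             else echo "exit-$1"; fi ;;
    esac
}

# $1 = capture file, remaining arguments = parser command line.
run_one() {
    file=$1; shift
    rc=0
    "$@" "$file" >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# $1 = parser command (word-split on purpose), rest = capture files.
# Prints "<file> <verdict>" per file; returns 1 if any run died on a signal.
run_all() {
    parser=$1; shift
    crashed=0
    for f in "$@"; do
        verdict=$(run_one "$f" $parser)
        printf '%s %s\n' "${f##*/}" "$verdict"
        case "$verdict" in ABORT|SEGV|signal-*) crashed=1 ;; esac
    done
    return "$crashed"
}

# Constructed stand-in for the real tool so the script runs offline: it
# "crashes" according to the file's content instead of parsing it.
fake_parser() {
    case "$(cat "$1")" in
        abort) sh -c 'kill -ABRT $$' ;;
        segv)  sh -c 'kill -SEGV $$' ;;
    esac
}

# Usage with the command from the thread: sh poc-check.sh poc.*
if [ "$#" -gt 0 ]; then run_all "hcidump -a -r" "$@"; fi
```

Saving the output once before and once after the update and running `diff` on the two files shows exactly which PoC files changed verdict.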
On second thoughts, noting David's remark about a deprecated tool maybe we should just pass this on the basis of the successful utility tests and 4:1 success with the POC. Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK MGA-64-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0052.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED