Bug 23219 - bluez new security issues CVE-2016-9800, CVE-2016-9801, and CVE-2016-9804
Summary: bluez new security issues CVE-2016-9800, CVE-2016-9801, and CVE-2016-9804
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-22 20:53 CEST by David Walser
Modified: 2019-01-30 20:40 CET (History)

See Also:
Source RPM: bluez-5.50-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-06-22 20:53:02 CEST
SUSE has issued an advisory on June 21:
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004212.html

Mageia 5 and Mageia 6 are also affected.

These sound like relatively minor issues (affecting a deprecated tool).
Comment 1 Marja Van Waes 2018-06-22 21:42:03 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 katnatek 2018-11-10 22:58:59 CET
Will this be in Mageia 6 as a backport or a security update?
bluez-5.50-1 may also fix an issue reported in the Spanish forums.
Comment 3 David Walser 2018-11-10 23:10:14 CET
Security updates are done as updates, not backports.  It'll likely be patched if possible (if anyone ever decides to try to fix this) rather than updated, but we'll see.
Comment 4 David Walser 2018-12-26 03:40:34 CET
openSUSE has issued an advisory for this on December 23:
https://lists.opensuse.org/opensuse-updates/2018-12/msg00119.html

Whiteboard: (none) => MGA6TOO
Summary: bluez new security issues CVE-2016-9800 and CVE-2016-9804 => bluez new security issues CVE-2016-9800, CVE-2016-9801, and CVE-2016-9804

Comment 5 David Walser 2019-01-21 03:28:00 CET
Advisory:
========================

Updated bluez packages fix security vulnerabilities:

A buffer overflow in pin_code_reply_dump function (CVE-2016-9800).

A buffer overflow in set_ext_ctrl function (CVE-2016-9801).

A buffer overflow in commands_dump function (CVE-2016-9804).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9804
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004212.html
https://lists.opensuse.org/opensuse-updates/2018-12/msg00119.html
========================

Updated packages in core/updates_testing:
========================
bluez-5.45-2.2.mga6
bluez-cups-5.45-2.2.mga6
bluez-hid2hci-5.45-2.2.mga6
libbluez3-5.45-2.2.mga6
libbluez-devel-5.45-2.2.mga6

from bluez-5.45-2.2.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs

Comment 6 Herman Viaene 2019-01-23 15:23:06 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Rumbled around and found out this laptop does not have bluetooth on board. At least it does not break down my wifi connection or anything else.

CC: (none) => herman.viaene

Comment 7 Len Lawrence 2019-01-23 20:00:23 CET
Re comment 6.
That's alright Herman.  I have several bluetooth sources and receivers so I do usually test bluez.  Sometime this evening maybe for 64-bit.
Thanks for looking at it.

CC: (none) => tarazed25

Comment 8 katnatek 2019-01-23 21:02:38 CET
Mageia 6 XFCE, 32bit, installed, stop and launch the bluetooth applet
I don't detect issues.
Comment 9 Len Lawrence 2019-01-23 21:27:46 CET
Mageia 6, x86_64
Bluetooth already working before.  Stopped the panel applet.
Updated the five packages.
Started bluetooth from the panel and switched on an external bluetooth speaker and connected immediately.
It is also detecting somebody's smartphone and since I do not possess one it must be a neighbour's.
This looks good for 64-bits but there is a mobile printer that could be tested.  The bluetooth connection died some time ago in the middle of printing a page but it might be worth checking.
Comment 10 Len Lawrence 2019-01-23 21:42:25 CET
Following on from comment 9:
Nope, no response from the mobile printer - USB only.
@katnatek: adding the 32-bit OK for your and Herman's tests.

Whiteboard: (none) => MGA6-32-OK MGA-64-OK

Comment 11 Len Lawrence 2019-01-23 21:49:58 CET
Darn it.  Forgot to check the CVEs.  There are POC tests available.  Unfortunately the files are base64 encoded so some research is needed there.  The last time I tried anything like that a php script was used to decode the data.
Comment 12 Len Lawrence 2019-01-24 00:23:28 CET
Moved to another machine for pre-update testing.
Installed blueman then called blueman-applet - found local USB bluetooth adapter.

Found 10 POC at https://www.spinics.net/lists/linux-bluetooth/msg68892.html
"multiple buffer overflows and out-of-bound reads"
10 base64 encoded data files were provided which needed to be converted to useful data.
$ echo '<base64 data blob>' > poc<n>.64
$ base64 -d poc<n>.64 > poc.<n>
Test procedure:
$ hcidump -a -r poc.<n>

poc.1   Generated a stream of messages - all "Unrecognized type 0"

poc.2   Lots of messages with "unknown type" but terminated gracefully.

poc.3   buffer overflow -> ABORT and core dump

poc.4   Various errors ending with unknown type.

poc.5   overflow -> ABORT

poc.6   A "Command rej" message, Unexpected syntax and several unknown types.

poc.7   double free or corruption -> ABORT

poc.8   Unexpected syntax but exited gracefully.

poc.9   A stack of "Unknown (type 00, len 0)"

poc.10  Various failures and several unknown types.

Under asan upstream all these tests aborted.
----------------------------------------------------------------------------

Updated the packages.
Afterwards.

poc.1   Generated a stream of messages - all "Unrecognized type 0"
        Same as before.  Good.
poc.2   Lots of messages with "unknown type" but terminated gracefully.
        Same as before.  Good.
poc.3   Analysis succeeded.  Error: Unexpected syntax.
        Good.  
poc.4   One error: Parameter out of Mandatory Range - tidy exit.
        Good.
poc.5   Packet analyzer had no trouble with this.
        Good.
poc.6   Same as before.
        Unexpected syntax and unknown type.  Looks good.
poc.7   double free or corruption -> ABORT
        Not good.
poc.8   Same as before.
        Good.
poc.9   Same as before.
        Good.
poc.10  Failure - rejected (no reason provided)
        Segmentation fault (core dumped)
        Not good.

These tests seem to be filed against CVE-2016-980{0,1,4}.  SUSE links to a couple of POC for 9804 and CVE-2016-7837 but comparison of file sizes indicates that these are the same as files used here.

There are two outright failures in this series, for 7 and 10.  ??
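The decode-and-replay routine from comments 11 and 12, written up as an added example (this is not code from the bug report or from bluez): it decodes each base64 blob, runs the result through `hcidump -a -r`, and classifies the exit status so that a crash (SIGABRT from glibc's "double free or corruption" abort, SIGSEGV from a stray read) is kept apart from a parser that merely reported "Unexpected syntax" and returned. The file names `poc<n>.64` and `poc.<n>` follow the thread; the analyzer command is a parameter so the same harness can be pointed at another packet parser. `base64 -d` and, for a real run, the bluez `hcidump` binary are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the bug report or from bluez.
# Decodes base64-encoded PoC capture files (poc<n>.64, the naming used in
# the thread) and replays each through `hcidump -a -r`, classifying the
# parser's exit status. Assumes `base64 -d` and, for a real run, the
# bluez `hcidump` binary on PATH.

# classify_status STATUS
# Map a shell exit status to a verdict:
#   0          -> ok            (parser finished normally)
#   1..128     -> error:<n>     (parser reported a problem but returned)
#   129..255   -> crash:<sig>   (killed by a signal; 134 = SIGABRT from the
#                                glibc allocator abort, 139 = SIGSEGV)
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case "$sig" in
            6)  echo crash:SIGABRT ;;
            11) echo crash:SIGSEGV ;;
            *)  echo "crash:signal$sig" ;;
        esac
    else
        echo "error:$status"
    fi
}

# decode_poc IN OUT
# Turn a base64 text file into the raw capture the analyzer expects.
decode_poc() {
    base64 -d "$1" > "$2"
}

# run_poc FILE [CMD...]
# Run CMD with FILE appended (default: hcidump -a -r FILE), discard its
# output, and print the verdict. The `|| status=$?` keeps the harness
# alive under `set -e` when the analyzer dies.
run_poc() {
    file=$1
    shift
    if [ $# -eq 0 ]; then
        set -- hcidump -a -r
    fi
    status=0
    "$@" "$file" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# replay_all [CMD...]
# Decode and replay every poc<n>.64 in the current directory, printing
# one "poc.<n> <verdict>" line each; returns 1 if any file crashed the
# parser, so the script can gate a package validation.
replay_all() {
    failed=0
    for enc in poc*.64; do
        [ -e "$enc" ] || continue
        n=${enc#poc}
        n=${n%.64}
        raw="poc.$n"
        decode_poc "$enc" "$raw"
        verdict=$(run_poc "$raw" "$@")
        echo "$raw $verdict"
        case "$verdict" in
            crash:*) failed=1 ;;
        esac
    done
    return "$failed"
}

# Usage: ./replay-pocs.sh run      (in the directory holding poc<n>.64)
if [ "${1-}" = run ]; then
    shift
    replay_all "$@"
fi
```

Run before and after installing the updated packages and diff the two verdict lists: a file that moves from `crash:*` to `error:*` or `ok` is the fix doing its job, while one that still reports `crash:SIGABRT` or `crash:SIGSEGV` (as poc.7 and poc.10 did in comment 12) is worth a separate report.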
Comment 13 Len Lawrence 2019-01-24 03:14:37 CET
On second thoughts, noting David's remark about a deprecated tool maybe we should just pass this on the basis of the successful utility tests and 4:1 success with the POC.
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Len Lawrence 2019-01-24 03:16:01 CET

Whiteboard: MGA6-32-OK MGA-64-OK => MGA6-32-OK MGA6-64-OK

Dave Hodgins 2019-01-26 05:24:40 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 14 Mageia Robot 2019-01-30 20:40:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0052.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

