Bug 27485 - blueman new security issue CVE-2020-15238
Summary: blueman new security issue CVE-2020-15238
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Reported: 2020-10-29 16:51 CET by David Walser
Modified: 2020-11-08 15:15 CET

Source RPM: blueman-2.1-0.beta1.1.mga7.src.rpm

Description David Walser 2020-10-29 16:51:02 CET
Debian has issued an advisory on October 27:
https://www.debian.org/security/2020/dsa-4781

The issue is fixed upstream in 2.1.4.

Attention needs to be paid to the mitigation instructions in the CVE description as well.  I believe the correct changes were made in r1363060 by Jani, but these will need to be backported to Mageia 7.

David Walser 2020-10-29 16:51:23 CET

CC: (none) => geiger.david68210, jani.valimaa
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-29 17:02:22 CET
Ubuntu has issued an advisory for this on October 27:
https://ubuntu.com/security/notices/USN-4605-1

Comment 2 David Walser 2020-10-30 20:55:19 CET
blueman-2.1.4-1.mga8 uploaded for Cauldron by David Geiger.

Source RPM: blueman-2.1.3-2.mga8.src.rpm => blueman-2.1-0.beta1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 David Walser 2020-10-31 14:04:56 CET
Updated package uploaded for Mageia 7 by David Geiger.

Advisory:
========================

Updated blueman package fixes security vulnerability:

Vaisha Bernard discovered that blueman did not properly sanitize input on the
D-Bus interface to blueman-mechanism. A local attacker could possibly use this
issue to escalate privileges and run arbitrary code or cause a denial of
service (CVE-2020-15238).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15238
https://ubuntu.com/security/notices/USN-4605-1
========================

Updated packages in core/updates_testing:
========================
blueman-2.1.4-1.mga7

from blueman-2.1.4-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Len Lawrence 2020-10-31 19:10:26 CET
mga7, x64

Could not follow the description of the exploit after following the CVE link so skipped the PoC.

Updated blueman and connected to a bluetooth audio device immediately and it showed up in pulseaudio volume control.  Played a WAV file via sox.  Looks fine.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-11-01 16:43:16 CET
Good enough for me. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Aurelien Oudelet 2020-11-02 20:01:49 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 7 David Walser 2020-11-03 15:24:07 CET
(In reply to David Walser from comment #0)
> Attention needs to be paid to the mitigation instructions in the CVE
> description as well.  I believe the correct changes were made in r1363060 by
> Jani, but these will need to be backported to Mageia 7.

This wasn't done.

I think Ubuntu made this change in a subsequent update:
https://ubuntu.com/security/notices/USN-4605-2

Whiteboard: MGA7-64-OK => (none)
CC: (none) => qa-bugs
Assignee: qa-bugs => geiger.david68210
Keywords: advisory, validated_update => (none)

Comment 8 David GEIGER 2020-11-06 07:33:24 CET
(In reply to David Walser from comment #7)
> (In reply to David Walser from comment #0)
> > Attention needs to be paid to the mitigation instructions in the CVE
> > description as well.  I believe the correct changes were made in r1363060 by
> > Jani, but these will need to be backported to Mageia 7.
> 
> This wasn't done.

I really don't understand what is missing here?

Comment 9 David Walser 2020-11-06 11:07:20 CET
See the commit I referenced.

Comment 10 David GEIGER 2020-11-06 11:52:17 CET
The change for blueman-applet.service renamed to org.blueman.Applet.service is already done in release 2.1.4.

Comment 11 David Walser 2020-11-06 16:55:18 CET
Ahh yes the commit is in Mageia 7 after all.

Assignee: geiger.david68210 => qa-bugs
CC: qa-bugs => (none)
Keywords: (none) => advisory, validated_update

David Walser 2020-11-06 16:55:38 CET

Whiteboard: (none) => MGA7-64-OK

Comment 12 Mageia Robot 2020-11-08 15:15:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0402.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

