Ubuntu has issued an advisory today (June 16):
https://ubuntu.com/security/notices/USN-4989-1

The issues are fixed upstream in 5.58.

Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 5.58
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA7TOO
bluez is committed by various people, so having to assign this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. (CVE-2020-26558)

The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading. (CVE-2021-3588)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3588
https://ubuntu.com/security/notices/USN-4989-1
========================

Updated packages in 7/core/updates_testing:
========================
bluez-5.54-1.2.mga7
bluez-cups-5.54-1.2.mga7
bluez-hid2hci-5.54-1.2.mga7
lib(64)bluez3-5.54-1.2.mga7
lib(64)bluez-devel-5.54-1.2.mga7

from SRPM:
bluez-5.54-1.2.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
bluez-5.55-3.1.mga8
bluez-cups-5.55-3.1.mga8
bluez-hid2hci-5.55-3.1.mga8
bluez-mesh-5.55-3.1.mga8
lib(64)bluez3-5.55-3.1.mga8
lib(64)bluez-devel-5.55-3.1.mga8

from SRPM:
bluez-5.55-3.1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Source RPM: bluez-5.55-2.mga8.src.rpm => bluez-5.55-3.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-26558, CVE-2021-3588
Status comment: Fixed upstream in 5.58 => (none)
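The kind of bounds check that the CVE-2021-3588 text in the suggested advisory above describes as missing, sketched as an added example (not part of this bug report and not BlueZ's code). The struct, the function names and the one-byte value are hypothetical; 0x07 is the ATT "Invalid Offset" error code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATT_ERROR_INVALID_OFFSET 0x07 /* ATT "Invalid Offset" error code */

/* Hypothetical per-client attribute value (constructed sample data). */
struct client_state { uint8_t feat[1]; };
const struct client_state sample_state = { { 0x01 } };

/* Hypothetical result handed back to the ATT layer. */
struct read_result {
    uint8_t ecode;       /* 0 on success, ATT error code otherwise */
    const uint8_t *data; /* start of the bytes to return */
    size_t len;          /* number of bytes to return */
};

/* Unchecked pattern: the peer-supplied offset indexes the array directly.
 * Any offset above sizeof(feat) points past the array and makes len wrap.
 * Shown for comparison only; never called here. */
struct read_result feat_read_unchecked(const struct client_state *st, uint16_t offset)
{
    struct read_result r = { 0, st->feat + offset, sizeof(st->feat) - offset };
    return r;
}

/* Checked pattern: reject the offset before it is used as an index.
 * offset == sizeof(feat) is allowed and yields an empty read. */
struct read_result feat_read_checked(const struct client_state *st, uint16_t offset)
{
    struct read_result r = { 0, NULL, 0 };
    if (offset > sizeof(st->feat)) {
        r.ecode = ATT_ERROR_INVALID_OFFSET;
        return r;
    }
    r.data = st->feat + offset;
    r.len = sizeof(st->feat) - offset;
    return r;
}

int main(void)
{
    const uint16_t offsets[] = { 0, 1, 2, 0xffff };
    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        struct read_result r = feat_read_checked(&sample_state, offsets[i]);
        printf("offset=%u ecode=0x%02x len=%zu\n", (unsigned)offsets[i], (unsigned)r.ecode, r.len);
    }
    return 0;
}
```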
mga8, x64

Not much likelihood of PoC for this. Found none.

Updated the six packages and used blueman-assistant to add a BT audio device. Needed two or three tries before it succeeded although the device and USB BT adaptor were found immediately. BT and audio working fine together. Switched off the device and then on and bluetooth connected immediately.

Had a go at pairing with an ancient Nokia classic but did not know the PIN number. Tried the security PIN but that did not work. Tried the default BT PIN 12345 which did not work either although the phone acknowledged the host adaptor. Gave up on that. Don't have any use for BT on a phone anyway.

Had a look at transfer settings hoping to send or receive data from a netbook but blueman seems to deal with receipts only, no way to send, so it is receive at both ends.

BT audio works anyway so giving it an OK.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Additional comment regarding bluetooth printing.

Used the blueman applet to discover an HP Officejet 100 mobile printer. Needed to install blueberry packages.

# hcitool scan
Scanning ...
	30:8D:99:E7:87:F9	OJL411MY573F10P4

When adding printer used the URI facility. The uri is specified in terms of the MAC address:
bluetooth://308d99e787f9

Finished off in CUPS Administration and printed an A5 testpage.
mga7, x64

Installed the five packages and updated them. Installed blueman. Found the bluetooth 4 adapter and searched for a nearby audio device. It paired without a PIN and connected fine. Found it in the pavucontrol menu after running paplay on a WAV file. Switched off the audio device then on again. The bluetooth connection resumed after a second or two.

Tried the Nokia 3110. It showed up in the blueman list and the phone asked if it could connect to the host adaptor, which was correctly identified. Pairing was initiated using the default PIN but failed. At least there was an interchange.

The mobile HP printer was also detected as well as the Samsung TV.

This is as far as it goes for me.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
This update is OK on this system:

System: Host: mageia.local Kernel: 5.10.43-desktop-1.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0
  Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8
USB: Hub: 1-0:1 info: Full speed (or root) Hub ports: 16 rev: 2.0 chip ID: <snip>
  Device-3: 1-7:5 info: Intel AX200 Bluetooth type: Bluetooth driver: btusb rev: 2.0 chip ID: 8087:0029

Audio Headset OK.

Advisory pushed.
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0281.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2021-0129:
https://www.debian.org/lts/security/2021/dla-2692
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FGEHNTYN7DOZBN7IPNNCVSIU2JNPC226/
*** Bug 29248 has been marked as a duplicate of this bug. ***