Bug 29140 - bluez new security issues CVE-2020-26558 and CVE-2021-3588
Summary: bluez new security issues CVE-2020-26558 and CVE-2021-3588
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
: 29248 (view as bug list)
Depends on:
Reported: 2021-06-16 19:07 CEST by David Walser
Modified: 2021-07-19 14:04 CEST (History)
5 users (show)

See Also:
Source RPM: bluez-5.55-3.mga8.src.rpm
CVE: CVE-2020-26558, CVE-2021-3588
Status comment:


Description David Walser 2021-06-16 19:07:59 CEST
Ubuntu has issued an advisory today (June 16):

The issues are fixed upstream in 5.58.

Mageia 7 is also affected.
David Walser 2021-06-16 19:08:13 CEST

Status comment: (none) => Fixed upstream in 5.58
CC: (none) => nicolas.salguero

David Walser 2021-06-16 19:08:19 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2021-06-17 21:19:39 CEST
bluez is committed by various people, so having to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-06-18 15:37:01 CEST
Suggested advisory:

The updated packages fix security vulnerabilities:

Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. (CVE-2020-26558)

The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading. (CVE-2021-3588)


Updated packages in 7/core/updates_testing:

from SRPM:

Updated packages in 8/core/updates_testing:

from SRPM:

Assignee: pkg-bugs => qa-bugs
Source RPM: bluez-5.55-2.mga8.src.rpm => bluez-5.55-3.mga8.src.rpm
CVE: (none) => CVE-2020-26558, CVE-2021-3588
Status comment: Fixed upstream in 5.58 => (none)

Comment 3 Len Lawrence 2021-06-19 01:12:30 CEST
mga8, x64

Not much likelihood of PoC for this.  Found none.

Updated the six packages and used blueman-assistant to add a BT audio device.  Needed two or three tries before it succeeded although the device and USB BT adaptor were found immediately.  BT and audio working fine together.
Switched off the device and then on and bluetooth connected immediately.

Had a go at pairing with an ancient Nokia classic but did not know the PIN number.
Tried the security PIN but that did not work.  Tried the default BT PIN 12345 which did not work either although the phone acknowledged the host adaptor.  Gave up on that.  Don't have any use for BT on a phone anyway.

Had a look at transfer settings hoping to send or receive data from a netbook but blueman seems to deal with receipts only, no way to send, so it is receive at both ends.

BT audio works anyway so giving it an OK.

CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 4 Len Lawrence 2021-06-19 13:12:25 CEST
Additional comment regarding bluetooth printing.
Used the blueman applet to discover an HP Officejet 100 mobile printer.
Needed to install blueberry packages.
# hcitool scan
Scanning ...
	30:8D:99:E7:87:F9	OJL411MY573F10P4

When adding printer used the URI facility.
The uri is specified in terms of the MAC address:

Finished off in CUPS Administration and printed an A5 testpage.
Comment 5 Len Lawrence 2021-06-19 17:41:37 CEST
mga7, x64

Installed the five packages and updated them.
Installed blueman.
Found the bluetooth 4 adapter and searched for a nearby audio device.  It paired without a PIN and connected fine.  Found it in the pavuctrl menu after running paplay on a WAV file.  Switched off the audio device then on again.  The bluetooth connection resumed after a second or two.

Tried the Nokia 3110.  It showed up in the blueman list and the phone asked if it could connect to the host adaptor, which was correctly identified.  Pairing was initiated using the default PIN but failed.  At least there was an interchange.

The mobile HP printer was also detected as well as the Samsung TV.

This is as far as it goes for me.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 6 Thomas Andrews 2021-06-20 15:13:42 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Aurelien Oudelet 2021-06-22 21:05:34 CEST
This update is OK on this system:

System:    Host: mageia.local Kernel: 5.10.43-desktop-1.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0 
           Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8 
USB:       Hub: 1-0:1 info: Full speed (or root) Hub ports: 16 rev: 2.0 chip ID: 
           Device-3: 1-7:5 info: Intel AX200 Bluetooth type: Bluetooth driver: btusb rev: 2.0 
           chip ID: 8087:0029 

Audio Headset OK.

Advisory pushed.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 8 Mageia Robot 2021-06-23 19:14:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 10 David Walser 2021-07-19 14:04:04 CEST
*** Bug 29248 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.