Bug 34123 - bluez new security issues CVE-2023-44431, CVE-2023-5158[09], CVE-2023-5159[246]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-20 16:04 CET by Nicolas Salguero
Modified: 2025-03-26 04:44 CET

See Also:
Source RPM: bluez-5.79-1.mga9.src.rpm
CVE: CVE-2023-44431, CVE-2023-51580, CVE-2023-51589, CVE-2023-51592, CVE-2023-51594, CVE-2023-51596
Status comment:



Nicolas Salguero 2025-03-20 16:05:42 CET

Status comment: (none) => Fixed upstream in 5.80, according to Fedora
CVE: (none) => CVE-2023-44431, CVE-2023-51580, CVE-2023-51589, CVE-2023-51592, CVE-2023-51594, CVE-2023-51596
Source RPM: (none) => bluez-5.79-1.mga9.src.rpm

Comment 1 Lewis Smith 2025-03-20 21:29:24 CET
version: 5.80 is already in Cauldron thanks to DavidG.
Can you please do M9 too?

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2025-03-24 15:12:15 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. (CVE-2023-44431)

BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Read Information Disclosure Vulnerability. (CVE-2023-51580)

BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. (CVE-2023-51589)

BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Information Disclosure Vulnerability. (CVE-2023-51592)

BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerability. (CVE-2023-51594)

BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. (CVE-2023-51596)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KKJVC5RPR5AMR4ZTMHWP7TATS4SY47/
========================

Updated packages in core/updates_testing:
========================
bluez-5.80-1.mga9
bluez-cups-5.80-1.mga9
bluez-hid2hci-5.80-1.mga9
bluez-mesh-5.80-1.mga9
lib(64)bluez3-5.80-1.mga9
lib(64)bluez-devel-5.80-1.mga9

from SRPM:
bluez-5.80-1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 5.80, according to Fedora => (none)
Status: NEW => ASSIGNED

katnatek 2025-03-24 18:54:18 CET

Keywords: (none) => advisory

Comment 3 Len Lawrence 2025-03-24 22:32:41 CET
mga9, x64
Before updating could find no PoC via the Mitre CVE site.
Blueman was working fine.
Clean update.
Immediate connection to Bose portable speaker via Blueman on Mate.
$ bluetoothctl
hci0 new_settings: powered connectable discoverable bondable ssp br/edr le secure-conn wide-band-speech 
Agent registered
[CHG] Controller AC:82:47:4E:7B:26 Pairable: yes
[Bose SLIII]> 

Bluetooth audio working well.

CC: (none) => tarazed25

Comment 4 Herman Viaene 2025-03-25 10:46:05 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 32604 for testing.
# systemctl  restart bluetooth
# systemctl -l status bluetooth
● bluetooth.service - Bluetooth service
     Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; disabled; preset: enabled)
     Active: active (running) since Tue 2025-03-25 10:09:10 CET; 14s ago
       Docs: man:bluetoothd(8)
   Main PID: 73145 (bluetoothd)
     Status: "Running"
      Tasks: 1 (limit: 8806)
     Memory: 908.0K
        CPU: 235ms
     CGroup: /system.slice/bluetooth.service
             └─73145 /usr/libexec/bluetooth/bluetoothd

Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSink/sbc
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSource/sbc
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSink/sbc_xq_453
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSource/sbc_xq_453
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSink/sbc_xq_512
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSource/sbc_xq_512
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSink/sbc_xq_552
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSource/sbc_xq_552
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSink/faststream
Mar 25 10:09:10 mach3.hviaene.thuis bluetoothd[73145]: Endpoint registered: sender=:1.53 path=/MediaEndpoint/A2DPSource/faststream

Using bluetooth device manager I can see my Nokia 1 smartphone (old device, bluetooth always on) and connect.
Sending file works OK.
Together with Len's above, good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2025-03-25 16:26:01 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2025-03-26 04:44:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0115.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

