Bug 86638 - af_bluetooth local root exploit (CAN-2005-0750)
Summary: af_bluetooth local root exploit (CAN-2005-0750)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: [linux < 2.4.30][ linux >= 2.6 < 2.6....
Keywords:
Duplicates: 87901
Depends on:
Blocks:
Reported: 2005-03-25 04:25 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2009-05-03 15:05 UTC
CC list: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
CAN-2005-0750.patch (719 bytes, patch)
2005-03-25 04:25 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-25 04:25:05 UTC
There is a local root exploit by integer underflow in the bluetooth handling,
triggerable by any user if you have bluetooth modules installed.

(I think using socket(AF_BLUETOOTH, -index, x); )

Marcel has posted the patch below; I am not sure which BK tree that is,
however.

CAN-2005-0750 as by Mark J Cox.

An actual exploit supposedly exists already.
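The signedness problem the report describes, as an added illustration that is not the kernel's code and not the attached patch: a hypothetical protocol table standing in for the kernel's lookup array, with the upper-bound-only range check that lets a negative protocol number through beside the corrected check that rejects it.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BT_MAX_PROTO 8

/* Hypothetical protocol table (constructed for this example). Slots stay
 * NULL until a protocol module registers itself. */
static const char *bt_proto[BT_MAX_PROTO] = {
    [0] = "L2CAP", [1] = "SCO", [2] = "RFCOMM", [3] = "BNEP",
};

/* Upper-bound-only check, the class of defect the report describes: `proto`
 * is a signed int taken from the caller, so a negative value passes and a
 * later bt_proto[proto] read would land before the start of the table. */
bool proto_index_accepted_unsafe(int proto)
{
    return proto < BT_MAX_PROTO;
}

/* Corrected check: reject negative values explicitly. Comparing as unsigned,
 * (unsigned)proto >= BT_MAX_PROTO, is the equivalent one-sided form. */
bool proto_index_accepted_safe(int proto)
{
    return proto >= 0 && proto < BT_MAX_PROTO;
}

/* Resolve a protocol name only after the corrected range check; NULL for
 * out-of-range numbers and for in-range slots with nothing registered. */
const char *bt_lookup_proto(int proto)
{
    if (!proto_index_accepted_safe(proto))
        return NULL;
    return bt_proto[proto];
}

int main(void)
{
    int probes[] = { 2, -1, 5, BT_MAX_PROTO };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int p = probes[i];
        const char *name = bt_lookup_proto(p);
        printf("proto %2d: unsafe check %s, safe check %s, lookup %s\n", p,
               proto_index_accepted_unsafe(p) ? "accepts" : "rejects",
               proto_index_accepted_safe(p) ? "accepts" : "rejects",
               name ? name : "(none)");
    }
    return 0;
}
```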
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-25 04:25:50 UTC
Created attachment 54428: CAN-2005-0750.patch
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-26 09:07:03 UTC
Patch posted in BK tree. New kernel release should follow.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-26 09:18:04 UTC
Fixed in vanilla 2.6.11.6
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6
Comment 4 Joshua Kinard gentoo-dev 2005-04-23 22:28:18 UTC
mips-sources fixed.
Comment 5 Daniel Drake (RETIRED) gentoo-dev 2005-04-27 13:43:23 UTC
Fixed in gentoo-sources-2.6.11-r6
Comment 6 Robert Paskowitz (RETIRED) gentoo-dev 2005-05-17 16:34:00 UTC
Another that can probably be closed now.
http://kiss.gentoo.org/dev/viewBug.php?BugID=86638
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-05-23 04:56:47 UTC
*** Bug 87901 has been marked as a duplicate of this bug. ***
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-05-23 04:59:04 UTC
This also affects the 2.4 series.

From solar:
grsec-sources-2.4.30 is in the tree as ~arch.

Note for other bumpers of 2.4.x series.
CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never
been applied to mainline.
Comment 9 Tim Yamin (RETIRED) gentoo-dev 2005-08-20 11:22:34 UTC
rsbac-sources affected.
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2005-11-26 02:34:57 UTC
All fixed, closing.