Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 919383 (CVE-2023-45866)

Summary: <net-wireless/bluez-5.70-r1: Denial of service/privilege escalation
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: pacho
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/skysafe/reblog/tree/main/cve-2023-45866
See Also: https://bugs.gentoo.org/show_bug.cgi?id=712292
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 919864    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-07 02:12:07 UTC 
The gist here appears to be the same thing as before, but just actually flipping the protection from bug 712292 on by default this time. It was kept off for compatibility reasons by upstream and we didn't deviate.

Patch: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-07 16:05:18 UTC 
I'll backport the patch tonight if that's alright.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-09 18:22:54 UTC 
commit 26f32e2abe9e0c412c98898f61b144a3f6e5fb76
Author: Sam James <sam@gentoo.org>
Date:   Sat Dec 9 18:05:05 2023 +0000

    net-wireless/bluez: backport CVE-2023-45866 fix

    Signed-off-by: Sam James <sam@gentoo.org>
Comment 3 Larry the Git Cow gentoo-dev 2023-12-16 09:15:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7eea4a6e371f176706880da4b1e0ef04fb5c3f7c

commit 7eea4a6e371f176706880da4b1e0ef04fb5c3f7c
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2023-12-16 09:14:54 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2023-12-16 09:15:19 +0000

    net-wireless/bluez: drop 5.68, 5.69, 5.70
    
    Bug: https://bugs.gentoo.org/919383
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 net-wireless/bluez/Manifest                        |   2 -
 net-wireless/bluez/bluez-5.68.ebuild               | 294 ---------------------
 net-wireless/bluez/bluez-5.69.ebuild               | 285 --------------------
 net-wireless/bluez/bluez-5.70.ebuild               | 285 --------------------
 .../bluez/files/bluez-5.68-bap-dettach-io.patch    | 101 -------
 .../bluez/files/bluez-5.68-bap-ebusy-fix.patch     | 206 ---------------
 .../bluez/files/bluez-5.68-bap-nonzero.patch       |  27 --
 .../bluez/files/bluez-5.68-bap-resume.patch        | 187 -------------
 .../bluez/files/bluez-5.68-clang-midi.patch        |  83 ------
 .../files/bluez-5.68-heap-use-after-free.patch     |  41 ---
 .../bluez/files/bluez-5.68-monitor-decoding.patch  |  45 ----
 11 files changed, 1556 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-05 12:10:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=87a5ad502549134412c395506282f7e0d2f07c69

commit 87a5ad502549134412c395506282f7e0d2f07c69
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-05 12:09:52 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-05 12:10:24 +0000

    [ GLSA 202401-03 ] BlueZ: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/919383
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)