Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 712292 (CVE-2020-0556, INTEL-SA-00352) - <net-wireless/bluez-5.54: Denial of service/privilege escalation (CVE-2020-0556/INTEL-SA-00352)
Summary: <net-wireless/bluez-5.54: Denial of service/privilege escalation (CVE-2020-05...
Status: RESOLVED FIXED
Alias: CVE-2020-0556, INTEL-SA-00352
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://www.intel.com/content/www/us/...
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-12 23:05 UTC by Sam James
Modified: 2023-12-07 02:12 UTC (History)
3 users (show)

See Also:
Package list:
net-wireless/bluez-5.54 amd64 arm arm64 hppa ppc ppc64 x86 dev-libs/ell-0.28 amd64 arm arm64 hppa ppc ppc64 x86 net-wireless/iwd-1.5 amd64 arm arm64 ppc ppc64 x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-12 23:05:55 UTC 
Description:
"Improper access control in subsystem for BlueZ before version 5.53 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access."

Patches for <5.53:
https://patchwork.kernel.org/patch/11428317/
https://patchwork.kernel.org/patch/11428319/
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 01:35:06 UTC 
Looks like patches didn't make it into 5.53 release.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 01:38:12 UTC 
(In reply to Thomas Deutschmann from comment #1)
> Looks like patches didn't make it into 5.53 release.


NOTE: As pointed out [0] on oss-security, these patches do not seem to have landed in time for 5.53, contrary to the advisory(!)

I have verified this claim by downloading the tarball and checking for the patches but they do not seem to apply.

Note that maintainers can still apply the linked patches.

[0] https://www.openwall.com/lists/oss-security/2020/03/13/2
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 01:38:44 UTC 
(In reply to sam_c (Security Padawan) from comment #2)
> (In reply to Thomas Deutschmann from comment #1)
> > Looks like patches didn't make it into 5.53 release.
> 
> 
> NOTE: As pointed out [0] on oss-security, these patches do not seem to have
> landed in time for 5.53, contrary to the advisory(!)
> 
> I have verified this claim by downloading the tarball and checking for the
> patches but they do not seem to apply.
> 
> Note that maintainers can still apply the linked patches.
> 
> [0] https://www.openwall.com/lists/oss-security/2020/03/13/2

s/apply/have been applied/.
Comment 4 Pacho Ramos gentoo-dev 2020-03-20 15:12:24 UTC 
We can try to stabilize 5.54 I think
Comment 5 Stabilization helper bot gentoo-dev 2020-03-20 16:01:14 UTC 
An automated check of this bug failed - repoman reported dependency errors (193 lines truncated): 

> dependency.bad net-wireless/bluez/bluez-5.54.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/ell-0.28']
> dependency.bad net-wireless/bluez/bluez-5.54.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/ell-0.28']
> dependency.bad net-wireless/bluez/bluez-5.54.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/ell-0.28']
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-20 16:04:53 UTC 
(In reply to Pacho Ramos from comment #4)
> We can try to stabilize 5.54 I think

Yes please, they've updated the advisory now, so 5.5.4 is the first fixed version.
Comment 7 Ben Kohler gentoo-dev 2020-03-20 18:17:16 UTC 
Current stable net-wireless/iwd-1.4 depends on ~ell-0.27, can we add iwd-1.5 stabilization to this list? No known blockers for iwd stable
Comment 8 Pacho Ramos gentoo-dev 2020-03-20 22:49:46 UTC 
sure
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-21 16:25:41 UTC 
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-21 16:48:15 UTC 
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-21 16:50:05 UTC 
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-21 16:50:46 UTC 
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-21 16:51:22 UTC 
x86 stable
Comment 14 Rolf Eike Beer archtester 2020-03-23 21:12:53 UTC 
dropped to ~hppa
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-23 21:27:53 UTC 
(updating whiteboard)
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 15:16:50 UTC 
New GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 15:36:04 UTC 
This issue was resolved and addressed in
 GLSA 202003-49 at https://security.gentoo.org/glsa/202003-49
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 15:36:42 UTC 
Re-opening for remaining architectures.
Comment 19 Mart Raudsepp gentoo-dev 2020-03-29 11:03:53 UTC 
arm64 stable
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-29 17:53:12 UTC 
@maintainer(s), please cleanup
Comment 21 Pacho Ramos gentoo-dev 2020-04-01 23:26:54 UTC 
cleanup done
Comment 22 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 23:29:42 UTC 
Tree clean, GLSA done, closing.