Bug 919383 (CVE-2023-45866) - <net-wireless/bluez-5.70-r1: Denial of service/privilege escalation
Summary: <net-wireless/bluez-5.70-r1: Denial of service/privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2023-45866
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://github.com/skysafe/reblog/tre...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 919864
Blocks:
Reported: 2023-12-07 02:12 UTC by Sam James
Modified: 2024-01-05 12:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-07 02:12:07 UTC
The gist here appears to be the same thing as before, but just actually flipping the protection from bug 712292 on by default this time. It was kept off for compatibility reasons by upstream and we didn't deviate.

Patch: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-07 16:05:18 UTC
I'll backport the patch tonight if that's alright.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-09 18:22:54 UTC
commit 26f32e2abe9e0c412c98898f61b144a3f6e5fb76
Author: Sam James <sam@gentoo.org>
Date:   Sat Dec 9 18:05:05 2023 +0000

    net-wireless/bluez: backport CVE-2023-45866 fix

    Signed-off-by: Sam James <sam@gentoo.org>
Comment 3 Larry the Git Cow gentoo-dev 2023-12-16 09:15:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7eea4a6e371f176706880da4b1e0ef04fb5c3f7c

commit 7eea4a6e371f176706880da4b1e0ef04fb5c3f7c
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2023-12-16 09:14:54 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2023-12-16 09:15:19 +0000

    net-wireless/bluez: drop 5.68, 5.69, 5.70
    
    Bug: https://bugs.gentoo.org/919383
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 net-wireless/bluez/Manifest                        |   2 -
 net-wireless/bluez/bluez-5.68.ebuild               | 294 ---------------------
 net-wireless/bluez/bluez-5.69.ebuild               | 285 --------------------
 net-wireless/bluez/bluez-5.70.ebuild               | 285 --------------------
 .../bluez/files/bluez-5.68-bap-dettach-io.patch    | 101 -------
 .../bluez/files/bluez-5.68-bap-ebusy-fix.patch     | 206 ---------------
 .../bluez/files/bluez-5.68-bap-nonzero.patch       |  27 --
 .../bluez/files/bluez-5.68-bap-resume.patch        | 187 -------------
 .../bluez/files/bluez-5.68-clang-midi.patch        |  83 ------
 .../files/bluez-5.68-heap-use-after-free.patch     |  41 ---
 .../bluez/files/bluez-5.68-monitor-decoding.patch  |  45 ----
 11 files changed, 1556 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-05 12:10:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=87a5ad502549134412c395506282f7e0d2f07c69

commit 87a5ad502549134412c395506282f7e0d2f07c69
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-05 12:09:52 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-05 12:10:24 +0000

    [ GLSA 202401-03 ] BlueZ: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/919383
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)