Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 458752

Summary: Kernel : Bluetooth HIDP "hidp_setup_hid()" Information Disclosure Vulnerability (CVE-2013-0349)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: KernelAssignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED OBSOLETE    
Severity: normal CC: kernel
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/52340/
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-02-22 14:51:33 UTC 
From $URL :

Description
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users 
to gain knowledge of potentially sensitive information.

The vulnerability is caused due to an error in the HIDP Bluetooth implementation within the 
"hidp_setup_hid()" function (net/bluetooth/hidp/core.c) as the HID device name, physical location, 
and unique identifier variables may not be properly NULL terminated when handling long strings. 
This can be exploited to disclose memory content via a specially crafted program executing a 
ioctl(HIDPCONNADD) call.

Successful exploitation requires that the kernel is built with Bluetooth stack and HIDP support.

The vulnerability is reported in versions prior to 3.7.6, 3.4.29, 3.2.38, and 3.0.62


Solution
Update to version 3.7.6, 3.4.29, 3.2.38, or 3.0.62

Provided and/or discovered by
Anderson Lizardo

Original Advisory
Kernel.org:
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.7.6
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.29
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.2.38
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.62
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2018-04-04 18:33:22 UTC 
There are no longer any 2.x or <3.7.6 kernels available in the repository with the exception of sys-kernel/xbox-sources which is unsupported by security.