Bug 630838 (CVE-2017-1000250)

Summary: <net-wireless/bluez-5.47-r1: Information-disclosure flaw, aka BlueBorne.
Product: Gentoo Security
Reporter: Nico Baggus <mlspamcb>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: arthur, gentoo, joost.ruis, leho, main.haarp, pacho
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
Whiteboard: B3 [noglsa cve]
Package list:
net-wireless/bluez-5.47-r1
Runtime testing required: ---

Description Nico Baggus 2017-09-12 18:53:16 UTC
Bluetooth stacks have various security flaws, Linux as well as Android as well as iOS as well as other devices.

Reproducible: Always

Actual Results:
This isn't mentioned in a GLSA and also not found in BZ.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-12 23:54:18 UTC
Thank you for the report, from URL:

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

Of the 8 vulnerabilities, 2 involve Linux environments and one is kernel related; we treat kernel vulnerabilities in a different manner.

Gentoo Security Padawan
ChrisADR
Comment 3 Nico Baggus 2017-09-13 21:32:45 UTC
Armis was the company that published the bugs.
See
https://www.armis.com/blueborne/

Full Technical analysis: 
http://go.armis.com/blueborne-technical-paper
Comment 4 Simon 2017-09-14 08:07:51 UTC
@Christopher Díaz

> From the 8 vulnerabilities, 2 of them involve Linux environments and one is kernel related, we treat kernel vulnerabilities in a different manner.

What does this mean exactly?
How is this issue being addressed?
A fix has already been committed to the kernel https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3

I'm unsure if there are also fixes needed for bluez
Comment 5 Fabian Köster 2017-09-14 08:44:25 UTC
> I'm unsure if there are also fixes needed for bluez

Yes, there is also a patch for Bluez:

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9e009647b14e810e06626dde7f1bb9ea3c375d09
Comment 6 Pacho Ramos gentoo-dev 2017-09-14 11:19:52 UTC
[master fa7241ddd13] net-wireless/bluez: Version bump.
 3 files changed, 267 insertions(+), 1 deletion(-)
 create mode 100644 net-wireless/bluez/bluez-5.47.ebuild

5.47 fixes this
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-14 13:51:09 UTC
@Maintainer please call for stabilization when ready or let us know.

(In reply to Simon from comment #4)
> What does this mean exactly?
> How is this issue being addressed?
> A fix has already been committed to the kernel
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
> 
> I'm unsure if there are also fixes needed for bluez

Hi @Simon, 

Kernel vulnerabilities are addressed under the "kernel" label, which is handled by the kernel-security team; bug 630840 was already filed before this one.

BlueBorne is a group of vulnerabilities that affect multiple devices, some of which include Android, Windows, and iPhone. Those vulnerabilities are out of the scope of the Gentoo Security team, and most likely won't affect our systems.

On the other hand, as you can see, we already have the new version of bluez in portage (thanks to Pacho). We'll test it first to ensure that it is safe and then release the GLSA once both issues are fixed.

Hope this is clearer,

Gentoo Security Padawan
ChrisADR
Comment 8 Pacho Ramos gentoo-dev 2017-09-14 14:12:52 UTC
it looks to still work ok for me
Comment 9 Pacho Ramos gentoo-dev 2017-09-15 09:35:41 UTC
-r1 contains a fixed init.d script
Comment 10 Simon 2017-09-17 07:58:45 UTC
(In reply to Christopher Díaz from comment #7)
> @Maintainer please call for stabilization when ready or let us know.
> 
> (In reply to Simon from comment #4)
> > What does this mean exactly?
> > How is this issue being addressed?
> > A fix has already been committed to the kernel
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> > ?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
> > 
> > I'm unsure if there are also fixes needed for bluez
> 
> Hi @Simon, 
> 
> Kernel vulnerabilities are addressed under the "kernel" label, which is handled
> by the kernel-security team; bug 630840 was already filed before this one.
> 
> BlueBorne is a group of vulnerabilities that affect multiple devices, some
> of which include Android, Windows, and iPhone. Those vulnerabilities are out
> of the scope of the Gentoo Security team, and most likely won't affect our
> systems.
> 
> On the other hand, as you can see, we already have the new version of
> bluez in portage (thanks to Pacho). We'll test it first to ensure that it is
> safe and then release the GLSA once both issues are fixed.
> 
> Hope this is clearer,
> 
> Gentoo Security Padawan
> ChrisADR

Thanks for the clarification!
I'll keep an eye on bug 630840
Comment 11 Markus Meier gentoo-dev 2017-09-18 04:30:02 UTC
arm stable
Comment 12 Pacho Ramos gentoo-dev 2017-09-18 21:46:35 UTC
amd64/x86 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-22 07:35:43 UTC
hppa stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 13:56:15 UTC
ppc64 stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 16:20:15 UTC
ppc stable

Looks like last arch is done here.
Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-24 17:22:35 UTC
Thank you all.

@Maintainers please remove vulnerable versions.

@Security please vote.

Gentoo Security Padawan
ChrisADR
Comment 17 Pacho Ramos gentoo-dev 2017-09-24 21:26:50 UTC
cleaned
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 21:30:24 UTC
GLSA Vote: No