Summary: | <net-wireless/bluez-5.47-r1: Information-disclosure flaw, aka BlueBorne. | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Nico Baggus <mlspamcb> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | arthur, gentoo, joost.ruis, leho, main.haarp, pacho |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | net-wireless/bluez-5.47-r1 | ||
Runtime testing required: | --- |
Description
Nico Baggus
2017-09-12 18:53:16 UTC
Actual content...
http://www.eweek.com/security/bluetooth-blueborne-flaws-expose-billions-of-devices-to-security-risks

Thank you for the report, from URL:

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

From the 8 vulnerabilities, 2 of them involve Linux environments and one is kernel related, we treat kernel vulnerabilities in a different manner.

Gentoo Security Padawan
ChrisADR

Armis was the company that published the bugs.
See https://www.armis.com/blueborne/

Full Technical analysis:
http://go.armis.com/blueborne-technical-paper

@Christopher Díaz
> From the 8 vulnerabilities, 2 of them involve Linux environments and one is kernel related, we treat kernel vulnerabilities in a different manner.

What does this mean exactly?
How is this issue being addressed?
A fix has already been committed to the kernel
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3

I'm unsure if there are also fixes needed for bluez

> I'm unsure if there are also fixes needed for bluez

Yes, there is also a patch for Bluez:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9e009647b14e810e06626dde7f1bb9ea3c375d09

[master fa7241ddd13] net-wireless/bluez: Version bump.
3 files changed, 267 insertions(+), 1 deletion(-)
create mode 100644 net-wireless/bluez/bluez-5.47.ebuild

5.47 fixes this

@Maintainer please call for stabilization when ready or let us know.

(In reply to Simon from comment #4)
> What does this mean exactly?
> How is this issue being addressed?
> A fix has already been committed to the kernel
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
>
> I'm unsure if there are also fixes needed for bluez

Hi @Simon,

Kernel vulnerabilities are addressed under "kernel" label, which is handled by the kernel-security team, bug 630840 was already filed before this one.

BlueBorne is a group of vulnerabilities that affect multiple devices, some of them include Android, Windows, and iPhone, those vulnerabilities are out of the scope from the Gentoo-security team, and most likely won't affect our systems.

On the other hand, as you can see, we already have the new version from bluez in portage (thanks to Pacho), we'll test it before to ensure that is safe and then release the GLSA once both issues are fixed.

Hope this is clearer,

Gentoo Security Padawan
ChrisADR

it looks to still work ok for me

-r1 contains a fixed init.d script

(In reply to Christopher Díaz from comment #7)
> @Maintainer please call for stabilization when ready or let us know.
>
> (In reply to Simon from comment #4)
> > What does this mean exactly?
> > How is this issue being addressed?
> > A fix has already been committed to the kernel
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> > ?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
> >
> > I'm unsure if there are also fixes needed for bluez
>
> Hi @Simon,
>
> Kernel vulnerabilities are addressed under "kernel" label, which is handled
> by the kernel-security team, bug 630840 was already filed before this one.
>
> BlueBorne is a group of vulnerabilities that affect multiple devices, some
> of them include Android, Windows, and iPhone, those vulnerabilities are out
> of the scope from the Gentoo-security team, and most likely won't affect our
> systems.
>
> On the other hand, as you can see, we already have the new version from
> bluez in portage (thanks to Pacho), we'll test it before to ensure that is
> safe and then release the GLSA once both issues are fixed.
>
> Hope this is clearer,
>
> Gentoo Security Padawan
> ChrisADR

Thanks for the clarification!
I'll keep an eye on bug 630840

arm stable

amd64/x86 stable

hppa stable

ppc64 stable

ppc stable

Looks like last arch is done here. Thank you all.

@Maintainers please remove vulnerable versions.
@Security please vote.

Gentoo Security Padawan
ChrisADR

cleaned

GLSA Vote: No