Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 797712 (CVE-2020-26558, CVE-2021-0129, CVE-2021-3588)

Summary: <net-wireless/bluez-5.57: multiple vulnerabilities (CVE-2020-26558, CVE-2021-{0129,3588})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: pacho
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/bluez/bluez/issues/70
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-23 02:45:21 UTC
CVE-2021-3588:

The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading.


Patch: https://github.com/bluez/bluez/commit/3a40bef49

bluez $ git tag --contains 3a40bef49
5.56
5.57
5.58

Please cleanup.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-23 02:49:55 UTC
Actually, an Intel advisory seems to indicate 5.57 fixes a couple more CVEs:

CVE-2021-0129:

Description: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.

CVE-2020-26558:

Description: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-23 02:55:43 UTC
(In reply to John Helmert III from comment #1)
> Actually, an Intel advisory seems to indicate 5.57 fixes a couple more CVEs:

Forgot to actually link the advisory:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html
Comment 3 Larry the Git Cow gentoo-dev 2021-06-23 07:53:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc88877a2411735d828da371cd8b72b2173625f5

commit dc88877a2411735d828da371cd8b72b2173625f5
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2021-06-23 07:52:09 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2021-06-23 07:53:39 +0000

    net-wireless/bluez: Drop old
    
    Bug: https://bugs.gentoo.org/797712
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 net-wireless/bluez/Manifest                        |   2 -
 net-wireless/bluez/bluez-5.55.ebuild               | 299 ---------------------
 net-wireless/bluez/bluez-5.56-r1.ebuild            | 296 --------------------
 .../bluez/files/bluez-5.56-avdtp-disconnects.patch |  41 ---
 4 files changed, 638 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-23 21:22:35 UTC
Thank you!
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:21:28 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:29:38 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:37:36 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:45:40 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:53:45 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:01:39 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 18:10:00 UTC
Package list is empty or all packages have requested keywords.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-27 01:40:42 UTC
GLSA request filed
Comment 13 Larry the Git Cow gentoo-dev 2022-09-29 14:48:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=84d576b12052186017c2b0197f8b202a48dd8f32

commit 84d576b12052186017c2b0197f8b202a48dd8f32
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:21:34 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:47:58 +0000

    [ GLSA 202209-16 ] BlueZ: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/797712
    Bug: https://bugs.gentoo.org/835077
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-16.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:49:51 UTC
GLSA released, all done!