Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 101557 - net-wireless/bluez-utils<= 2.19 security vulnerability
Summary: net-wireless/bluez-utils<= 2.19 security vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C0 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-06 10:10 UTC by Henryk Plötz
Modified: 2005-08-17 09:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Henryk Plötz 2005-08-06 10:10:46 UTC
There is a security vulnerability in bluez-utils 2.16 through 2.18 (I only
tested 2.18, but the CVS logs indicate that the problem exists at least since
2.16) which allows for remote command execution (over the air) with root
privileges and bypassing of the Bluetooth PIN.

The vulnerability occurs when the pin helper is called and thus exists only when
"security user" is set in hcid.conf (which is the default in Gentoo Linux, but
not in the upstream package). The attacker also needs to get his device name
into the device name cache and I'm not sure how to do this in general so it
might be harder to exploit in a default installation. 

However, upstream has released a fixed bluez-utils-2.19 (which also needs
bluez-libs-2.19, unfortunately) and I think Gentoo include this version ASAP.
Should this not be possible then at least the existing version ought to be
patched. The difference between the vulnerable and the non-vulnerable version
is:
http://cvs.sourceforge.net/viewcvs.py/bluez/utils/hcid/security.c?r1=1.31&r2=1.34

Reproducible: Always
Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-08-06 11:45:28 UTC
liquidx or mobile/pda herds: please apply patch or bump to 2.19
Comment 2 Henrik Brix Andersen 2005-08-08 10:19:43 UTC
liquidx: are you around to handle this? If I do not hear from you by tomorrow, I
will handle the bump so we can get it marked stable on all affected archs.
Comment 3 Henrik Brix Andersen 2005-08-09 11:59:23 UTC
I have added net-wireless/bluez-libs-2.19 and net-wireless/bluez-utils-2.19,
which address the issue of this bug report.

I will mark them stable on x86 tomorrow if no additional bug reports tick in.
Other archs: please follow.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-08-10 00:55:52 UTC
I asked for a CAN number to MITRE.
Comment 5 Henrik Brix Andersen 2005-08-10 03:49:03 UTC
Stable on x86.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2005-08-10 08:09:24 UTC
ppc stable
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-08-12 00:25:02 UTC
======================================================
Candidate: CAN-2005-2547
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2547
Reference: MLIST:[bluez-devel] 20050804 Possible security vulnerability in hcid
when calling pin helper
Reference:
URL:http://sourceforge.net/mailarchive/forum.php?thread_id=7893206&forum_id=1881
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=101557
Reference:
CONFIRM:http://cvs.sourceforge.net/viewcvs.py/bluez/utils/hcid/security.c?r1=1.31&r2=1.34

security.c in hcid for BlueZ 2.18 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in the
Bluetooth device name when invoking the PIN helper.
Comment 8 Carlos Silva (RETIRED) gentoo-dev 2005-08-12 03:56:21 UTC
amd64 stable
Comment 9 Henrik Brix Andersen 2005-08-12 04:06:17 UTC
What about hppa?
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-08-12 08:22:00 UTC
You're right, we missed hppa.
hppa, sparc : please test and mark stable.
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-13 00:33:13 UTC
Stable on hppa.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-15 09:47:58 UTC
sparc please test and mark stable ASAP, thx. 
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-17 06:14:29 UTC
sparc stable.
didn't get the chance to properly test it, but it should be fine, hopefully i'll
get the bt kit by this weekend, play with it and leave it be or mask it.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-17 09:43:15 UTC
GLSA 200508-09