** Please note that this issue is SEMI-PUBLIC and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Glenn Durfee of Google writes:

The SDP parsing code blindly trusts string length fields in incoming SDP packets, exposing reliant applications to over-the-wireless memory manipulation attacks. An attacker need only send a malformed response to an SDP query to take advantage of this. This is most apparent in file bluez-libs-3.30/src/sdp.c, lines 988, 994, 1002 (see below). The same happens elsewhere in the code where input pointers are advanced without checking the bytes remaining to be parsed.

The root of the problem is that in bluez-libs-3.30/src/sdp.c:1125, the function sdp_extract_pdu() takes a buffer to parse (in) and a pointer to a length field (out), but it does not take an incoming length field (in).

Attached is a patch to fix this issue. Basically I added a "bytesleft" argument to all of the SDP payload processing routines; length fields are checked against the number of remaining bytes to ensure the parser doesn't run past the end of the packet, or do crazy things like malloc two gigs of memory. This touches a lot of places, and changes the external API for SDP payload processing, but I don't see any other way to do this -- the parser MUST be aware of the incoming packet size in order for this to be secure.

See: http://article.gmane.org/gmane.linux.bluez.devel/15809/

Jan Lieskovsky of RedHat writes:

This issue is already public, but the detailed information about its security impact is not publicly known yet, so please handle this as confidential.

More details about security impact from Marcel Holtmann:
========================================================

It affects the SDP client functionality and I don't see how you can actually trigger it. The user has to first enter a trusted relationship with the remote device before an unexpected SDP transaction will happen, and then you can do more harm anyway.

The exception is that the user has a proximity tool running that scans every device in range, but such things are shipped with neither RHEL nor Fedora.

However, today I realized that there is an issue with the SDP service record registration. As a normal user you can register service records via an old Unix socket interface or via D-Bus. Both times you give the record in binary form, and since hcid is running as root, this could allow a privilege escalation.

All the information from that blog was in the original email from Google and that was also public. The post mentions that you could trigger this remotely. This is a hard stretch since you actually have to construct a scenario for it. BlueZ will not connect to other devices without trusting them by default. So that is impact=low. However, the same parsing is used to create service records locally and hence you have a local privilege escalation. That hasn't been mentioned publicly at all. Even I overlooked it in my first review of the patches.
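The two shapes the report above contrasts, a parser that trusts the length field in the packet and one that carries a "bytesleft" count and checks every read against it, as an added example that is not bluez-libs code and not the attached patch. It models one SDP text-string data element only (descriptor byte 0x25/0x26/0x27 followed by an 8-, 16- or 32-bit length); the function names, the SDP_MAX_STR_LEN cap and the sample packets are assumptions made for this illustration. The unchecked variant is called only on well-formed input here, since on the malformed samples it would read past the buffer or attempt a multi-gigabyte malloc, which is exactly the failure mode described. The same checked shape covers both the remote case (a malformed SDP response) and the local one (a binary service record handed to a root daemon), because the parser does not know or care where the bytes came from.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified SDP data-element header: top 5 bits give the type, low 3 bits
 * the size index. Type 4 is a text string; size index 5, 6 or 7 means an
 * 8-, 16- or 32-bit length field follows. This is a model for the example,
 * not the bluez-libs parser. */
#define SDP_TEXT_STR8  0x25
#define SDP_TEXT_STR16 0x26
#define SDP_TEXT_STR32 0x27

/* Assumed sanity cap so a 32-bit length cannot drive a multi-gigabyte malloc. */
#define SDP_MAX_STR_LEN 4096

/* Header size (descriptor plus length field) for a text-string descriptor,
 * or 0 if the byte is not one of the three text-string descriptors. */
static size_t hdr_len(uint8_t dtd)
{
    switch (dtd) {
    case SDP_TEXT_STR8:  return 2;
    case SDP_TEXT_STR16: return 3;
    case SDP_TEXT_STR32: return 5;
    default:             return 0;
    }
}

/* Vulnerable shape: the length comes from the packet and is trusted, so a
 * peer can claim more bytes than were received. memcpy then reads past the
 * end of the buffer, and a 32-bit length makes malloc try for gigabytes.
 * Demonstration only; call it on well-formed input. */
char *extract_str_unchecked(const uint8_t *p, size_t *scanned)
{
    size_t n = hdr_len(p[0]);
    if (n == 0)
        return NULL;
    uint32_t len = 0;
    for (size_t i = 1; i < n; i++)
        len = (len << 8) | p[i];
    char *s = malloc((size_t)len + 1);        /* len is attacker-controlled */
    if (!s)
        return NULL;
    memcpy(s, p + n, len);                    /* no check that len bytes exist */
    s[len] = '\0';
    *scanned = n + len;
    return s;
}

/* Hardened shape: the caller passes bytesleft and every read is checked
 * against it before it happens, the structure the report's fix describes. */
char *extract_str_checked(const uint8_t *p, size_t bytesleft, size_t *scanned)
{
    if (bytesleft < 1)
        return NULL;                          /* no room for the descriptor */
    size_t n = hdr_len(p[0]);
    if (n == 0 || bytesleft < n)
        return NULL;                          /* length field itself truncated */
    uint32_t len = 0;
    for (size_t i = 1; i < n; i++)
        len = (len << 8) | p[i];
    if (len > SDP_MAX_STR_LEN)
        return NULL;                          /* refuse absurd allocations */
    if (len > bytesleft - n)
        return NULL;                          /* payload would run past the packet */
    char *s = malloc((size_t)len + 1);
    if (!s)
        return NULL;
    memcpy(s, p + n, len);
    s[len] = '\0';
    *scanned = n + len;
    return s;
}

/* Constructed sample elements for this example (not captured traffic). */
static const uint8_t pkt_good[]  = { SDP_TEXT_STR8, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t pkt_short[] = { SDP_TEXT_STR8, 0xff, 'a' };                /* claims 255 bytes, carries 1 */
static const uint8_t pkt_huge[]  = { SDP_TEXT_STR32, 0x7f, 0xff, 0xff, 0xff };  /* claims ~2 GiB */
static const uint8_t pkt_trunc[] = { SDP_TEXT_STR16, 0x00 };                    /* 16-bit length field cut short */

/* Returns how many of the malformed samples the checked parser wrongly accepted. */
int count_malformed_accepted(void)
{
    size_t sc;
    int bad = 0;
    if (extract_str_checked(pkt_short, sizeof pkt_short, &sc)) bad++;
    if (extract_str_checked(pkt_huge,  sizeof pkt_huge,  &sc)) bad++;
    if (extract_str_checked(pkt_trunc, sizeof pkt_trunc, &sc)) bad++;
    return bad;
}

int main(void)
{
    size_t sc = 0;
    char *s = extract_str_checked(pkt_good, sizeof pkt_good, &sc);
    printf("good element: %s (%zu bytes consumed)\n", s ? s : "(rejected)", sc);
    free(s);
    printf("malformed samples accepted by checked parser: %d\n", count_malformed_accepted());
    return 0;
}
```

The check order matters: the descriptor byte must be in range before the header length is read, the header must fit before the length field is decoded, and the decoded length is compared against what remains only after the header bytes are subtracted, so the subtraction cannot underflow. Threading bytesleft through every recursive extraction routine, as the report's patch does, is what makes the outer sdp_extract_pdu()-style caller able to hand each nested element an honest remaining count.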
Petteri, 3.35 fixes this issue, and you can commit that to CVS. I would suppose (but I did not research it) that the 2.X branch is also affected. Marcel forwarded a patch, and we could try backporting it to the 2.X branch to fix this. However, how do you feel about pushing 3.35 to stable? I saw that HPPA already went the 3.X road, and stabled 3.30.
All details in here are public via https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2374 Petteri, patches are available at the bug linked above. Most of the codebase that is changed there only had cosmetic changes, so porting it to 2.25 seems feasible. Please let us know how you would like to proceed, either with taking the steps to stable, or update the old version.
Bumped to 3.36.
(In reply to comment #3)
> Bumped to 3.36.
>
> (In reply to comment #2)
> All details in here are public via
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2374
>
> Petteri, patches are available at the bug linked above. Most of the codebase
> that is changed there only had cosmetic changes, so porting it to 2.25 seems
> feasible. Please let us know how you would like to proceed, either with taking
> the steps to stable, or update the old version.

About stabilization of 3.36, is it ok to call ALL arches that had 2.x branch stable, or just HPPA, which has 3.30 stable?
(In reply to comment #4)
> About stabilization of 3.36, is it ok to call ALL arches that had 2.x branch
> stable, or just HPPA, which has 3.30 stable?

The ebuild dev-zero added is buggy.
The blocking bugs have been resolved, how do you feel about stabling this for all architectures now?
adding two new blocking bugs that dev-zero pointed out to me. Petteri, can you take a look at preparing this for stable?
Bug was updated: http://www.securityfocus.com/bid/30105/info
dev-zero, betelgeuse, what is your timeline for fixing the blockers?
ahem, blockers have been gone for some time now...
Arches, please test and mark stable: Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 '=net-wireless/bluez-libs-3.3.6'
ppc stable

(In reply to comment #11)
> Arches, please test and mark stable:
> Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86
> '=net-wireless/bluez-libs-3.3.6'

=net-wireless/bluez-libs-3.36 that is
(In reply to comment #12)
> =net-wireless/bluez-libs-3.36 that is

libs itself is of no use, but of course if it works fine with 2* bluez-utils then we should have marked it stable ages ago. For the 3* series you should also mark bluez-utils and bluez-gnome.
(In reply to comment #13)
> (In reply to comment #12)
> > =net-wireless/bluez-libs-3.36 that is
>
> libs itself is of no use, but of course if it works fine with 2* bluez-utils
> then we should have marked it stable ages ago. For the 3* series you should
> also mark bluez-utils and bluez-gnome.

ppc has bluez-utils-3.30 stable for about 3 months, bluez-gnome has no stable version on any architecture - so is anything left for us? If so, please specify which versions you want to have marked as stable. Thanks!
(In reply to comment #14)
> ppc has bluez-utils-3.30 stable for about 3 months, bluez-gnome has no stable
> version on any architecture - so anything left for us? if so, please specify
> which versions you want to have marked as stable. Thanks!

Might as well mark 3.36 for utils too then and bluez-gnome-0.28. Please make sure obex data transfer works with bluez-gnome.
Sparc stable for:
=net-wireless/bluez-libs-3.36
=net-wireless/bluez-utils-3.36
and
=gnome-extra/gnome-vfs-obexftp-0.4
=app-mobilephone/obex-data-server-0.3
=net-wireless/bluez-gnome-0.28

obex data transfer works fine for both directions (mobile -> pc, pc -> mobile)
All three stable for HPPA.
(In reply to comment #15)
> Might as well mark 3.36 for utils too then and bluez-gnome-0.28. Please make
> sure obex data transfer works with bluez-gnome.

ppc stable for utils, recent bluez-gnome has no ~ppc keyword.
alpha/ia64 keywords dropped, no hardware to test
(In reply to comment #19)
> alpha/ia64 keywords dropped, no hardware to test

Just curious: I have changed profile from default 2007.0 to 2008.0 and suddenly "emerge -uDpv --newuse world" shows quite a few packages, among others also bluez-libs. If anything below 3.30 is dangerous, why aren't lower versions masked? The system wanted to install version 2.25 and choked, so I patched the source, and if something hadn't pushed me to look here, I'd just have filed a bug and installed it...
(In reply to comment #20)
> If anything below 3.30 is dangerous, why aren't lower versions masked ?
> System wanted to install version 2.25 and choked, so I pached the source and
> if something didn't push me to look here, I'd just file a bug and install it...

When arches are done, older versions are removed.
ppc64 done for -libs-3.36 and -utils-3.36
I only have a bluetooth adapter on an amd64 system, but 3.36 has worked fine on it for months. My emerge --info:

Portage 2.1.6.4 (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.28-tuxonice-r1 x86_64)
=================================================================
System uname: Linux-2.6.28-tuxonice-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T9300_@_2.50GHz-with-glibc2.2.5
Timestamp of tree: Wed, 28 Jan 2009 21:00:01 +0000
distcc 3.0 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.4.8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=nocona -fomit-frame-pointer"
DISTDIR="/usr/distfiles"
FEATURES="autoaddcvs ccache collision-protect cvs distlocks fixpackages multilib-strict parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.free.fr/mirrors/ftp.gentoo.org"
LANG="es_ES.UTF-8"
LC_ALL="es_ES.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="es es_ES en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/sunrise /usr/local/portage/layman/java-overlay /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 amr avahi bash-completion berkdb bluetooth branding bzip2 cairo cdda cddb cdparanoia cdr cli consolekit cracklib crypt css cups daap dbus dell dirac divx djvu dts dvd dvdr dvdread dvi eds emboss emovix encode epiphany evo exif fam fbcondecor fbsplash ffmpeg flac fortran fuse galago gdbm gif glitz gmedia gnome gnome-keyring gpm gsm gstreamer gtk hal iconv ieee1394 ipv6 isdnlog java java6 jpeg jpeg2k kdeenablefinal kdehiddenvisibility kpathsea ladspa laptop latex lcms ldap libnotify lirc lzma mad midi mikmod mjpeg mmx mmxext mono moonlight mp3 mpeg mudflap multilib musepack musicbrainz nautilus ncurses network network-cron networkmanager nls nptl nptlonly ntp ogg opengl openmp pam pch pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline realmedia reflection scanner schroedinger sdl session smp sms speex spell spl sse sse2 sse3 ssl ssse3 startup-notification svg sysfs t1lib tcpd theora threads tiff totem truetype unicode usb v4l2 vcd vhook vorbis wmf wmp x264 xattr xcb xft xinetd xml xorg xulrunner xv xvid zeroconf zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="es es_ES en_US"
USERLAND="GNU"
VIDEO_CARDS="nvidia nv"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64,x86: Are you lacking hardware to test? I can mail you a bluetooth adapter or trustees are quite likely to sponsor if needed.
(In reply to comment #24)
> amd64,x86: Are you lacking hardware to test? I can mail you a bluetooth adapter
> or trustees are quite likely to sponsor if needed.

I am an AMD64 arch tester and Bluetooth has worked fine with these for months on my amd64 system (sorry, but my x86 doesn't have a bluetooth adapter):

Portage 2.1.6.4 (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.28-tuxonice-r1 x86_64)
=================================================================
System uname: Linux-2.6.28-tuxonice-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T9300_@_2.50GHz-with-glibc2.2.5
Timestamp of tree: Sat, 14 Feb 2009 20:10:13 +0000
distcc 3.0 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.6-r1
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.4.8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=nocona -fomit-frame-pointer"
DISTDIR="/usr/distfiles"
FEATURES="autoaddcvs ccache collision-protect cvs distlocks fixpackages multilib-strict parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.free.fr/mirrors/ftp.gentoo.org"
LANG="es_ES.UTF-8"
LC_ALL="es_ES.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="es es_ES en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/sunrise /usr/local/portage/layman/wschlich-testing /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 amr avahi bash-completion berkdb bluetooth branding bzip2 cairo cdda cddb cdparanoia cdr cli consolekit cracklib crypt css cups daap dbus dell dirac divx djvu dts dvd dvdr dvdread dvi eds emboss emovix encode epiphany evo exif fam fbcondecor fbsplash ffmpeg flac fortran fuse galago gdbm gif glitz gmedia gnome gnome-keyring gpm gsm gstreamer gtk hal iconv ieee1394 ipv6 isdnlog java java6 jpeg jpeg2k kdeenablefinal kdehiddenvisibility kpathsea laptop latex lcms ldap libnotify lzma mad midi mikmod mjpeg mmx mmxext mono moonlight mp3 mpeg mudflap multilib musepack musicbrainz nautilus ncurses network network-cron networkmanager nls nptl nptlonly ntp ogg opengl openmp pam pch pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline realmedia reflection scanner schroedinger sdl session smp sms speex spell spl sse sse2 sse3 ssl ssse3 startup-notification svg sysfs t1lib tcpd theora threads tiff totem truetype unicode usb v4l2 vcd vorbis wmf wmp x264 xattr xcb xft xinetd xml xorg xulrunner xv xvid zeroconf zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="es es_ES en_US"
USERLAND="GNU"
VIDEO_CARDS="nvidia nv"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #24)
> amd64,x86: Are you lacking hardware to test? I can mail you a bluetooth adapter
> or trustees are quite likely to sponsor if needed.

My amd64 laptop has a bluetooth adaptor, but I haven't gotten it running yet. I'll have some time next week; probably you can help me set it up...
Could you please do this as the current stable has problems compiling with current stable according to bug reports.
Why are the trustees on this?
(In reply to comment #28)
> Why are the trustees on this?

See comment #24.
*** Bug 260491 has been marked as a duplicate of this bug. ***
amd64 done.
x86 stable
glsa request filed.
GLSA 200903-29