The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading.
bluez $ git tag --contains 3a40bef49
Actually, an Intel advisory seems to indicate 5.57 fixes a couple more CVEs:
Description: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
Description: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
(In reply to John Helmert III from comment #1)
> Actually, an Intel advisory seems to indicate 5.57 fixes a couple more CVEs:
Forgot to actually link the advisory:
The bug has been referenced in the following commit(s):
Author: Pacho Ramos <email@example.com>
AuthorDate: 2021-06-23 07:52:09 +0000
Commit: Pacho Ramos <firstname.lastname@example.org>
CommitDate: 2021-06-23 07:53:39 +0000
net-wireless/bluez: Drop old
Package-Manager: Portage-3.0.19, Repoman-3.0.3
Signed-off-by: Pacho Ramos <email@example.com>
net-wireless/bluez/Manifest | 2 -
net-wireless/bluez/bluez-5.55.ebuild | 299 ---------------------
net-wireless/bluez/bluez-5.56-r1.ebuild | 296 --------------------
.../bluez/files/bluez-5.56-avdtp-disconnects.patch | 41 ---
4 files changed, 638 deletions(-)