CVE-2022-0204 (https://bugzilla.redhat.com/show_bug.cgi?id=2039807): A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service. The GitHub advisory claims this can result in remote code execution, but RedHat closed the bug as NOTABUG without explanation, yet gave this a CVE anyway, with a different impact than the advisory.
This is the patch: https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0 So, please clean up.
Sorry, right, we need stabilization here
Now please clean up :)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce2e1c7de43ea080fbf8e1dea2af821993d8d6d6

commit ce2e1c7de43ea080fbf8e1dea2af821993d8d6d6
Author: Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2022-04-18 16:23:31 +0000
Commit: Pacho Ramos <pacho@gentoo.org>
CommitDate: 2022-04-18 16:23:31 +0000

    net-wireless/bluez: drop 5.62-r2, 5.62-r3, 5.63-r1

    Bug: https://bugs.gentoo.org/835077
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 net-wireless/bluez/Manifest                                        |   2 -
 net-wireless/bluez/bluez-5.62-r2.ebuild                            | 285 -----------
 net-wireless/bluez/bluez-5.62-r3.ebuild                            | 295 -----------
 net-wireless/bluez/bluez-5.63-r1.ebuild                            | 295 -----------
 ...1-Revert-attrib-Make-use-of-bt_att_resend.patch                 | 188 -------
 ...hog-Fix-read-order-of-attributes-rediffed.patch                 | 542 ---------------------
 ...while-uhid-device-has-not-been-c-rediffed.patch                 |  90 ----
 .../bluez/files/bluez-5.62-fix-disconnecting.patch                 |  54 --
 8 files changed, 1751 deletions(-)
(In reply to John Helmert III from comment #0)
> CVE-2022-0204 (https://bugzilla.redhat.com/show_bug.cgi?id=2039807):
>
> A heap overflow vulnerability was found in bluez in versions prior to 5.63.
> An attacker with local network access could pass specially crafted files
> causing an application to halt or crash, leading to a denial of service.
>
> The GitHub advisory claims this can result in remote code execution,
> but RedHat closed the bug as NOTABUG without explanation, yet gave
> this a CVE anyway, with a different impact than the advisory.

I asked about the discrepancy between the impact in the bug and the CVE on the bug (https://bugzilla.redhat.com/show_bug.cgi?id=2039807#c5) in March, then asked by mail on the 29th, then pinged again on April 8 and got no response to any of it.
I've pinged RedHat one more time, but I suppose we'll just GLSA and trust the Github advisory if I don't hear from them soon. GLSA request filed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=84d576b12052186017c2b0197f8b202a48dd8f32

commit 84d576b12052186017c2b0197f8b202a48dd8f32
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:21:34 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:47:58 +0000

    [ GLSA 202209-16 ] BlueZ: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/797712
    Bug: https://bugs.gentoo.org/835077
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-16.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
GLSA released, all done!