[Pkg-bluetooth-maintainers] Bug#847837: bluez: CVE-2016-9797 CVE-2016-9798 CVE-2016-9799 CVE-2016-9800 CVE-2016-9801 CVE-2016-9802 CVE-2016-9803 CVE-2016-9804 CVE-2016-9917 CVE-2016-9918

Salvatore Bonaccorso carnil at debian.org
Mon Dec 12 08:30:51 UTC 2016


Source: bluez
Version: 5.43-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for bluez.

CVE-2016-9797[0]:
| In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" function
| in "tools/parser/l2cap.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in hcidump crash.

CVE-2016-9798[1]:
| In BlueZ 5.42, a use-after-free was identified in "conf_opt" function
| in "tools/parser/l2cap.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in hcidump crash.

CVE-2016-9799[2]:
| In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci"
| function in "btsnoop.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in btmon crash.

CVE-2016-9800[3]:
| In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump"
| function in "tools/parser/hci.c" source file. The issue exists because
| "pin" array is overflowed by supplied parameter due to lack of boundary
| checks on size of the buffer from frame "pin_code_reply_cp *cp"
| parameter.

CVE-2016-9801[4]:
| In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl"
| function in "tools/parser/l2cap.c" source file when processing
| corrupted dump file.

CVE-2016-9802[5]:
| In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet"
| function in "monitor/packet.c" source file. This issue can be triggered
| by processing a corrupted dump file and will result in btmon crash.

CVE-2016-9803[6]:
| In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump"
| function in "tools/parser/hci.c" source file. This issue exists because
| 'subevent' (which is used to read correct element from 'ev_le_meta_str'
| array) is overflowed.

CVE-2016-9804[7]:
| In BlueZ 5.42, a buffer overflow was observed in "commands_dump"
| function in "tools/parser/csr.c" source file. The issue exists because
| "commands" array is overflowed by supplied parameter due to lack of
| boundary checks on size of the buffer from frame "frm->ptr" parameter.
| This issue can be triggered by processing a corrupted dump file and
| will result in hcidump crash.

CVE-2016-9917[8]:
| In BlueZ 5.42, a buffer overflow was observed in "read_n" function in
| "tools/hcidump.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in hcidump crash.

CVE-2016-9918[9]:
| In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump"
| function in "monitor/packet.c" source file. This issue can be triggered
| by processing a corrupted dump file and will result in btmon crash.

Although the descriptions mention only 5.42, 5.43 is still vulnerable to
those as well, since no changes were done to those AFAICS.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9797
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9797
[1] https://security-tracker.debian.org/tracker/CVE-2016-9798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9798
[2] https://security-tracker.debian.org/tracker/CVE-2016-9799
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9799
[3] https://security-tracker.debian.org/tracker/CVE-2016-9800
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9800
[4] https://security-tracker.debian.org/tracker/CVE-2016-9801
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9801
[5] https://security-tracker.debian.org/tracker/CVE-2016-9802
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9802
[6] https://security-tracker.debian.org/tracker/CVE-2016-9803
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9803
[7] https://security-tracker.debian.org/tracker/CVE-2016-9804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9804
[8] https://security-tracker.debian.org/tracker/CVE-2016-9917
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9917
[9] https://security-tracker.debian.org/tracker/CVE-2016-9918
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9918

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
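The pattern behind CVE-2016-9800 (a length byte taken from the frame and trusted when copying into a fixed-size buffer) in a hardened form, as an added example that is not BlueZ code: the struct layout, the frame type and the function names are constructed for illustration, with only the 16-octet PIN_Code field size taken from the HCI command definition. The same frame-length check guards against the over-read class listed for the other CVEs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HCI_MAX_PIN_LEN 16   /* the HCI PIN_Code field is 16 octets */

/* Constructed stand-in for the PIN Code Reply parameters (bdaddr,
 * pin_len, pin_code[16]); all members are uint8_t, so sizeof() is 23. */
struct pin_code_reply_cp {
    uint8_t bdaddr[6];
    uint8_t pin_len;
    uint8_t pin_code[HCI_MAX_PIN_LEN];
};

/* Hypothetical parsed frame: a window into the dump-file buffer. */
struct frame { const uint8_t *ptr; size_t len; };

/* Hardened "print the PIN" step. The unchecked shape copies
 * cp->pin_len bytes into a fixed local buffer, and a corrupted dump can
 * set pin_len to 255, so the frame length and pin_len are validated
 * before anything is copied. Returns the PIN length; -1 if the frame is
 * shorter than the parameter block (would over-read the dump buffer);
 * -2 if pin_len exceeds the field (would overflow 'out').
 * 'out' must have room for HCI_MAX_PIN_LEN + 1 bytes. */
int pin_code_reply_dump_checked(const struct frame *frm, char *out)
{
    const struct pin_code_reply_cp *cp;

    if (frm->len < sizeof(*cp))
        return -1;
    cp = (const struct pin_code_reply_cp *)frm->ptr;
    if (cp->pin_len > HCI_MAX_PIN_LEN)
        return -2;
    memcpy(out, cp->pin_code, cp->pin_len);
    out[cp->pin_len] = '\0';
    return (int)cp->pin_len;
}

/* Build a constructed frame in 'buf' (at least 23 bytes); pin_len is
 * taken as given so a corrupted value (e.g. 255) can be modelled. */
size_t build_pin_frame(uint8_t *buf, uint8_t pin_len, const char *pin)
{
    struct pin_code_reply_cp cp = {0};
    size_t n = strlen(pin);
    cp.pin_len = pin_len;
    memcpy(cp.pin_code, pin, n > HCI_MAX_PIN_LEN ? HCI_MAX_PIN_LEN : n);
    memcpy(buf, &cp, sizeof(cp));
    return sizeof(cp);
}
```

A well-formed frame with pin_len 4 yields 4; a frame carrying pin_len 255 is rejected with -2 before any copy, and a frame truncated to 10 bytes is rejected with -1.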