[Pkg-bluetooth-maintainers] Bug#847837: bluez: CVE-2016-9797 CVE-2016-9798 CVE-2016-9799 CVE-2016-9800 CVE-2016-9801 CVE-2016-9802 CVE-2016-9803 CVE-2016-9804 CVE-2016-9917 CVE-2016-9918

Moritz Mühlenhoff jmm at inutil.org
Sat Sep 30 09:55:16 UTC 2017


On Mon, Dec 12, 2016 at 09:30:51AM +0100, Salvatore Bonaccorso wrote:
> Source: bluez
> Version: 5.43-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerabilities were published for bluez.
> 
> CVE-2016-9797[0]:
> | In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" function
> | in "tools/parser/l2cap.c" source file. This issue can be triggered by
> | processing a corrupted dump file and will result in hcidump crash.
> 
> CVE-2016-9798[1]:
> | In BlueZ 5.42, a use-after-free was identified in "conf_opt" function
> | in "tools/parser/l2cap.c" source file. This issue can be triggered by
> | processing a corrupted dump file and will result in hcidump crash.
> 
> CVE-2016-9799[2]:
> | In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci"
> | function in "btsnoop.c" source file. This issue can be triggered by
> | processing a corrupted dump file and will result in btmon crash.
> 
> CVE-2016-9800[3]:
> | In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump"
> | function in "tools/parser/hci.c" source file. The issue exists because
> | "pin" array is overflowed by supplied parameter due to lack of boundary
> | checks on size of the buffer from frame "pin_code_reply_cp *cp"
> | parameter.
> 
> CVE-2016-9801[4]:
> | In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl"
> | function in "tools/parser/l2cap.c" source file when processing
> | corrupted dump file.
> 
> CVE-2016-9802[5]:
> | In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet"
> | function in "monitor/packet.c" source file. This issue can be triggered
> | by processing a corrupted dump file and will result in btmon crash.
> 
> CVE-2016-9803[6]:
> | In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump"
> | function in "tools/parser/hci.c" source file. This issue exists because
> | 'subevent' (which is used to read correct element from 'ev_le_meta_str'
> | array) is overflowed.
> 
> CVE-2016-9804[7]:
> | In BlueZ 5.42, a buffer overflow was observed in "commands_dump"
> | function in "tools/parser/csr.c" source file. The issue exists because
> | "commands" array is overflowed by supplied parameter due to lack of
> | boundary checks on size of the buffer from frame "frm->ptr" parameter.
> | This issue can be triggered by processing a corrupted dump file and
> | will result in hcidump crash.
> 
> CVE-2016-9917[8]:
> | In BlueZ 5.42, a buffer overflow was observed in "read_n" function in
> | "tools/hcidump.c" source file. This issue can be triggered by
> | processing a corrupted dump file and will result in hcidump crash.
> 
> CVE-2016-9918[9]:
> | In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump"
> | function in "monitor/packet.c" source file. This issue can be triggered
> | by processing a corrupted dump file and will result in btmon crash.
> 
> Although the description mentions only up to 5.42, 5.43 is still
> vulnerable to those as well, since no changes were done to those AFAICS.

Hi Nobuhiro,
did you have a chance to review whether these (partly or fully)
are fixed in your 5.47-1 upload?

Cheers,
        Moritz
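As an added illustration (not BlueZ's own code and not the fix for these bugs) of the missing-bounds-check pattern behind CVE-2016-9800 and the other dump-parser overflows listed above, the following C parser reads a PIN code reply from an untrusted dump frame and rejects it before any copy into the fixed-size buffer. The frame layout (6-byte address, 1-byte length, up to 16 PIN bytes) is an assumption modelled on pin_code_reply_cp, and the sample frames are constructed.

```c
/* Added example (not BlueZ code): the bounds-check pattern missing from the
 * parser bugs listed above. Frame layout is assumed: 6-byte address,
 * 1-byte pin_len, then up to 16 PIN bytes, modelled on pin_code_reply_cp. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIN_MAX 16
struct frame { const uint8_t *ptr; size_t len; };   /* bytes read from a dump file */
struct pin_reply { uint8_t bdaddr[6]; uint8_t pin_len; uint8_t pin[PIN_MAX]; };

/* Returns 0 on success, -1 if the frame is truncated or pin_len exceeds the
 * fixed pin buffer. Both checks happen before any copy touches out->pin. */
int parse_pin_code_reply(const struct frame *frm, struct pin_reply *out)
{
    if (frm->len < 7)                    /* need address + pin_len byte */
        return -1;
    uint8_t pin_len = frm->ptr[6];       /* untrusted: comes from the dump */
    if (pin_len > PIN_MAX)               /* the check the overflow lacks */
        return -1;
    if (frm->len < 7 + (size_t)pin_len)  /* declared length vs bytes present */
        return -1;
    memcpy(out->bdaddr, frm->ptr, 6);
    out->pin_len = pin_len;
    memset(out->pin, 0, PIN_MAX);
    memcpy(out->pin, frm->ptr + 7, pin_len);
    return 0;
}

/* Constructed sample frames; each helper returns the parser's verdict. */
int demo_valid_frame(void)          /* well-formed 4-digit PIN: expect 1 */
{
    static const uint8_t buf[] = { 1,2,3,4,5,6, 4, '1','2','3','4' };
    struct frame frm = { buf, sizeof buf }; struct pin_reply r;
    return parse_pin_code_reply(&frm, &r) == 0 && r.pin_len == 4 && r.pin[3] == '4';
}
int demo_oversized_pin_len(void)    /* pin_len 200 would overrun pin[16]: expect -1 */
{
    static const uint8_t buf[] = { 1,2,3,4,5,6, 200, 'x','x' };
    struct frame frm = { buf, sizeof buf }; struct pin_reply r;
    return parse_pin_code_reply(&frm, &r);
}
int demo_truncated_frame(void)      /* pin_len 8 but only 2 PIN bytes: expect -1 */
{
    static const uint8_t buf[] = { 1,2,3,4,5,6, 8, 'a','b' };
    struct frame frm = { buf, sizeof buf }; struct pin_reply r;
    return parse_pin_code_reply(&frm, &r);
}
```

The same two checks (declared length against the destination buffer, and against the bytes actually left in the frame) apply to the other fixed-size arrays named in the descriptions above.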
