[Secure-testing-team] Bug#847837: bluez: CVE-2016-9797 CVE-2016-9798 CVE-2016-9799 CVE-2016-9800 CVE-2016-9801 CVE-2016-9802 CVE-2016-9803 CVE-2016-9804 CVE-2016-9917 CVE-2016-9918
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 12 08:30:51 UTC 2016
Source: bluez
Version: 5.43-1
Severity: important
Tags: security upstream
Hi,
the following vulnerabilities were published for bluez.
CVE-2016-9797[0]:
| In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" function
| in "tools/parser/l2cap.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in hcidump crash.
CVE-2016-9798[1]:
| In BlueZ 5.42, a use-after-free was identified in "conf_opt" function
| in "tools/parser/l2cap.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in hcidump crash.
CVE-2016-9799[2]:
| In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci"
| function in "btsnoop.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in btmon crash.
CVE-2016-9800[3]:
| In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump"
| function in "tools/parser/hci.c" source file. The issue exists because
| "pin" array is overflowed by supplied parameter due to lack of boundary
| checks on size of the buffer from frame "pin_code_reply_cp *cp"
| parameter.
CVE-2016-9801[4]:
| In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl"
| function in "tools/parser/l2cap.c" source file when processing
| corrupted dump file.
CVE-2016-9802[5]:
| In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet"
| function in "monitor/packet.c" source file. This issue can be triggered
| by processing a corrupted dump file and will result in btmon crash.
CVE-2016-9803[6]:
| In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump"
| function in "tools/parser/hci.c" source file. This issue exists because
| 'subevent' (which is used to read correct element from 'ev_le_meta_str'
| array) is overflowed.
CVE-2016-9804[7]:
| In BlueZ 5.42, a buffer overflow was observed in "commands_dump"
| function in "tools/parser/csr.c" source file. The issue exists because
| "commands" array is overflowed by supplied parameter due to lack of
| boundary checks on size of the buffer from frame "frm->ptr" parameter.
| This issue can be triggered by processing a corrupted dump file and
| will result in hcidump crash.
CVE-2016-9917[8]:
| In BlueZ 5.42, a buffer overflow was observed in "read_n" function in
| "tools/hcidump.c" source file. This issue can be triggered by
| processing a corrupted dump file and will result in hcidump crash.
CVE-2016-9918[9]:
| In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump"
| function in "monitor/packet.c" source file. This issue can be triggered
| by processing a corrupted dump file and will result in btmon crash.
Although the description mentions only up to 5.42, 5.43 is still
vulnerable to those as well, since no changes were done to those AFAICS.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9797
[1] https://security-tracker.debian.org/tracker/CVE-2016-9798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9798
[2] https://security-tracker.debian.org/tracker/CVE-2016-9799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9799
[3] https://security-tracker.debian.org/tracker/CVE-2016-9800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9800
[4] https://security-tracker.debian.org/tracker/CVE-2016-9801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9801
[5] https://security-tracker.debian.org/tracker/CVE-2016-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9802
[6] https://security-tracker.debian.org/tracker/CVE-2016-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9803
[7] https://security-tracker.debian.org/tracker/CVE-2016-9804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9804
[8] https://security-tracker.debian.org/tracker/CVE-2016-9917
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9917
[9] https://security-tracker.debian.org/tracker/CVE-2016-9918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9918
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
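The pattern shared by several of these CVEs, a length or index taken from the dump file and used against a fixed-size array without a bounds check, can be shown with a small bounded parser. This is an added example written for this page, not BlueZ's code: the frame struct, the PIN Code Request Reply layout (bdaddr, pin_len, pin_code, following the HCI command parameters) and the sub-event name table are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical parsed-frame view modelled on the "frm->ptr" the report
 * mentions (pointer into the dump plus bytes remaining); not BlueZ's type. */
struct frame { const uint8_t *ptr; size_t len; };
#define PIN_MAX 16  /* HCI PIN codes are at most 16 bytes */
/* Assumed LE meta sub-event name table (entries illustrative). The code read
 * from the file is compared against the table size before indexing. */
static const char *le_meta_str[] = { "Unknown", "LE Connection Complete",
                                     "LE Advertising Report" };
const char *le_meta_name(uint8_t subevent)
{
    size_t n = sizeof(le_meta_str) / sizeof(le_meta_str[0]);
    return subevent < n ? le_meta_str[subevent] : le_meta_str[0];
}

/* PIN Code Request Reply: bdaddr[6], pin_len[1], pin_code[pin_len].
 * Returns the PIN length copied into out (NUL-terminated), or -1 if the
 * frame is truncated or pin_len exceeds the fixed destination array. */
int pin_code_reply_parse(const struct frame *frm, char out[PIN_MAX + 1])
{
    if (frm->len < 7) return -1;                   /* bdaddr + pin_len missing */
    uint8_t pin_len = frm->ptr[6];
    if (pin_len > PIN_MAX) return -1;              /* the check the CVE lacks */
    if (frm->len < 7 + (size_t)pin_len) return -1; /* length runs past frame */
    memcpy(out, frm->ptr + 7, pin_len);
    out[pin_len] = '\0';
    return pin_len;
}
/* Constructed sample frames (not from a real capture); pin_out receives the PIN. */
static const uint8_t sample_ok[] = { 1, 2, 3, 4, 5, 6, 4, '1', '2', '3', '4' };
static const uint8_t sample_bad_len[] = { 1, 2, 3, 4, 5, 6, 40 };
static char pin_out[PIN_MAX + 1];
int parse_sample(const uint8_t *buf, size_t n)
{
    struct frame frm = { buf, n };
    return pin_code_reply_parse(&frm, pin_out);
}

int main(void)
{
    printf("ok=%d bad_len=%d truncated=%d sub200=%s\n",
           parse_sample(sample_ok, sizeof sample_ok),
           parse_sample(sample_bad_len, sizeof sample_bad_len),
           parse_sample(sample_ok, 8), le_meta_name(200));
    return 0;
}
```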