Univention Bugzilla – Bug 55340
bluez: Multiple issues (5.0)
Last modified: 2022-10-26 16:32:15 CEST
New Debian bluez 5.50-1.2~deb10u3 fixes: This update addresses the following issues:
* information leak in service_attr_req() in sdpd-request.c via a crafted CSTATE (CVE-2019-8921)
* heap-based buffer overflow via crafted request (CVE-2019-8922)
* memory leak in the SDP protocol (CVE-2021-41229)
* use-after-free in gatt-database.c (CVE-2021-43400)
* heap-based buffer overflow in the implementation of the gatt protocol (CVE-2022-0204)
* BlueZ allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len (CVE-2022-39176)
* BlueZ allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c (CVE-2022-39177)
--- mirror/ftp/pool/main/b/bluez/bluez_5.50-1.2~deb10u2.dsc +++ apt/ucs_5.0-0-errata5.0-2/source/bluez_5.50-1.2~deb10u3.dsc 
@@ -1,3 +1,35 @@ +5.50-1.2~deb10u3 [Sat, 22 Oct 2022 18:39:32 +0200] Sylvain Beucler <beuc@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * CVE-2019-8921: SDP infoleak, the vulnerability lies in the handling of + a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a + malicious CSTATE, it is possible to trick the server into returning + more bytes than the buffer actually holds, resulting in leaking + arbitrary heap data. + * CVE-2019-8922: SDP Heap Overflow; this vulnerability lies in the SDP + protocol handling of attribute requests as well. By requesting a huge + number of attributes at the same time, an attacker can overflow the + static buffer provided to hold the response. + * CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will + always be hung in the singly linked list of cstates and will not be + freed. This will cause a memory leak over time. The data can be a very + large object, which can be caused by an attacker continuously sending + sdp packets and this may cause the service of the target device to + crash. (Closes: #1000262) + * CVE-2021-43400: a use-after-free in gatt-database.c can occur when a + client disconnects during D-Bus processing of a WriteValue + call. (Closes: #998626) + * CVE-2022-0204: a heap overflow vulnerability was found in bluez. An + attacker with local network access could pass specially crafted files + causing an application to halt or crash, leading to a denial of + service. (Closes: #1003712) + * CVE-2022-39176: BlueZ allows physically proximate attackers to obtain + sensitive information because profiles/audio/avrcp.c does not validate + params_len. + * CVE-2022-39177: BlueZ allows physically proximate attackers to cause a + denial of service because malformed and invalid capabilities can be + processed in profiles/audio/avdtp.c. + 5.50-1.2~deb10u2 [Wed, 04 Aug 2021 21:18:19 +0200] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload by the Security Team. 
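Review bot: The new changelog entry for CVE-2022-0204 describes "specially crafted files" and an attacker "with local network access", which does not match the summary at the top of this bug ("heap-based buffer overflow in the implementation of the gatt protocol"); the entry should name the affected GATT code path so that readers of the changelog can tell which component was patched. Also, the entries for CVE-2019-8921, CVE-2019-8922, CVE-2022-39176 and CVE-2022-39177 carry no "(Closes: #...)" reference, unlike the three entries for the 2021 and 2022-0204 CVEs; if Debian bugs exist for them, add the references so the fix is traceable from the bug tracker as well as from the CVE id.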
<http://piuparts.knut.univention.de/5.0-2/#5783600677329399304>
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] 4e27268e38 Bug #55340: bluez 5.50-1.2~deb10u3
 doc/errata/staging/bluez.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

[5.0-2] b5a8f39b69 Bug #55340: bluez 5.50-1.2~deb10u3
 doc/errata/staging/bluez.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x470>