Your message dated Tue, 21 Feb 2006 13:47:11 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#351881: fixed in bluez-hcidump 1.30-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: bluez-hcidump
Severity: important
Tags: security

This was posted to the VulnWatch list, I'm not sure whether it can only be abused to interfere with the sniffing of Bluetooth traffic or whether more harm can be done. If it's the former, it's probably harmless, but please check.

Cheers,
Moritz

[Software affected]
hcidump

[Version]
1.29 (may be other)

[Impact]
Denial of Service (may be more)

[Credits]
Pierre Betouin - [EMAIL PROTECTED] - Bug found with BSS v0.6 GPL fuzzer (Bluetooth Stack Smasher)
BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor]
was notified

[Original advisory]
http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC]
download it on http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]
# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11
< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
    L2CAP(s): debug : code=8 Echo req: dlen 12
    L2CAP(s): debug : code=0 code 0x00 ident 0 len 0
    (...)
    L2CAP(s): debug : code=0 code 0x00 ident 0 len 0
segmentation fault

[Affected code location]
l2cap.c

[Affected code]
    while (frm->len >= L2CAP_CMD_HDR_SIZE) {
        l2cap_cmd_hdr *hdr = frm->ptr;
        frm->ptr += L2CAP_CMD_HDR_SIZE;
        frm->len -= L2CAP_CMD_HDR_SIZE;

        if (!p_filter(FILT_L2CAP)) {
            p_indent(level, frm);
            printf("L2CAP(s): ");
        }

        switch (hdr->code) {
        (...)
        default:
            if (p_filter(FILT_L2CAP))
                break;
            printf("code 0x%2.2x ident %d len %d\n",
                hdr->code, hdr->ident, btohs(hdr->len));
            raw_dump(level, frm);
        }

        /* hdr->len comes straight from the packet and is never
         * compared against frm->len before the cursor advances */
        frm->ptr += btohs(hdr->len);
        frm->len -= btohs(hdr->len);
    }

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
--- End Message ---
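The loop quoted in the report above, as an added illustration that is neither hcidump's code nor the 1.30 fix: it replays the 1.29 loop's length arithmetic on a constructed frame to show the point where an over-long command length would wrap frm->len and push the cursor past the capture, beside a walk that checks each command's length against the remaining bytes before advancing. The frame struct, the le16 helper, the function names and the sample frames are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#define L2CAP_CMD_HDR_SIZE 4

/* Stand-in for hcidump's frame cursor: data pointer plus remaining length. */
struct frame { const uint8_t *ptr; uint32_t len; };
/* Little-endian 16-bit read, what btohs(hdr->len) yields for the wire field. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Replays the 1.29 loop's length arithmetic without reading past the buffer.
 * Returns 1 where that loop would subtract a command length larger than the
 * bytes left: frm.len wraps, frm.ptr leaves the capture, and it reads on until it faults. */
static int unchecked_loop_wraps(const uint8_t *buf, uint32_t n) {
    struct frame frm = { buf, n };
    while (frm.len >= L2CAP_CMD_HDR_SIZE) {
        uint16_t dlen = le16(frm.ptr + 2);
        frm.ptr += L2CAP_CMD_HDR_SIZE;
        frm.len -= L2CAP_CMD_HDR_SIZE;
        if (dlen > frm.len)
            return 1;               /* 1.29 would do frm.len -= dlen here */
        frm.ptr += dlen;
        frm.len -= dlen;
    }
    return 0;
}

/* Hardened walk: a command's payload must fit in the remaining frame before the
 * cursor advances over it. Returns the number of complete commands, or -1 as soon
 * as a command claims more bytes than are left (assumed fix, not the 1.30 one). */
static int l2cap_sig_walk(const uint8_t *buf, uint32_t n) {
    struct frame frm = { buf, n };
    int count = 0;
    while (frm.len >= L2CAP_CMD_HDR_SIZE) {
        uint8_t code = frm.ptr[0], ident = frm.ptr[1];
        uint16_t dlen = le16(frm.ptr + 2);
        frm.ptr += L2CAP_CMD_HDR_SIZE;
        frm.len -= L2CAP_CMD_HDR_SIZE;
        if (dlen > frm.len)
            return -1;              /* the bound check the 1.29 loop lacks */
        printf("code 0x%2.2x ident %d len %d\n", code, ident, dlen);
        frm.ptr += dlen;
        frm.len -= dlen;
        count++;
    }
    return count;
}
/* Constructed frames (signalling payload only, after the 4-byte L2CAP header). */
static const uint8_t poc_frame[] = { 0x08, 0x01, 0x0B, 0x00, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };        /* len 11, 11 bytes follow */
static const uint8_t bad_frame[] = { 0x08, 0x01, 0x0C, 0x00, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };        /* len 12, only 11 follow */
```

The first frame mirrors the advisory's buffer and is consumed cleanly; the second differs only in its length field, which is enough to make the unchecked arithmetic leave the buffer.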
--- Begin Message ---
Source: bluez-hcidump
Source-Version: 1.30-1

We believe that the bug you reported is fixed in the latest version of bluez-hcidump, which is due to be installed in the Debian FTP archive:

bluez-hcidump_1.30-1.diff.gz
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30-1.diff.gz
bluez-hcidump_1.30-1.dsc
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30-1.dsc
bluez-hcidump_1.30-1_powerpc.deb
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30-1_powerpc.deb
bluez-hcidump_1.30.orig.tar.gz
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Filippo Giunchedi <[EMAIL PROTECTED]> (supplier of updated bluez-hcidump package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 21 Feb 2006 19:16:39 +0100
Source: bluez-hcidump
Binary: bluez-hcidump
Architecture: source powerpc
Version: 1.30-1
Distribution: unstable
Urgency: low
Maintainer: Debian Bluetooth Maintainers <[EMAIL PROTECTED]>
Changed-By: Filippo Giunchedi <[EMAIL PROTECTED]>
Description:
 bluez-hcidump - Analyses Bluetooth HCI packets
Closes: 351881
Changes:
 bluez-hcidump (1.30-1) unstable; urgency=low
 .
   * New upstream release, this fixes the remote DoS in l2cap.c
     CVE-2006-0670 (Closes: #351881)
Files:
 7e2999c80e740afeeb9980c45446041f 776 admin extra bluez-hcidump_1.30-1.dsc
 46ac502055ccab1fd6f11cab7187e9c7 136524 admin extra bluez-hcidump_1.30.orig.tar.gz
 d05f7583fc3e6029df25a740e3fa095e 2242 admin extra bluez-hcidump_1.30-1.diff.gz
 192c271fe95413557aa600b2b89f7f0e 86964 admin extra bluez-hcidump_1.30-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD+3S7ABzeamt51AERAqmgAKCm0sOtCIPTebpF/z2/vcZgZum4xACeOuHx
pqCo9stlsxEhT5Sy+YiQnK0=
=HFNL
-----END PGP SIGNATURE-----
--- End Message ---

