[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-07-01 Thread Daniel van Vugt
bluez (5.53-0ubuntu3.2) focal-security; urgency=medium

  * SECURITY UPDATE: secure pairing passkey brute force
    - debian/patches/CVE-2020-26558.patch: fix not properly checking for
      secure flags in src/shared/att-types.h, src/shared/gatt-server.c.
    - CVE-2020-26558
  * SECURITY UPDATE: DoS or code execution via double-free
    - debian/patches/CVE-2020-27153.patch: fix possible crash on disconnect
      in src/shared/att.c.
    - CVE-2020-27153
  * SECURITY UPDATE: info disclosure via out of bounds read
    - debian/patches/CVE-2021-3588.patch: when client features is read
      check if the offset is within the cli_feat bounds in
      src/gatt-database.c.
    - CVE-2021-3588

 -- Marc Deslauriers   Wed, 09 Jun 2021 11:06:38 -0400

** Changed in: bluez (Ubuntu Focal)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information
  leakage

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released
Status in bluez source package in Focal:
  Fix Released
Status in bluez source package in Groovy:
  Fix Released
Status in bluez source package in Hirsute:
  Fix Released
Status in bluez source package in Impish:
  Fix Released

Bug description:
  I installed the latest bluez 5.53-0ubuntu3 version using apt-get install. It
  seems that this vulnerability was silently fixed in the latest bluez5.8, and
  the CVE number was not assigned.
  But this vulnerability now affects the latest Ubuntu system.
  This vulnerability allows an attacker to remotely obtain most of the contents
  of the heap without authentication.
  The vulnerable code is in cli_feat_read_cb; this function does not
  verify the offset parameter.
  The vulnerable code is as follows:

  gatt-database.c

  1054:static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
                                    unsigned int id, uint16_t offset,
                                    uint8_t opcode, struct bt_att *att,
                                    void *user_data)
  {
          ...
          len = sizeof(state->cli_feat) - offset;
          value = len ? &state->cli_feat[offset] : NULL;

  done:
          gatt_db_attribute_read_result(attrib, id, ecode, value, len);
  }

  len will become very large due to integer overflow, so that a message of MTU
  (0x90) size will be sent later.
  The message content is the buffer pointed to by value, which can be most
  addresses on the heap.

  The PoC is very simple; the core is this line of code:

  memcpy([0],"\x0c\x0b\x00\x0d\x00",5);

  0xc stands for read
  \x0b\x00 represents the handle of the client feature, which can be obtained
  through the find info message, which seems to be 0b by default
  \x0d\x00 is offset 0xd

  This vulnerability is serious.
  I want to apply for a CVE number, although this has been silently fixed in
  the latest version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/bluez/+bug/1926548/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
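The length arithmetic the reporter points at, worked through as an added example. This is not code from bluez, from the Ubuntu patch, or from anyone in this thread; it is a stand-alone model of the read callback's length computation beside a bounds-checked version of the kind the changelog entry for CVE-2021-3588 describes ("check if the offset is within the cli_feat bounds"). Everything beyond the two lines quoted in the bug report is an assumption of this example: the struct device_state layout with a one-byte cli_feat array, the read_result struct, the ATT_ERROR_INVALID_OFFSET name (the value 0x07 is the ATT "Invalid Offset" error code from the Bluetooth Core specification), and bytes_that_would_be_sent as a model of an ATT read response being capped at MTU - 1 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the per-device state in bluez's gatt-database.c.
 * Only cli_feat matters here: it is the Client Supported Features value that
 * cli_feat_read_cb hands back to the remote reader. The one-byte array is an
 * assumption for this example; the real struct carries other fields. */
struct device_state {
	uint8_t cli_feat[1];
};

/* One constructed, zero-initialised device state so the functions below can
 * be exercised without any Bluetooth stack present. */
static struct device_state sample_state;

/* ATT "Invalid Offset" error code (0x07 in the Bluetooth Core spec).
 * The macro name is this example's own, not a bluez identifier. */
#define ATT_ERROR_INVALID_OFFSET 0x07

/* What a read callback produces: an ATT error code (0 = success) plus the
 * slice of the attribute value to send back. */
struct read_result {
	uint8_t ecode;
	const uint8_t *value;
	size_t len;
};

/* The arithmetic from the reported code, unchanged: size_t minus uint16_t.
 * For offset > sizeof(cli_feat) the subtraction cannot go negative; it wraps
 * to a huge unsigned value, so len is non-zero and the matching pointer
 * &cli_feat[offset] lands past the end of the array. That wrap is the
 * out-of-bounds read the bug report describes. */
size_t read_len_unchecked(const struct device_state *state, uint16_t offset)
{
	return sizeof(state->cli_feat) - offset;
}

/* Hardened form: refuse an offset beyond the end of the value before any
 * arithmetic happens. offset == sizeof(cli_feat) is still accepted and
 * yields an empty response, preserving the original "len ? ... : NULL"
 * behaviour for a read that starts exactly at the end. */
struct read_result read_checked(const struct device_state *state,
				uint16_t offset)
{
	struct read_result r = { 0, NULL, 0 };

	if (offset > sizeof(state->cli_feat)) {
		r.ecode = ATT_ERROR_INVALID_OFFSET;
		return r;
	}

	r.len = sizeof(state->cli_feat) - offset;
	r.value = r.len ? &state->cli_feat[offset] : NULL;
	return r;
}

/* Model of what the transport does with a wrapped length (assumption: an ATT
 * read response carries at most MTU - 1 bytes of value). The wrapped len does
 * not crash the daemon; it is clamped, and the response is filled from
 * whatever heap memory follows cli_feat. */
size_t bytes_that_would_be_sent(size_t len, size_t mtu)
{
	return len > mtu - 1 ? mtu - 1 : len;
}

int main(void)
{
	uint16_t offset = 0x0d;   /* the offset from the bug report */
	size_t mtu = 0x90;        /* the MTU the reporter observed */
	size_t bad = read_len_unchecked(&sample_state, offset);
	struct read_result good = read_checked(&sample_state, offset);

	printf("unchecked: len = %zu (wrapped), would send %zu bytes\n",
	       bad, bytes_that_would_be_sent(bad, mtu));
	printf("checked:   ecode = 0x%02x, len = %zu, value = %p\n",
	       good.ecode, good.len, (const void *)good.value);
	return 0;
}
```

Build with `cc -Wall -Wextra example.c && ./a.out`. The unchecked path reports a len just below SIZE_MAX and a clamped send of 0x8f bytes; the checked path returns error 0x07 with no data, which is the behaviour a patched server should show when probed with an out-of-range offset.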


[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-07-01 Thread Daniel van Vugt
bluez (5.55-0ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: secure pairing passkey brute force
    - debian/patches/CVE-2020-26558.patch: fix not properly checking for
      secure flags in src/shared/att-types.h, src/shared/gatt-server.c.
    - CVE-2020-26558
  * SECURITY UPDATE: info disclosure via out of bounds read
    - debian/patches/CVE-2021-3588.patch: when client features is read
      check if the offset is within the cli_feat bounds in
      src/gatt-database.c.
    - CVE-2021-3588

 -- Marc Deslauriers   Wed, 09 Jun 2021 11:01:25 -0400

** Also affects: bluez (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26558

** Changed in: bluez (Ubuntu Groovy)
   Status: New => Fix Released

** Also affects: bluez (Ubuntu Focal)
   Importance: Undecided
   Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27153



[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-09 Thread Seth Arnold
Wonderful, thanks Daniel!



[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-09 Thread Daniel van Vugt
(checks again) Yes, fixed in 5.56 looks right.

commit 3a40bef49305f8327635b81ac8be52a3ca063d5a
Author: Luiz Augusto von Dentz 
AuthorDate: Mon Jan 4 10:38:31 2021 -0800
Commit: Luiz Augusto von Dentz 
CommitDate: Tue Jan 5 10:41:27 2021 -0800

landed on master before the next tag, which was:

commit 482929f12b645f652d378fbe8d0a5b7c05d65c4f (tag: 5.56)
Author: Marcel Holtmann 
AuthorDate: Mon Feb 22 21:12:40 2021 +0100
Commit: Marcel Holtmann 
CommitDate: Mon Feb 22 21:12:40 2021 +0100

However, it doesn't look like it's present on master anymore because it
was rewritten 6 hours later:

commit 6a50b6aeda78a88eafb177718109c256eec077a6
Author: Luiz Augusto von Dentz 
AuthorDate: Tue Jan 5 16:45:37 2021 -0800
Commit: Luiz Augusto von Dentz 
CommitDate: Tue Jan 5 16:55:32 2021 -0800

I assume the rewrite is free of the original bug, and so still fixed in
5.56.



[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-09 Thread Seth Arnold
Daniel, are you sure about that fixed-in-5.56 bug tag? I can't spot the
referenced commit in the tarballs 5.55, 5.56, 5.57, 5.58 from:
http://www.bluez.org/

nor in the github sources:
https://github.com/bluez/bluez/blob/master/src/gatt-database.c#L1054

nor the kernel.org sources:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/src/gatt-database.c#n1054

Thanks



[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-09 Thread Bug Watch Updater
** Changed in: bluez
   Status: Unknown => Fix Released



[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-08 Thread Daniel van Vugt
** Also affects: bluez via
   https://github.com/bluez/bluez/issues/70
   Importance: Unknown
   Status: Unknown

** Tags added: fixed-in-5.56 fixed-upstream

** Also affects: bluez (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Also affects: bluez (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Changed in: bluez (Ubuntu Hirsute)
   Status: New => Fix Released

** Changed in: bluez (Ubuntu Impish)
   Status: New => Fix Released

** Tags added: rls-ff-incoming



[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-08 Thread Seth Arnold
** Information type changed from Private Security to Public Security
