(checks again) Yes, fixed in 5.56 looks right.

  commit 3a40bef49305f8327635b81ac8be52a3ca063d5a
  Author:     Luiz Augusto von Dentz <luiz.von.de...@intel.com>
  AuthorDate: Mon Jan 4 10:38:31 2021 -0800
  Commit:     Luiz Augusto von Dentz <luiz.von.de...@intel.com>
  CommitDate: Tue Jan 5 10:41:27 2021 -0800

landed on master before the next tag, which was:

  commit 482929f12b645f652d378fbe8d0a5b7c05d65c4f (tag: 5.56)
  Author:     Marcel Holtmann <mar...@holtmann.org>
  AuthorDate: Mon Feb 22 21:12:40 2021 +0100
  Commit:     Marcel Holtmann <mar...@holtmann.org>
  CommitDate: Mon Feb 22 21:12:40 2021 +0100

However, it doesn't look like it's present on master anymore because it was rewritten 6 hours later:

  commit 6a50b6aeda78a88eafb177718109c256eec077a6
  Author:     Luiz Augusto von Dentz <luiz.von.de...@intel.com>
  AuthorDate: Tue Jan 5 16:45:37 2021 -0800
  Commit:     Luiz Augusto von Dentz <luiz.von.de...@intel.com>
  CommitDate: Tue Jan 5 16:55:32 2021 -0800

I assume the rewrite is free of the original bug, and so still fixed in 5.56.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information leakage

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released
Status in bluez source package in Hirsute:
  Fix Released
Status in bluez source package in Impish:
  Fix Released

Bug description:
  I installed the latest bluez 5.53-0ubuntu3 version using apt-get install. It seems that this vulnerability was silently fixed in the latest bluez5.8, and the CVE number was not assigned. But this vulnerability now affects the latest Ubuntu system.

  This vulnerability allows an attacker to remotely obtain most of the contents of the heap without authentication. The vulnerable code is in cli_feat_read_cb; this function does not verify the offset parameter.

  The vulnerable code is as follows (gatt-database.c, line 1054):

    static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
                                 unsigned int id, uint16_t offset,
                                 uint8_t opcode, struct bt_att *att,
                                 void *user_data)
    {
            ...
            /* offset is never compared against sizeof(state->cli_feat) */
            len = sizeof(state->cli_feat) - offset;
            value = len ? &state->cli_feat[offset] : NULL;
    done:
            gatt_db_attribute_read_result(attrib, id, ecode, value, len);
    }

  len will become very large due to integer overflow, so that a message of MTU (0x90) size will be sent later. The message content is the buffer pointed to by value, which can be most addresses on the heap.

  The PoC is very simple; the core is this line of code:

    memcpy(&buf[0], "\x0c\x0b\x00\x0d\x00", 5);

  0xc stands for read; \x0b\x00 represents the handle of the client feature, which can be obtained through the find info message (it seems to be 0b by default); \x0d\x00 is offset 0xd.

  This vulnerability is serious. I want to apply for a CVE number, although this has been silently fixed in the latest version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/bluez/+bug/1926548/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
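As an added example (not BlueZ code and not the upstream fix commit named above), this C model decodes the Read Blob Request bytes from the report's PoC, reproduces the unchecked length computation the report describes, and shows one bounds check that rejects the bad offset. The one-byte size of cli_feat, the MTU clamp and the ERR_INVALID_OFFSET name are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed one-byte Client Supported Features value, standing in for
 * state->cli_feat; the real device_state struct is not reproduced. */
static uint8_t cli_feat[1];

#define ATT_OP_READ_BLOB_REQ 0x0c /* first byte of the report's PoC request */
#define ATT_MTU              0x90 /* MTU quoted in the report */
#define ERR_INVALID_OFFSET   0x07 /* ATT "Invalid Offset" error code */

struct read_blob_req { uint16_t handle; uint16_t offset; };

/* Decode the 5-byte ATT Read Blob Request used in the report: opcode,
 * little-endian attribute handle, little-endian value offset. */
bool parse_read_blob_req(const uint8_t *pdu, size_t pdu_len,
                         struct read_blob_req *out)
{
    if (pdu_len != 5 || pdu[0] != ATT_OP_READ_BLOB_REQ)
        return false;
    out->handle = (uint16_t)(pdu[1] | (pdu[2] << 8));
    out->offset = (uint16_t)(pdu[3] | (pdu[4] << 8));
    return true;
}

/* Length computation as the report describes it: offset is never compared
 * against sizeof(cli_feat), so any offset > 1 wraps len to a huge size_t
 * and the value pointer lands past the end of the array. */
size_t vuln_read_len(uint16_t offset)
{
    return sizeof(cli_feat) - offset;
}

/* Bytes the transport would put on the wire once the response is cut to
 * the negotiated MTU: a wrapped len fills an entire MTU-sized packet. */
size_t clamp_to_mtu(size_t len)
{
    return len > ATT_MTU ? ATT_MTU : len;
}

/* Hardened variant: reject out-of-range offsets with an ATT error before
 * the subtraction. Returns 0 on success, otherwise the ATT error code. */
uint8_t safe_read_len(uint16_t offset, size_t *len_out)
{
    if (offset >= sizeof(cli_feat))
        return ERR_INVALID_OFFSET;
    *len_out = sizeof(cli_feat) - offset;
    return 0;
}
```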