Bug 1013721 (CVE-2016-9800)

Summary: VUL-0: CVE-2016-9800: bluez,bluez-hcidump: buffer overflow in pin_code_reply_dump()
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Gerstner <matthias.gerstner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: abergmann, seife, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/177093/
Whiteboard: CVSSv2:RedHat:CVE-2016-9800:1.2:(AV:L/AC:H/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-9800:4.0:(AV:L/AC:H/Au:N/C:N/I:N/A:C) CVSSv2:NVD:CVE-2016-9800:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-9800:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2016-9800:2.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: dump file to reproduce the issue

Description Matthias Gerstner 2016-12-05 17:01:12 UTC 
In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump" function
in "tools/parser/hci.c" source file. The issue exists because "pin" array is
overflowed by supplied parameter due to lack of boundary checks on size of the
buffer from frame "pin_code_reply_cp *cp" parameter.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1401527
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9800
http://www.cvedetails.com/cve/CVE-2016-9800/
Comment 1 Matthias Gerstner 2016-12-05 17:02:46 UTC 
Created attachment 704875 [details]
dump file to reproduce the issue
Comment 2 Matthias Gerstner 2016-12-05 17:04:09 UTC 
SLE-12* is affected. bluez-hcidump from SLE-11-SP1:Update contains the exact same code but I could not reproduce the issue. I'm not sure why.

QA reproducer:

Using the attached dump file and the following command:

  hcidump -a -r CVE-2016-9800

the program terminated with a libc dump "buffer overflow detected" on SLES-12-SP2.
Comment 3 Swamp Workflow Management 2016-12-05 23:04:26 UTC 
bugbot adjusting priority
Comment 10 Stefan Seyfried 2018-06-04 19:10:16 UTC 
This is not yet in newly released version bluez-5.50.

Has this ever been communicated to bluez upstream?
Comment 11 Al Cho 2018-06-05 02:46:17 UTC 
(In reply to Stefan Seyfried from comment #10)
> This is not yet in newly released version bluez-5.50.
> 
> Has this ever been communicated to bluez upstream?

Yes, I did, but bluez upstream also ask us consider using btmon over hcidump, hcidump is a deprecated tool that they might remove at some point.
Comment 12 Stefan Seyfried 2018-06-05 07:53:07 UTC 
Ok, thanks. I'm just always trying to reduce the number of patches when integrating a new upstream release (and have e.g. pushed 0001-obexd-use-AM_LDFLAGS-for-linking.patch again :-)

Will just add a note in bluez.spec that we will keep them as downstream patches.
Comment 13 Swamp Workflow Management 2018-06-21 16:34:02 UTC 
SUSE-SU-2018:1778-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013877,1026652,1057342
CVE References: CVE-2016-7837,CVE-2016-9800,CVE-2016-9804,CVE-2017-1000250
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bluez-5.13-5.4.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bluez-5.13-5.4.1
SUSE Linux Enterprise Server 12-SP3 (src):    bluez-5.13-5.4.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bluez-5.13-5.4.1
Comment 18 Swamp Workflow Management 2018-12-19 17:09:40 UTC 
SUSE-SU-2018:4188-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732
CVE References: CVE-2016-9800,CVE-2016-9801
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Server 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Server 12-SP3 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bluez-5.13-5.7.1
Comment 19 Swamp Workflow Management 2018-12-19 17:10:27 UTC 
SUSE-SU-2018:4189-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732
CVE References: CVE-2016-9800,CVE-2016-9801
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    bluez-5.48-5.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    bluez-5.48-5.8.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    bluez-5.48-5.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    bluez-5.48-5.8.1
Comment 20 Swamp Workflow Management 2018-12-22 23:12:35 UTC 
openSUSE-SU-2018:4259-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732
CVE References: CVE-2016-9800,CVE-2016-9801
Sources used:
openSUSE Leap 15.0 (src):    bluez-5.48-lp150.4.6.1
Comment 24 Swamp Workflow Management 2019-02-28 14:09:23 UTC 
SUSE-SU-2019:0510-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732,1013877,1015173,1026652,1057342
CVE References: CVE-2016-7837,CVE-2016-9800,CVE-2016-9801,CVE-2016-9804,CVE-2016-9918,CVE-2017-1000250
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    bluez-5.13-3.10.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    bluez-5.13-3.10.1
SUSE Linux Enterprise Server 12-LTSS (src):    bluez-5.13-3.10.1
Comment 25 Alexander Bergmann 2019-04-18 08:20:52 UTC 
Fixed and released.