Bug 1013885 (CVE-2016-9803)

Summary: VUL-0: CVE-2016-9803: bluez: out-of-bounds read in le_meta_ev_dump()
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Incidents
Assignee: Joey Lee <jlee>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: abergmann, acho, gabriele.sonnu, jlee, smash_bz, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/177096/
Whiteboard: CVSSv2:SUSE:CVE-2016-9803:1.2:(AV:L/AC:H/Au:N/C:N/I:N/A:P) CVSSv3.1:SUSE:CVE-2016-9803:2.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: dump file to reproduce the issue

Description Matthias Gerstner 2016-12-06 11:00:09 UTC
rh#1401543

In BlueZ 5.42, an out-of-bounds read was observed in the "le_meta_ev_dump" function
in the "tools/parser/hci.c" source file. This issue exists because 'subevent' (which
is used to read the correct element from the 'ev_le_meta_str' array) is overflowed.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1401543
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9803
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9803.html
http://www.cvedetails.com/cve/CVE-2016-9803/
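The pattern the description names, shown as an added illustration rather than code from the BlueZ tree or from this report: a subevent code taken straight from the captured packet is used as an index into a string table, and the hardened form adds the range check that keeps the lookup inside the table. The table contents, the function names, and the constructed packet bytes are assumptions made for the example; only the bug mechanism (unchecked index into a name table) comes from the report.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a subevent name table such as ev_le_meta_str.
 * The entries are assumed for this example, not copied from hci.c.
 * Index 0 is unused because LE Meta subevent codes start at 0x01. */
static const char *le_meta_str[] = {
    "Reserved",
    "LE Connection Complete",
    "LE Advertising Report",
    "LE Connection Update Complete",
    "LE Read Remote Used Features Complete",
    "LE Long Term Key Request",
};
#define LE_META_STR_COUNT (sizeof(le_meta_str) / sizeof(le_meta_str[0]))

/* Vulnerable pattern: a byte under the control of whoever produced the
 * dump is used as an array index with no range check. Any value at or
 * above LE_META_STR_COUNT reads a pointer from past the end of the table
 * and then dereferences it when the name is printed. Kept here only for
 * comparison; the demo below never calls it. */
const char *le_meta_name_unchecked(uint8_t subevent)
{
    return le_meta_str[subevent];   /* out-of-bounds read for large codes */
}

/* Returns 1 if the code names a valid table entry, 0 otherwise. */
int le_meta_subevent_valid(uint8_t subevent)
{
    return subevent != 0 && subevent < LE_META_STR_COUNT;
}

/* Hardened pattern: validate the index first and fall back to a sentinel
 * string so the parser keeps going on unknown or malformed input. */
const char *le_meta_name_checked(uint8_t subevent)
{
    if (!le_meta_subevent_valid(subevent))
        return "Unknown";
    return le_meta_str[subevent];
}

/* Parses the parameter block of an LE Meta Event: the first parameter
 * byte is the subevent code. Returns NULL when the block is too short to
 * contain it, so the caller sees a truncated record rather than a
 * read past the end of the buffer. */
const char *le_meta_ev_name(const uint8_t *params, size_t len)
{
    if (params == NULL || len < 1)
        return NULL;
    return le_meta_name_checked(params[0]);
}

int main(void)
{
    /* Constructed parameter blocks: subevent code followed by filler.
     * 0x02 is in range; 0xff is the kind of value that triggers the
     * out-of-bounds read in the unchecked lookup. */
    const uint8_t good[] = { 0x02, 0x00, 0x00 };
    const uint8_t bad[]  = { 0xff, 0x00, 0x00 };

    printf("subevent 0x%02x -> %s\n", good[0], le_meta_ev_name(good, sizeof(good)));
    printf("subevent 0x%02x -> %s\n", bad[0],  le_meta_ev_name(bad, sizeof(bad)));
    return 0;
}
```

The two checks are independent: the length test guards the read of the subevent byte itself, and the index test guards the table lookup that follows. A sanitizer build (the '-fsanitize=address' the reporter mentions) flags the unchecked version on the first malformed record; the checked version simply prints "Unknown".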
Comment 1 Matthias Gerstner 2016-12-06 11:02:16 UTC
Created attachment 705030
dump file to reproduce the issue
Comment 2 Matthias Gerstner 2016-12-06 11:07:22 UTC
Only SUSE:SLE-12:Update and SUSE:SLE-12-SP2:Update codestreams are affected. Older versions don't contain the code in question.

QA reproducer: Using the attached dump file I was NOT able to show symptoms of the issue on SLES-12-SP2. The supposed reproducer command is:

  valgrind hcidump -a -r CVE-2016-9803

The out-of-bounds access does by chance not cause a crash or valgrind errors. The original reporter only reproduced it in a bluez version compiled with '-fsanitize=address'.
Comment 3 Swamp Workflow Management 2016-12-06 23:00:45 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2018-05-24 12:11:24 UTC
Not in regularly maintained products, closing
Comment 6 Johannes Segitz 2018-05-24 12:47:17 UTC
(In reply to Johannes Segitz from comment #5)
Error on my side. Please submit for SLE 12 SP2. Thank you
Comment 18 Swamp Workflow Management 2022-10-25 13:23:36 UTC
SUSE-SU-2022:3718-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1013885,1193237
CVE References: CVE-2016-9803,CVE-2019-8921
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    bluez-5.13-5.31.1
SUSE OpenStack Cloud 9 (src):    bluez-5.13-5.31.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    bluez-5.13-5.31.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    bluez-5.13-5.31.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    bluez-5.13-5.31.1
SUSE Linux Enterprise Server 12-SP5 (src):    bluez-5.13-5.31.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    bluez-5.13-5.31.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    bluez-5.13-5.31.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    bluez-5.13-5.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Joey Lee 2022-10-25 13:27:22 UTC
(In reply to Joey Lee from comment #16)
> (In reply to Gabriele Sonnu from comment #13)
> > Hi Joey, any update?
> > Our tracking shows a missing submission for SUSE:SLE-12-SP2:Update/bluez.
> 
> I have checked SLE12-SP2:Update/bluez-5.13, it missed f25df405f2. I will
> backport it.
> 
> On the other hand, it looks like all bluez changelogs in the different SLE versions
> do NOT have bsc#1013885, CVE-2016-9803. I will add them to the changelog and
> spec file.

The submitreq of the backported f25df405f2 has been merged to 12-SP2:Update/bluez-5.13:

https://build.suse.de/request/show/282906
Comment 20 Joey Lee 2022-12-22 04:55:27 UTC
(In reply to Joey Lee from comment #19)
> (In reply to Joey Lee from comment #16)
> > (In reply to Gabriele Sonnu from comment #13)
> > > Hi Joey, any update?
> > > Our tracking shows a missing submission for SUSE:SLE-12-SP2:Update/bluez.
> > 
> > I have checked SLE12-SP2:Update/bluez-5.13, it missed f25df405f2. I will
> > backport it.
> > 
> > On the other hand, it looks like all bluez changelogs in the different SLE versions
> > do NOT have bsc#1013885, CVE-2016-9803. I will add them to the changelog and
> > spec file.
> 
> The submitreq of the backported f25df405f2 has been merged to 12-SP2:Update/bluez-5.13:
> 
> https://build.suse.de/request/show/282906

The change has been merged. Setting this issue to fixed.