Bug 1013721 (CVE-2016-9800) - VUL-0: CVE-2016-9800: bluez,bluez-hcidump: buffer overflow in pin_code_reply_dump()
Summary: VUL-0: CVE-2016-9800: bluez,bluez-hcidump: buffer overflow in pin_code_reply_...
Status: RESOLVED FIXED
Alias: CVE-2016-9800
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/177093/
Whiteboard: CVSSv2:RedHat:CVE-2016-9800:1.2:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-05 17:01 UTC by Matthias Gerstner
Modified: 2019-04-18 08:20 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
dump file to reproduce the issue (852 bytes, application/octet-stream)
2016-12-05 17:02 UTC, Matthias Gerstner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2016-12-05 17:01:12 UTC 
In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump" function
in "tools/parser/hci.c" source file. The issue exists because "pin" array is
overflowed by supplied parameter due to lack of boundary checks on size of the
buffer from frame "pin_code_reply_cp *cp" parameter.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1401527
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9800
http://www.cvedetails.com/cve/CVE-2016-9800/
Comment 1 Matthias Gerstner 2016-12-05 17:02:46 UTC 
Created attachment 704875 [details]
dump file to reproduce the issue
Comment 2 Matthias Gerstner 2016-12-05 17:04:09 UTC 
SLE-12* is affected. bluez-hcidump from SLE-11-SP1:Update contains the exact same code but I could not reproduce the issue. I'm not sure why.

QA reproducer:

Using the attached dump file and the following command:

  hcidump -a -r CVE-2016-9800

the program terminated with a libc dump "buffer overflow detected" on SLES-12-SP2.
Comment 3 Swamp Workflow Management 2016-12-05 23:04:26 UTC 
bugbot adjusting priority
Comment 10 Stefan Seyfried 2018-06-04 19:10:16 UTC 
This is not yet in newly released version bluez-5.50.

Has this ever been communicated to bluez upstream?
Comment 11 Al Cho 2018-06-05 02:46:17 UTC 
(In reply to Stefan Seyfried from comment #10)
> This is not yet in newly released version bluez-5.50.
> 
> Has this ever been communicated to bluez upstream?

Yes, I did, but bluez upstream also ask us consider using btmon over hcidump, hcidump is a deprecated tool that they might remove at some point.
Comment 12 Stefan Seyfried 2018-06-05 07:53:07 UTC 
Ok, thanks. I'm just always trying to reduce the number of patches when integrating a new upstream release (and have e.g. pushed 0001-obexd-use-AM_LDFLAGS-for-linking.patch again :-)

Will just add a note in bluez.spec that we will keep them as downstream patches.
Comment 13 Swamp Workflow Management 2018-06-21 16:34:02 UTC 
SUSE-SU-2018:1778-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013877,1026652,1057342
CVE References: CVE-2016-7837,CVE-2016-9800,CVE-2016-9804,CVE-2017-1000250
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bluez-5.13-5.4.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bluez-5.13-5.4.1
SUSE Linux Enterprise Server 12-SP3 (src):    bluez-5.13-5.4.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bluez-5.13-5.4.1
Comment 18 Swamp Workflow Management 2018-12-19 17:09:40 UTC 
SUSE-SU-2018:4188-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732
CVE References: CVE-2016-9800,CVE-2016-9801
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Server 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Server 12-SP3 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    bluez-5.13-5.7.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bluez-5.13-5.7.1
Comment 19 Swamp Workflow Management 2018-12-19 17:10:27 UTC 
SUSE-SU-2018:4189-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732
CVE References: CVE-2016-9800,CVE-2016-9801
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    bluez-5.48-5.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    bluez-5.48-5.8.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    bluez-5.48-5.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    bluez-5.48-5.8.1
Comment 20 Swamp Workflow Management 2018-12-22 23:12:35 UTC 
openSUSE-SU-2018:4259-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732
CVE References: CVE-2016-9800,CVE-2016-9801
Sources used:
openSUSE Leap 15.0 (src):    bluez-5.48-lp150.4.6.1
Comment 24 Swamp Workflow Management 2019-02-28 14:09:23 UTC 
SUSE-SU-2019:0510-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732,1013877,1015173,1026652,1057342
CVE References: CVE-2016-7837,CVE-2016-9800,CVE-2016-9801,CVE-2016-9804,CVE-2016-9918,CVE-2017-1000250
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    bluez-5.13-3.10.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    bluez-5.13-3.10.1
SUSE Linux Enterprise Server 12-LTSS (src):    bluez-5.13-3.10.1
Comment 25 Alexander Bergmann 2019-04-18 08:20:52 UTC 
Fixed and released.