Bug 1102238 (CVE-2018-10910) - VUL-1: CVE-2018-10910: gnome-bluetooth,bluez: failure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized pairing of Bluetooth devices
Summary: VUL-1: CVE-2018-10910: gnome-bluetooth,bluez: failure in disabling Bluetooth ...
Status: RESOLVED FIXED
Alias: CVE-2018-10910
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Al Cho
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/211375/
Whiteboard: CVSSv3:RedHat:CVE-2018-10910:4.5:(AV...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-23 12:50 UTC by Karol Babioch
Modified: 2018-09-04 14:08 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-07-23 12:50:53 UTC 
rh#1606203

A bug in bluez prevents the disabling of Bluetooth discoverability after the closing of the Gnome 3 Bluetooth settings window. In certain situations, this flaw could potentially lead to the unauthorized pairing of Bluetooth devices.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1602985

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1606203
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10910
Comment 1 Al Cho 2018-07-24 09:42:33 UTC 
(In reply to Karol Babioch from comment #0)
> rh#1606203
> 
> A bug in bluez prevents the disabling of Bluetooth discoverability after the
> closing of the Gnome 3 Bluetooth settings window. In certain situations,
> this flaw could potentially lead to the unauthorized pairing of Bluetooth
> devices.
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1602985
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1606203
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10910

There are no information page in 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10910

But I also reference:https://access.redhat.com/security/cve/cve-2018-10910

and we only have Tumbleweed use gnome-3.28.

I will test with Tumbleweed, SLE15 and other for understanding this issue.
Comment 2 Karol Babioch 2018-07-24 11:11:35 UTC 
(In reply to Al Cho from comment #1)
> There are no information page in 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10910

You are right. It will show up eventually, but this might take a couple of days.

> But I also reference:https://access.redhat.com/security/cve/cve-2018-10910

Great
 
> and we only have Tumbleweed use gnome-3.28.

This might not only affect GNOME 3.28. We have to look at the code of all supported codestreams. I didn't have time to investigate any further on this until now, though.

> I will test with Tumbleweed, SLE15 and other for understanding this issue.

Thanks!
Comment 3 Al Cho 2018-07-27 10:23:33 UTC 
(In reply to Karol Babioch from comment #2)
> (In reply to Al Cho from comment #1)
> > There are no information page in 
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10910
> 
> You are right. It will show up eventually, but this might take a couple of
> days.
> 
> > But I also reference:https://access.redhat.com/security/cve/cve-2018-10910
> 
> Great
>  
> > and we only have Tumbleweed use gnome-3.28.
> 
> This might not only affect GNOME 3.28. We have to look at the code of all
> supported codestreams. I didn't have time to investigate any further on this
> until now, though.
> 

Yes, You are right.

> > I will test with Tumbleweed, SLE15 and other for understanding this issue.
> 
> Thanks!

Now we did have 3.28.1 version in https://build.opensuse.org/package/show/GNOME:Factory/gnome-bluetooth, and already patched work-around patch.
Comment 4 Karol Babioch 2018-09-04 14:08:23 UTC 
Our supported codestreams are not affected by this, because even in SUSE:SLE-15:Update we only ship 3.26.x of gnome-bluetooth, which was working synchronously with the bluez API.

For Factory/Tumbleweed we need to update to the latest versions of bluez and gnome-bluetooth, because while this can be worked around in gnome-bluetooth, the underlying issue is in bluez itself.

Going to close this bug, though, since we already have up-to-date versions containing the work-around in the build service.