SB2016120302 - Denial of service in BlueZ

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2016-9798)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the conf_opt() function in tools/parser/l2cap.c when processing a corrupted dump file. A local user can use a specially crafted dump file to crash hcidump.

2) Out-of-bounds read (CVE-ID: CVE-2016-9918)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within packet_hexdump()  function in monitor/packet.c. A local user can pass a specially crafted dump file, trigger out-of-bounds read error and crash the affected application.

3) Buffer overflow (CVE-ID: CVE-2016-9917)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the read_n()  function in tools/hcidump.c. A local user can pass a specially crafted dump file, trigger a buffer overflow and crash hcidump.

4) Buffer overflow (CVE-ID: CVE-2016-9804)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the commands_dump()  function in tools/parser/csr.c. A local user can pass a specially crafted dump file, trigger a buffer overflow and crash hcidump.

5) Out-of-bounds read (CVE-ID: CVE-2016-9918)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the "packet_hexdump()" function in monitor/packet.c. A local user can pass a specially crafted dump file, trigger a buffer overflow and crash hcidump.

6) Out-of-bounds read (CVE-ID: CVE-2016-9803)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the le_meta_ev_dump() function in tools/parser/hci.c. A local user can pass a specially crafted dump file, trigger a buffer overflow and crash application.

7) Buffer overflow (CVE-ID: CVE-2016-9801)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the set_ext_ctrl() function in tools/parser/l2cap.c. A local user can pass a specially crafted dump file, trigger a buffer overflow and crash application.

8) Buffer overflow (CVE-ID: CVE-2016-9800)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the pin_code_reply_dump() function in tools/parser/hci.c. A local user can pass a specially crafted dump file, trigger a buffer overflow and crash application.

9) Buffer overflow (CVE-ID: CVE-2016-9799)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the pklg_read_hci() function in btsnoop.c. A local user can pass a specially crafted dump file, trigger a buffer overflow and crash application.

Remediation

Install update from vendor's website.

References

• https://www.spinics.net/lists/linux-bluetooth/msg68892.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00054.html
• https://www.spinics.net/lists/linux-bluetooth/msg68898.html
• http://www.securityfocus.com/bid/94652