Bug 1013712 (CVE-2016-9798)

Summary: VUL-0: CVE-2016-9798: bluez,bluez-hcidump: use-after-free in conf_opt()
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: abergmann, acho, atanno, atoptsoglou, matthias.gerstner, rfrohl, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/177091/
Whiteboard: CVSSv2:RedHat:CVE-2016-9798:1.2:(AV:L/AC:H/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-9798:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2016-9798:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2016-9798:2.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:SUSE:CVE-2016-9798:1.2:(AV:L/AC:H/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1013708, 1013732
Attachments: dump file to reproduce the issue
CVE-2016-9798-hcidump-Fixed-malformed-segment-frame-length.patch

Description Matthias Gerstner 2016-12-05 16:34:49 UTC
In BlueZ 5.42, a use-after-free was identified in "conf_opt" function in
"tools/parser/l2cap.c" source file. This issue can be triggered by processing a
corrupted dump file and will result in hcidump crash.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1401522
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9798
http://www.cvedetails.com/cve/CVE-2016-9798/
Comment 1 Matthias Gerstner 2016-12-05 16:35:43 UTC
Created attachment 704866 [details]
dump file to reproduce the issue
Comment 2 Matthias Gerstner 2016-12-05 16:36:30 UTC
Only SLE-12* codestreams are affected. The code in question is not yet contained in SLE-11 versions.

QA reproducer:

I've been able to reproduce the issue using the attached dump file and the following command:

  valgrind /usr/sbin/hcidump -a -r cve-2016-9798

The program will not crash but valgrind will print errors about invalid read accesses.
Comment 3 Swamp Workflow Management 2016-12-05 23:03:53 UTC
bugbot adjusting priority
Comment 4 Al Cho 2016-12-06 09:57:40 UTC
(In reply to Matthias Gerstner from comment #2)
> Only SLE-12* codestreams are affected. The code in question is not yet
> contained in SLE-11 versions.

Would you please let me know which version in SLE-11 ? is it bluez-4.99 or bluez-4.22?

> 
> QA reproducer:
> 
> I've been able to reproduce the issue using the attached dump file and the
> following command:
> 
>   valgrind /usr/sbin/hcidump -a -r cve-2016-9798
> 
> The program will not crash but valgrind will print errors about invalid read
> accesses.
Comment 5 Matthias Gerstner 2016-12-06 10:21:53 UTC
> Would you please let me know which version in SLE-11 ? is it bluez-4.99 or
> bluez-4.22?

We currently have three codestreams for SLE-11 with the following versions of bluez:

SUSE:SLE-11-SP1:Update/bluez/bluez.spec:Version:        4.51
SUSE:SLE-11-SP3:Update/bluez/bluez.spec:Version:        4.99
SUSE:SLE-11-SP4:Update/bluez/bluez.spec:Version:        4.99

Most of the current bugs regarding bluez affect the 'hcidump' tool which is not contained in these versions of bluez. Instead there is a separate package bluez-hcidump that exists only for one codestream:

./SUSE:SLE-11-SP1:Update/bluez-hcidump/bluez-hcidump.spec:Version:        1.42
Comment 18 Swamp Workflow Management 2019-05-24 19:10:34 UTC
SUSE-SU-2019:1339-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171,1015173
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917,CVE-2016-9918
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bluez-5.13-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2019-05-24 19:19:38 UTC
SUSE-SU-2019:1353-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2019-05-30 10:18:55 UTC
openSUSE-SU-2019:1476-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
openSUSE Leap 15.1 (src):    bluez-5.48-lp151.8.3.1
openSUSE Leap 15.0 (src):    bluez-5.48-lp150.4.13.1
Comment 21 Alexandre Makoto Tanno 2019-09-26 14:16:53 UTC
The bug was not fixed after applying the update:

  Before:
  -------

      sles15:/work/bluez # valgrind hcidump -a -r cve-2016-9798 > cve-2016-9798.txt
      ==29674== Memcheck, a memory error detector
      ==29674== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
      ==29674== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
      ==29674== Command: hcidump -a -r cve-2016-9798
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x11DE54: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x11DE6D: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Use of uninitialised value of size 8
      ==29674==    at 0x11DE7D: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Use of uninitialised value of size 8
      ==29674==    at 0x4E85B21: _itoa_word (in /lib64/libc-2.26.so)
      ==29674==    by 0x4E89460: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x4E85B28: _itoa_word (in /lib64/libc-2.26.so)
      ==29674==    by 0x4E89460: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x4E89EF0: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x4E89F6C: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x4E89D72: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Use of uninitialised value of size 8
      ==29674==    at 0x4E85B7B: _itoa_word (in /lib64/libc-2.26.so)
      ==29674==    by 0x4E89460: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x4E85B85: _itoa_word (in /lib64/libc-2.26.so)
      ==29674==    by 0x4E89460: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x4E89518: vfprintf (in /lib64/libc-2.26.so)
      ==29674==    by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so)
      ==29674==    by 0x11E1BA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x11DEF4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Conditional jump or move depends on uninitialised value(s)
      ==29674==    at 0x11DF0D: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Use of uninitialised value of size 8
      ==29674==    at 0x11DE40: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Use of uninitialised value of size 8
      ==29674==    at 0x11DE63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Use of uninitialised value of size 8
      ==29674==    at 0x11E1A0: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Use of uninitialised value of size 8
      ==29674==    at 0x11DEF0: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== Invalid read of size 1
      ==29674==    at 0x11DE40: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x120F10: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674==  Address 0x51f57e4 is 12 bytes before an unallocated block of size 4,188,144 in arena "client"
      ==29674== 
      ==29674== Invalid read of size 1
      ==29674==    at 0x11DE50: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x120F10: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674==  Address 0x51f57e3 is 13 bytes before an unallocated block of size 4,188,144 in arena "client"
      ==29674== 
      ==29674== Invalid read of size 1
      ==29674==    at 0x11DE63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x120F10: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674==  Address 0x51f57e3 is 13 bytes before an unallocated block of size 4,188,144 in arena "client"
      ==29674== 
      ==29674== Invalid read of size 1
      ==29674==    at 0x11E1A0: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x120F10: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674==  Address 0x51f57e4 is 12 bytes before an unallocated block of size 4,188,144 in arena "client"
      ==29674== 
      ==29674== Invalid read of size 1
      ==29674==    at 0x11DEF0: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11EA63: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x120F10: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x11D5F4: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F1AA: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674==  Address 0x51f57e3 is 13 bytes before an unallocated block of size 4,188,144 in arena "client"
      ==29674== 
      ==29674== Syscall param read(buf) points to unaddressable byte(s)
      ==29674==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
      ==29674==    by 0x10F5AD: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x10F32D: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674==  Address 0x51f56ac is 0 bytes after a block of size 1,500 alloc'd
      ==29674==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==29674==    by 0x10F0B8: ??? (in /usr/bin/hcidump)
      ==29674==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==29674== 
      ==29674== 
      ==29674== HEAP SUMMARY:
      ==29674==     in use at exit: 14 bytes in 1 blocks
      ==29674==   total heap usage: 5 allocs, 4 frees, 5,714 bytes allocated
      ==29674== 
      ==29674== LEAK SUMMARY:
      ==29674==    definitely lost: 0 bytes in 0 blocks
      ==29674==    indirectly lost: 0 bytes in 0 blocks
      ==29674==      possibly lost: 0 bytes in 0 blocks
      ==29674==    still reachable: 14 bytes in 1 blocks
      ==29674==         suppressed: 0 bytes in 0 blocks
      ==29674== Rerun with --leak-check=full to see details of leaked memory
      ==29674== 
      ==29674== For counts of detected and suppressed errors, rerun with: -v
      ==29674== Use --track-origins=yes to see where uninitialised values come from
      ==29674== ERROR SUMMARY: 82206 errors from 23 contexts (suppressed: 0 from 0)

  After:
  ------

      ==27845== Syscall param read(buf) points to unaddressable byte(s)
      ==27845==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
      ==27845==    by 0x10F84D: ??? (in /usr/bin/hcidump)
      ==27845==    by 0x10F33D: ??? (in /usr/bin/hcidump)
      ==27845==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==27845==  Address 0x51f4aac is 0 bytes after a block of size 1,500 alloc'd
      ==27845==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==27845==    by 0x10F0C8: ??? (in /usr/bin/hcidump)
      ==27845==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
      ==27845== 
      ==27845== 
      ==27845== HEAP SUMMARY:
      ==27845==     in use at exit: 14 bytes in 1 blocks
      ==27845==   total heap usage: 5 allocs, 4 frees, 2,642 bytes allocated
      ==27845== 
      ==27845== LEAK SUMMARY:
      ==27845==    definitely lost: 0 bytes in 0 blocks
      ==27845==    indirectly lost: 0 bytes in 0 blocks
      ==27845==      possibly lost: 0 bytes in 0 blocks
      ==27845==    still reachable: 14 bytes in 1 blocks
      ==27845==         suppressed: 0 bytes in 0 blocks
      ==27845== Rerun with --leak-check=full to see details of leaked memory
      ==27845== 
      ==27845== For counts of detected and suppressed errors, rerun with: -v
      ==27845== Use --track-origins=yes to see where uninitialised values come from
      ==27845== ERROR SUMMARY: 82206 errors from 23 contexts (suppressed: 0 from 0)
Comment 24 Al Cho 2019-10-15 08:15:31 UTC
Created attachment 821491 [details]
CVE-2016-9798-hcidump-Fixed-malformed-segment-frame-length.patch

(In reply to Alexandre Makoto Tanno from comment #21)
[..snip]

Yes, thanks for your information. This issue should be fixed, but I used the wrong PoC file (the same one as for CVE-2016-9797) to debug, so it was not fixed by the latest patch I posted.

And this issue is caused by segmenting an L2CAP packet into the payload of many HCI data packets, with L2CAP SDUs whose length field does not match the actual frame length.
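The failure mode described in the comment above (an L2CAP SDU spread over several HCI ACL fragments whose length field disagrees with the bytes actually delivered, then a configuration-option walk that trusts those lengths) as an added, self-contained example. This is not code from bluez or hcidump and does not reproduce the attached dump: the reassembler and option walker (feed_acl, walk_conf_opts, parse_conf_req) are hypothetical names written for this page, the header layouts follow the Bluetooth Core specification (ACL handle in the low 12 bits, packet-boundary flags in bits 12-13, L2CAP basic header of length plus CID, signaling CID 0x0001, Configure Request code 0x04, options as type/length/value), and the sample packets are constructed inline. Every declared length is checked against the bytes present before it is used, which is the check a parser of untrusted dump files needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ACL_PB_CONT  0x01           /* continuing fragment */
#define ACL_PB_FIRST 0x02           /* first fragment, carries the L2CAP header */
#define L2CAP_CID_SIGNALING 0x0001
#define L2CAP_CONF_REQ      0x04
#define L2CAP_MAX_LEN       65535

enum result { R_NEED_MORE, R_COMPLETE, R_TRUNCATED, R_BAD_FRAG, R_BAD_LEN };

struct reasm {                      /* reassembly state for one ACL handle */
    int      active;
    uint16_t handle;
    uint32_t expected;              /* L2CAP length field + 4 header bytes */
    uint32_t have;                  /* bytes collected so far */
    uint8_t  buf[L2CAP_MAX_LEN + 4];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Feed one HCI ACL packet (4-byte header plus payload). Each length the packet
 * declares is checked against the bytes actually present before any copy. */
enum result feed_acl(struct reasm *r, const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 4) return R_TRUNCATED;
    uint16_t hf = le16(pkt), handle = hf & 0x0fff, dlen = le16(pkt + 2);
    uint8_t pb = (hf >> 12) & 0x03;
    const uint8_t *data = pkt + 4;
    if (dlen != pktlen - 4) return R_TRUNCATED;   /* ACL length vs. real payload */

    if (pb == ACL_PB_FIRST) {
        if (dlen < 4) return R_TRUNCATED;         /* need the full L2CAP header */
        r->active = 1; r->handle = handle; r->have = 0;
        r->expected = (uint32_t)le16(data) + 4;
    } else if (pb != ACL_PB_CONT || !r->active || r->handle != handle) {
        return R_BAD_FRAG;                        /* continuation without a start */
    }
    /* The unsafe pattern is to trust the L2CAP length and keep copying; a
     * fragment that overshoots the announced SDU size is rejected instead. */
    if ((uint32_t)dlen > r->expected - r->have) { r->active = 0; return R_BAD_LEN; }
    memcpy(r->buf + r->have, data, dlen);
    r->have += dlen;
    if (r->have < r->expected) return R_NEED_MORE;
    r->active = 0;
    return R_COMPLETE;
}

/* Walk configuration options (type, length, value) without stepping past the
 * payload: returns the option count, or -1 if a length field overruns it. */
int walk_conf_opts(const uint8_t *opts, size_t len)
{
    size_t off = 0; int n = 0;
    while (off < len) {
        if (len - off < 2) return -1;             /* truncated type/length */
        uint8_t olen = opts[off + 1];
        if (olen > len - off - 2) return -1;      /* value would run past frame */
        off += 2u + olen; n++;
    }
    return n;
}

/* Parse a reassembled signaling frame as a Configure Request; -1 if any
 * declared length disagrees with the frame actually delivered. */
int parse_conf_req(const uint8_t *f, size_t len)
{
    if (len < 12) return -1;
    if (le16(f) != len - 4 || le16(f + 2) != L2CAP_CID_SIGNALING) return -1;
    if (f[4] != L2CAP_CONF_REQ || le16(f + 6) != len - 8) return -1;
    return walk_conf_opts(f + 12, len - 12);      /* skip DCID and flags */
}

/* Constructed sample packets for handle 0x0040 (not taken from the dump). */
static const uint8_t frag_first[] = {
    0x40, 0x20, 0x0c, 0x00,         /* ACL: PB=first, 12 payload bytes */
    0x10, 0x00, 0x01, 0x00,         /* L2CAP: len 16, CID 1 */
    0x04, 0x01, 0x0c, 0x00,         /* Configure Request, id 1, len 12 */
    0x40, 0x00, 0x00, 0x00 };       /* DCID 0x0040, flags 0 */
static const uint8_t frag_cont_ok[] = {
    0x40, 0x10, 0x08, 0x00,         /* ACL: PB=continuing, 8 payload bytes */
    0x01, 0x02, 0x00, 0x02,         /* option: MTU 512 */
    0x02, 0x02, 0xff, 0xff };       /* option: flush timeout infinite */
static const uint8_t frag_cont_long[] = {   /* 12 bytes where the SDU has room for 8 */
    0x40, 0x10, 0x0c, 0x00, 0x01, 0x02, 0x00, 0x02,
    0x02, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t frame_bad_opt[] = {    /* option length 16, 2 bytes left */
    0x0c, 0x00, 0x01, 0x00, 0x04, 0x01, 0x08, 0x00,
    0x40, 0x00, 0x00, 0x00, 0x01, 0x10, 0x00, 0x02 };

int demo_good(void)                 /* two well-formed fragments: 2 options */
{
    struct reasm r = {0};
    if (feed_acl(&r, frag_first, sizeof frag_first) != R_NEED_MORE) return -100;
    if (feed_acl(&r, frag_cont_ok, sizeof frag_cont_ok) != R_COMPLETE) return -101;
    return parse_conf_req(r.buf, r.have);
}
enum result demo_bad_len(void)      /* continuation longer than announced */
{
    struct reasm r = {0};
    feed_acl(&r, frag_first, sizeof frag_first);
    return feed_acl(&r, frag_cont_long, sizeof frag_cont_long);
}
int demo_bad_opt(void) { return parse_conf_req(frame_bad_opt, sizeof frame_bad_opt); }

int main(void)
{
    printf("good: %d options, bad_len: %d, bad_opt: %d\n",
           demo_good(), (int)demo_bad_len(), demo_bad_opt());
    return 0;
}
```

Build with `cc -Wall -Wextra -o l2cap_reasm l2cap_reasm.c`; running it under valgrind the same way as the reproducer in comment 2 should report no invalid reads for any of the three inputs, because the mismatched fragment is refused before memcpy and the oversized option is refused before its value is touched. The same two comparisons (fragment size against the remaining announced SDU size, option length against the remaining payload) are what a dump parser has to perform on every frame it reads from an untrusted file.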
Comment 27 Swamp Workflow Management 2019-10-18 19:23:04 UTC
SUSE-SU-2019:1353-2: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2019-11-07 14:13:13 UTC
SUSE-SU-2019:2915-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013712
CVE References: CVE-2016-9798
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    bluez-5.13-5.15.3
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    bluez-5.13-5.15.3
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    bluez-5.13-5.15.3
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bluez-5.13-5.15.3
SUSE Linux Enterprise Server 12-SP5 (src):    bluez-5.13-5.15.3
SUSE Linux Enterprise Server 12-SP4 (src):    bluez-5.13-5.15.3
SUSE Linux Enterprise Desktop 12-SP4 (src):    bluez-5.13-5.15.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2019-11-25 17:16:17 UTC
SUSE-SU-2019:3046-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013712
CVE References: CVE-2016-9798
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    bluez-5.48-5.19.1
SUSE Linux Enterprise Workstation Extension 15 (src):    bluez-5.48-5.19.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    bluez-5.48-5.19.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    bluez-5.48-5.19.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    bluez-5.48-5.19.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    bluez-5.48-5.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    bluez-5.48-5.19.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    bluez-5.48-5.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2019-11-30 17:11:17 UTC
openSUSE-SU-2019:2585-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013712
CVE References: CVE-2016-9798
Sources used:
openSUSE Leap 15.0 (src):    bluez-5.48-lp150.4.16.1
Comment 32 Swamp Workflow Management 2019-11-30 20:13:56 UTC
openSUSE-SU-2019:2588-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013712
CVE References: CVE-2016-9798
Sources used:
openSUSE Leap 15.1 (src):    bluez-5.48-lp151.8.6.1
Comment 33 Alexandros Toptsoglou 2020-04-24 14:53:28 UTC
Done