Bugzilla – Full Text Bug Listing
Summary: | VUL-0: CVE-2016-9802: bluez: buffer over-read in l2cap_packet() | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Matthias Gerstner <matthias.gerstner> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Minor | ||
Priority: | P3 - Medium | CC: | abergmann, acho, atanno, carlos.lopez, deshun.wang, matthias.gerstner, rfrohl, smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/177095/ | ||
Whiteboard: | CVSSv2:SUSE:CVE-2016-9802:1.2:(AV:L/AC:H/Au:N/C:N/I:N/A:P) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Attachments: | dump file to reproduce the issue |
Description
Matthias Gerstner
2016-12-06 11:20:51 UTC
Created attachment 705035
dump file to reproduce the issue
The affected code is only contained in codestreams SUSE:SLE-12:Update, SUSE:SLE-12-SP2:Update.

QA reproducer: I was NOT able to reproduce the issue using the attached dump file on SLES-12-SP2. The supposed command to reproduce is:

    btmon -r CVE-2016-9802

There is no visible crash or valgrind errors in my case. The original reporter used a bluez version compiled with '-fsanitize=address'.

bugbot adjusting priority

Not in regularly maintained products, closing

sorry, misread that. Please submit for SLE 12 SP2. Thank you

sr:182543 (SLE-15)
sr:184226 (SLE12)
sr:184227 (SLE12-SP2)

Has this been fixed on 12SP4? Is there a schedule?

(In reply to Deshun Wang from comment #10)
> Has this been fixed on 12SP4? Is there a schedule?

https://build.suse.de/request/show/184227 it was already accepted.

From Marcus (on http://bugzilla.suse.com/show_bug.cgi?id=1015173#c15): the update is in queue, will be released in the next days / 2 weeks

SUSE-SU-2019:1339-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171,1015173
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917,CVE-2016-9918
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src): bluez-5.13-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:1353-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15 (src): bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1476-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
openSUSE Leap 15.1 (src): bluez-5.48-lp151.8.3.1
openSUSE Leap 15.0 (src): bluez-5.48-lp150.4.13.1

The bug was not fixed after applying the update:

Before:
-------
    sles15:/work/bluez # valgrind hcidump -a -r CVE-2016-9802
    ==29791== Memcheck, a memory error detector
    ==29791== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==29791== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
    ==29791== Command: hcidump -a -r CVE-2016-9802
    ==29791==
    HCI sniffer - Bluetooth packet analyzer ver 5.48
    packet logger data format
    < HCI Command: Unknown (0x00|0x0003) plen 16
      . # . . . . . . . . . .
    ==29791== Syscall param read(buf) points to unaddressable byte(s)
    ==29791==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
    ==29791==    by 0x10F5AD: ??? (in /usr/bin/hcidump)
    ==29791==    by 0x10F140: ??? (in /usr/bin/hcidump)
    ==29791==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
    ==29791==  Address 0x51f4aac is 0 bytes after a block of size 1,500 alloc'd
    ==29791==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==29791==    by 0x10F0B8: ??? (in /usr/bin/hcidump)
    ==29791==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
    ==29791==
    ==29791==
    ==29791== HEAP SUMMARY:
    ==29791==     in use at exit: 14 bytes in 1 blocks
    ==29791==   total heap usage: 3 allocs, 2 frees, 2,538 bytes allocated
    ==29791==
    ==29791== LEAK SUMMARY:
    ==29791==    definitely lost: 0 bytes in 0 blocks
    ==29791==    indirectly lost: 0 bytes in 0 blocks
    ==29791==      possibly lost: 0 bytes in 0 blocks
    ==29791==    still reachable: 14 bytes in 1 blocks
    ==29791==         suppressed: 0 bytes in 0 blocks
    ==29791== Rerun with --leak-check=full to see details of leaked memory
    ==29791==
    ==29791== For counts of detected and suppressed errors, rerun with: -v
    ==29791== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)

After:
------
    sles15:/work/bluez # valgrind hcidump -a -r CVE-2016-9802
    ==27822== Memcheck, a memory error detector
    ==27822== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==27822== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
    ==27822== Command: hcidump -a -r CVE-2016-9802
    ==27822==
    HCI sniffer - Bluetooth packet analyzer ver 5.48
    packet logger data format
    < HCI Command: Unknown (0x00|0x0003) plen 16
      . # . . . . . . . . . .
    ==27822== Syscall param read(buf) points to unaddressable byte(s)
    ==27822==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
    ==27822==    by 0x10F84D: ??? (in /usr/bin/hcidump)
    ==27822==    by 0x10F150: ??? (in /usr/bin/hcidump)
    ==27822==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
    ==27822==  Address 0x51f4aac is 0 bytes after a block of size 1,500 alloc'd
    ==27822==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==27822==    by 0x10F0C8: ??? (in /usr/bin/hcidump)
    ==27822==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
    ==27822==
    ==27822==
    ==27822== HEAP SUMMARY:
    ==27822==     in use at exit: 14 bytes in 1 blocks
    ==27822==   total heap usage: 3 allocs, 2 frees, 2,538 bytes allocated
    ==27822==
    ==27822== LEAK SUMMARY:
    ==27822==    definitely lost: 0 bytes in 0 blocks
    ==27822==    indirectly lost: 0 bytes in 0 blocks
    ==27822==      possibly lost: 0 bytes in 0 blocks
    ==27822==    still reachable: 14 bytes in 1 blocks
    ==27822==         suppressed: 0 bytes in 0 blocks
    ==27822== Rerun with --leak-check=full to see details of leaked memory
    ==27822==
    ==27822== For counts of detected and suppressed errors, rerun with: -v
    ==27822== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)

SUSE-SU-2019:1353-2: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Done, closing.