Bug 104357 (CVE-2005-2547)

Summary: VUL-0: CVE-2005-2547: bluez command execution
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Stefan Behlert <behlert>
Status: VERIFIED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P2 - High CC: behlert, mls, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-2547: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Ludwig Nussel 2005-08-12 11:11:24 UTC 
We received the following report via vendor-sec.
The issue is public.

   6 remote non-root user
  +1 default package
  -1 default inactive
  -1 user interaction
  +1 command execution

Total Score: 6 (Moderate)

Date: Fri, 12 Aug 2005 09:34:59 +0200
From: Thierry Carrez <koon@gentoo.org>
To: vendor-sec <vendor-sec@lst.de>, marcel@holtmann.org
Subject: [vendor-sec] CAN assignment for bluez-utils device name validation vulnerability

Hello everyone,

Please note that following (public) vulnerability in bluez-utils was
assigned CAN-2005-2547 :

The name of a Bluetooth device is improperly validated by the hcid
utility when a remote device attempts to pair itself with a computer.

An attacker could create a malicious device name (containing shell
escape characters) on a Bluetooth device resulting in arbitrary commands
being executed as root upon attempting to pair the device with the computer.

Vulnerable: <= 2.18
Fixed in 2.19

Refs:
http://www.bluez.org/
https://bugs.gentoo.org/show_bug.cgi?id=101557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2547

Please use this reference in all communication regarding this vulnerability.

-- 
Thierry Carrez
Gentoo Linux Security
Comment 1 Marcus Meissner 2005-08-12 11:22:55 UTC 
From: Mark J Cox <mjc@redhat.com> 
 
Actually only 2.16, 2.17, 2.18 were vulnerable
Comment 2 Stefan Behlert 2005-08-12 11:39:05 UTC 
I assume we will make an update for older products?    
10.0 will contain 2.19 starting with beta2 if I am correct.  
I'll think I need a swamp-id for that, do I get it in this case from  
security-team or from aj?
Comment 3 Ludwig Nussel 2005-08-12 11:42:36 UTC 
If we are vulnerable in any released distro then we want to fix it there, yes.  
  
http://w3d.suse.de/Dev/Components/Packages/PackMan/pm_pr_fixing_bug.html#pm_pr_fb_bt_security_bugs
Comment 4 Stefan Behlert 2005-08-12 11:54:16 UTC 
Thanks for the link. I especially liked the part 
"The package maintainer does not need to write patchinfo files, the security 
team will handle that." :)
Comment 5 Ludwig Nussel 2005-08-12 11:56:31 UTC 
SM-Tracker-2029
Comment 6 Stefan Behlert 2005-08-12 12:01:39 UTC 
Thanks. Just for completeness: Is Monday early enough for a Patch for the old  
versions?
Comment 7 Ludwig Nussel 2005-08-12 12:05:26 UTC 
yes
Comment 8 Ludwig Nussel 2005-08-15 14:03:31 UTC 
which packages are affected? only bluez-libs?
Comment 9 Stefan Behlert 2005-08-15 14:22:19 UTC 
only bluez-utils , bluez-libs is not affected.  
unfortunately this means that I have to create patches for each of the  
affected versions:  
SL9.0/SLES8-SLEC:  2.3  
SL9.1/SLES9-SLD:   2.4  
SL9.2:             2.10  
SL9.3:             2.15  
  
Simply updating the packages with v2.19 is no option. The patches are already  
finished, I "just" have to test if build accepts them (which it does) and to  
check the packages into the autobuild-system, which will happen late today or  
early tomorrow.  
 
BTW the CAN-number seems to be wrong (or I am not allowed to view the bug), 
but I will include the CAN-number in the ChangeLog-files never-the-less if I 
don't hear otherwise from you.
Comment 10 Stefan Behlert 2005-08-15 15:41:29 UTC 
/work/src/done/9.0/bluez-utils  
/work/src/done/9.1/bluez-utils  
/work/src/done/9.2/bluez-utils  
/work/src/done/9.3/bluez-utils  
/work/src/done/SLEC/bluez-utils  
/work/src/done/SLES9-SLD/bluez-utils  
  
This should be all affected distributions.
Comment 11 Ludwig Nussel 2005-08-17 15:19:19 UTC 
mls pointed out that the patch is insufficient. '&' needs to be escaped as 
well.
Comment 12 Ludwig Nussel 2005-08-17 15:20:41 UTC 
hmm, wait
Comment 13 Ludwig Nussel 2005-08-17 15:32:41 UTC 
no, it's ok security wise. They surround the quoted string with double quotes. 
therefore only ` $ \ " need to be quoted. Quoting ; and | is not needed. Those 
characters would show up as \; and \| actually.
Comment 14 Michael Schröder 2005-08-17 17:33:00 UTC 
So shall we fix the patch by dropping the | and ; lines? 
(btw, why is tmp of size 497 and why is there a memset instead of *ptr = 0?)
Comment 15 Ludwig Nussel 2005-08-18 08:16:42 UTC 
No released distro is actually affected. The function calling popen doesn't 
read the device name at all so no need to quote it.
Comment 16 Stefan Behlert 2005-08-18 08:36:12 UTC 
i added | and ; explicit by request from upstream. I have to confess I didn't 
look to close at the patch for the old distros, since the versions there are 
quite different from the current one the fix from upstream is for. I saw that 
some old versions might allocate a little bit more memory than needed, but 
since no other harm should be done (and I wanted to get it out soon) I didn't 
change much from the original patch for v2.18.
Comment 17 Thomas Biege 2009-10-13 20:33:15 UTC 
CVE-2005-2547: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)