Bug 104357 - (CVE-2005-2547) VUL-0: CVE-2005-2547: bluez command execution
Status: VERIFIED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other All
Priority: P2 - High
Severity: Normal
Target Milestone: ---
Assigned To: Stefan Behlert
QA Contact: Security Team bot
Whiteboard: CVE-2005-2547: CVSS v2 Base Score: 7....
Depends on:
Blocks:
Reported: 2005-08-12 11:11 UTC by Ludwig Nussel
Modified: 2022-01-06 14:39 UTC (History)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Ludwig Nussel 2005-08-12 11:11:24 UTC
We received the following report via vendor-sec.
The issue is public.

   6 remote non-root user
  +1 default package
  -1 default inactive
  -1 user interaction
  +1 command execution

Total Score: 6 (Moderate)

Date: Fri, 12 Aug 2005 09:34:59 +0200
From: Thierry Carrez <koon@gentoo.org>
To: vendor-sec <vendor-sec@lst.de>, marcel@holtmann.org
Subject: [vendor-sec] CAN assignment for bluez-utils device name validation vulnerability

Hello everyone,

Please note that following (public) vulnerability in bluez-utils was
assigned CAN-2005-2547 :

The name of a Bluetooth device is improperly validated by the hcid
utility when a remote device attempts to pair itself with a computer.

An attacker could create a malicious device name (containing shell
escape characters) on a Bluetooth device resulting in arbitrary commands
being executed as root upon attempting to pair the device with the computer.

Vulnerable: <= 2.18
Fixed in 2.19

Refs:
http://www.bluez.org/
https://bugs.gentoo.org/show_bug.cgi?id=101557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2547

Please use this reference in all communication regarding this vulnerability.

-- 
Thierry Carrez
Gentoo Linux Security
Comment 1 Marcus Meissner 2005-08-12 11:22:55 UTC
From: Mark J Cox <mjc@redhat.com> 
 
Actually only 2.16, 2.17, 2.18 were vulnerable 
 
Comment 2 Stefan Behlert 2005-08-12 11:39:05 UTC
I assume we will make an update for older products?
10.0 will contain 2.19 starting with beta2 if I am correct.
I think I need a swamp-id for that; do I get it in this case from
security-team or from aj?
Comment 3 Ludwig Nussel 2005-08-12 11:42:36 UTC
If we are vulnerable in any released distro then we want to fix it there, yes.  
  
http://w3d.suse.de/Dev/Components/Packages/PackMan/pm_pr_fixing_bug.html#pm_pr_fb_bt_security_bugs  
Comment 4 Stefan Behlert 2005-08-12 11:54:16 UTC
Thanks for the link. I especially liked the part 
"The package maintainer does not need to write patchinfo files, the security 
team will handle that." :) 
Comment 5 Ludwig Nussel 2005-08-12 11:56:31 UTC
SM-Tracker-2029 
Comment 6 Stefan Behlert 2005-08-12 12:01:39 UTC
Thanks. Just for completeness: Is Monday early enough for a patch for the old
versions?
Comment 7 Ludwig Nussel 2005-08-12 12:05:26 UTC
yes 
Comment 8 Ludwig Nussel 2005-08-15 14:03:31 UTC
Which packages are affected? Only bluez-libs?
Comment 9 Stefan Behlert 2005-08-15 14:22:19 UTC
Only bluez-utils; bluez-libs is not affected.
Unfortunately this means that I have to create patches for each of the
affected versions:
SL9.0/SLES8-SLEC:  2.3  
SL9.1/SLES9-SLD:   2.4  
SL9.2:             2.10  
SL9.3:             2.15  
  
Simply updating the packages with v2.19 is not an option. The patches are already
finished, I "just" have to test if build accepts them (which it does) and to
check the packages into the autobuild-system, which will happen late today or
early tomorrow.
 
BTW the CAN-number seems to be wrong (or I am not allowed to view the bug),
but I will include the CAN-number in the ChangeLog files nevertheless if I
don't hear otherwise from you.
  
Comment 10 Stefan Behlert 2005-08-15 15:41:29 UTC
/work/src/done/9.0/bluez-utils  
/work/src/done/9.1/bluez-utils  
/work/src/done/9.2/bluez-utils  
/work/src/done/9.3/bluez-utils  
/work/src/done/SLEC/bluez-utils  
/work/src/done/SLES9-SLD/bluez-utils  
  
This should be all affected distributions. 
 
Comment 11 Ludwig Nussel 2005-08-17 15:19:19 UTC
mls pointed out that the patch is insufficient. '&' needs to be escaped as 
well. 
Comment 12 Ludwig Nussel 2005-08-17 15:20:41 UTC
hmm, wait  
Comment 13 Ludwig Nussel 2005-08-17 15:32:41 UTC
No, it's ok security-wise. They surround the quoted string with double quotes.
Therefore only ` $ \ " need to be quoted. Quoting ; and | is not needed. Those
characters would show up as \; and \| actually.
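The quoting rule from comment 13, worked through as an added example (this is not code from bluez-utils, nor from the patches discussed in this bug). The untrusted device name is embedded inside a double-quoted shell argument before the command line reaches popen(), so only the four characters the shell still interprets inside double quotes (backquote, dollar, backslash, double quote) get a backslash. Semicolon and pipe are deliberately left alone: inside double quotes they are already literal, and a backslash in front of them would be handed through to the helper as \; and \|, corrupting the name. The function names `quote_for_shell` and `build_pairing_cmd` and the helper path are assumptions made for the example.

```c
/* Added example: escape an untrusted string for a double-quoted shell argument.
 * Hypothetical code written for this bug discussion, not from bluez-utils. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder helper path, constructed for the example (not the hcid helper). */
#define PIN_HELPER "/usr/lib/example/pin-helper"

/* Inside "...", the shell treats only these four bytes specially.
 * ';' '|' '&' are literal inside double quotes and must NOT be escaped
 * (a backslash before them would survive as part of the argument). */
static int needs_backslash(char c)
{
    return c == '"' || c == '\\' || c == '$' || c == '`';
}

/* Write "<escaped src>" into dst. Returns 0 on success, -1 if dst is too
 * small; dst is always NUL-terminated when dstlen > 0, so the caller can
 * never pass a truncated, half-quoted string to the shell. */
int quote_for_shell(const char *src, char *dst, size_t dstlen)
{
    size_t need = 3;                       /* two quotes plus the NUL */
    for (const char *p = src; *p; p++)
        need += needs_backslash(*p) ? 2 : 1;
    if (dstlen < need) {
        if (dstlen) dst[0] = '\0';
        return -1;
    }

    char *out = dst;
    *out++ = '"';
    for (const char *p = src; *p; p++) {
        if (needs_backslash(*p))
            *out++ = '\\';
        *out++ = *p;
    }
    *out++ = '"';
    *out = '\0';
    return 0;
}

/* Build the full command line that would be handed to popen(). The size is
 * computed from the input, so no fixed "tmp[497]"-style buffer is needed. */
int build_pairing_cmd(const char *devname, char *cmd, size_t cmdlen)
{
    size_t qlen = 2 * strlen(devname) + 3; /* worst case: every byte escaped */
    char *quoted = malloc(qlen);
    if (!quoted)
        return -1;
    int rc = quote_for_shell(devname, quoted, qlen);
    if (rc == 0) {
        int n = snprintf(cmd, cmdlen, PIN_HELPER " %s", quoted);
        if (n < 0 || (size_t)n >= cmdlen)
            rc = -1;
    }
    free(quoted);
    return rc;
}

int main(void)
{
    /* Constructed device names: one with metacharacters that are harmless
     * inside double quotes, one with the four that must be escaped. */
    const char *names[] = { "My Phone", "a;b|c&d", "x$(y)`z`\"\\" };
    char cmd[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_pairing_cmd(names[i], cmd, sizeof cmd) == 0)
            printf("%s\n", cmd);
        else
            printf("name too long: %s\n", names[i]);
    }
    return 0;
}
```

Running it prints the three command lines; the second shows `;`, `|` and `&` untouched inside the quotes, the third shows each of `$`, `` ` ``, `"` and `\` prefixed with a backslash, which is exactly the set comment 13 arrives at.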
Comment 14 Michael Schröder 2005-08-17 17:33:00 UTC
So shall we fix the patch by dropping the | and ; lines? 
(btw, why is tmp of size 497 and why is there a memset instead of *ptr = 0?) 
Comment 15 Ludwig Nussel 2005-08-18 08:16:42 UTC
No released distro is actually affected. The function calling popen doesn't 
read the device name at all so no need to quote it. 
Comment 16 Stefan Behlert 2005-08-18 08:36:12 UTC
I added | and ; explicitly by request from upstream. I have to confess I didn't
look too closely at the patch for the old distros, since the versions there are
quite different from the current one the fix from upstream is for. I saw that
some old versions might allocate a little bit more memory than needed, but
since no other harm should be done (and I wanted to get it out soon) I didn't
change much from the original patch for v2.18.
Comment 17 Thomas Biege 2009-10-13 20:33:15 UTC
CVE-2005-2547: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)