Bug 1015173 - (CVE-2016-9918) VUL-1: CVE-2016-9918: bluez,bluez-hcidump: Out of bounds stack read in packet_hexdump()
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/177296/
Whiteboard: CVSSv2:SUSE:CVE-2016-9918:2.9:(AV:A/A...
Reported: 2016-12-12 17:02 UTC by Marcus Meissner
Modified: 2021-05-05 15:00 UTC
Found By: Security Response Team

Attachments
CVE-2016-9918.poc (40 bytes, application/octet-stream), 2016-12-12 17:03 UTC, Marcus Meissner
Description Marcus Meissner 2016-12-12 17:02:36 UTC
https://www.spinics.net/lists/linux-bluetooth/msg68898.html

An out-of-bounds read was identified in the "packet_hexdump" function in the "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:

./monitor/btmon -r <PoC File>


PoC file, base64 encoded:
AACACQQHGAAaERDoAwAAAAkjBxgAAwMDAwMDAwMDAwMDAwMDAwMDAw==
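The defensive counterpart to the bug class described above, as an added example that is not bluez's code: a hexdump in btmon's row layout that is bounded by the bytes actually held rather than by the record's length field, plus a walker over a constructed length-prefixed record format (hypothetical, not btsnoop) that rejects a record whose length field exceeds the remaining data instead of reading past the buffer. The function names, record format and sample bytes are assumptions made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hexdump in btmon's row layout (16 bytes: hex columns, gap, ASCII column),
 * bounded by the bytes actually held ('avail'), not by the record's length
 * field alone. Returns rows written, -1 if claimed > avail; out==NULL = count only. */
int safe_hexdump(const uint8_t *buf, size_t avail, uint16_t claimed, FILE *out)
{
    static const char hexdigits[] = "0123456789abcdef";
    char str[68];
    int rows = 0;

    if (claimed > avail)
        return -1;                  /* length field lies about the data present */
    for (size_t i = 0; i < claimed; i++) {
        size_t col = i % 16;
        str[col * 3 + 0] = hexdigits[buf[i] >> 4];
        str[col * 3 + 1] = hexdigits[buf[i] & 0xf];
        str[col * 3 + 2] = ' ';
        str[col + 49] = isprint(buf[i]) ? (char)buf[i] : '.';
        if (col == 15 || i + 1 == claimed) {      /* row complete or last byte */
            memset(str + (col + 1) * 3, ' ', 49 - (col + 1) * 3); /* pad hex area */
            str[col + 50] = '\0';
            if (out)
                fprintf(out, "%s\n", str);
            rows++;
        }
    }
    return rows;
}

/* Walk records in a constructed format (hypothetical, not btsnoop): 2-byte
 * little-endian length, then payload. Returns records dumped, -1 if corrupt. */
int dump_records(const uint8_t *file, size_t size, FILE *out)
{
    size_t off = 0;
    int n = 0;
    while (off + 2 <= size) {
        uint16_t len = (uint16_t)(file[off] | (file[off + 1] << 8));
        off += 2;
        if (safe_hexdump(file + off, size - off, len, out) < 0)
            return -1;              /* record overruns the data we hold */
        off += len;
        n++;
    }
    return off == size ? n : -1;    /* dangling partial header is also corrupt */
}

/* Constructed samples: bad_file's second record claims 32 bytes, only 2 remain. */
static const uint8_t good_file[] = { 3, 0, 'h', 'c', 'i', 2, 0, 0xe8, 0x03 };
static const uint8_t bad_file[]  = { 3, 0, 'h', 'c', 'i', 32, 0, 0xe8, 0x03 };
```

Calling `dump_records(bad_file, sizeof bad_file, stdout)` prints the first record and then returns -1 without touching memory past the buffer.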
Comment 1 Marcus Meissner 2016-12-12 17:03:16 UTC
Created attachment 706109 [details]
CVE-2016-9918.poc

QA REPRODUCER:

btmon -r CVE-2016-9918.poc

should not result in a segmentation fault.
Comment 2 Marcus Meissner 2016-12-12 17:05:50 UTC
As the buffer is overwritten with characters 0-9a-f, exploitability is only a crash.
Comment 3 Swamp Workflow Management 2016-12-12 23:02:05 UTC
bugbot adjusting priority
Comment 7 Al Cho 2019-01-24 02:40:09 UTC
sr:182513
Comment 12 Al Cho 2019-02-18 08:13:05 UTC
*** Bug 1013893 has been marked as a duplicate of this bug. ***
Comment 13 Swamp Workflow Management 2019-02-28 14:09:47 UTC
SUSE-SU-2019:0510-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013721,1013732,1013877,1015173,1026652,1057342
CVE References: CVE-2016-7837,CVE-2016-9800,CVE-2016-9801,CVE-2016-9804,CVE-2016-9918,CVE-2017-1000250
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    bluez-5.13-3.10.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    bluez-5.13-3.10.1
SUSE Linux Enterprise Server 12-LTSS (src):    bluez-5.13-3.10.1
Comment 14 Deshun Wang 2019-03-25 05:25:46 UTC
Has this been fixed on SLE-12SP4? Is there a schedule?
Comment 15 Marcus Meissner 2019-03-25 15:48:30 UTC
The update is in the queue and will be released in the next days / 2 weeks.
Comment 16 Swamp Workflow Management 2019-04-02 16:17:11 UTC
SUSE-SU-2019:0841-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1015173
CVE References: CVE-2016-9918
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    bluez-5.48-5.13.10
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    bluez-5.48-5.13.10
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    bluez-5.48-5.13.10
SUSE Linux Enterprise Module for Basesystem 15 (src):    bluez-5.48-5.13.10

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2019-05-24 19:15:10 UTC
SUSE-SU-2019:1339-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171,1015173
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917,CVE-2016-9918
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bluez-5.13-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.