Bug 1606203 (CVE-2018-10910)

Summary: CVE-2018-10910 bluez: failure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized pairing of Bluetooth devices

| Field | Value |
|---|---|
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Reporter | Scott Gayou <sgayou> |
| Assignee | Red Hat Product Security <security-response-team> |
| QA Contact | |
| Docs Contact | |
| CC | bnocera, darcari, dwmw2, dzickus, gtiwari, hwkernel-mgr, spacewar |
| Keywords | Security |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A bug in BlueZ may allow the Bluetooth Discoverable state to be set to on when no Bluetooth agent is registered with the system. In that state certain Bluetooth devices may be able to pair with the host without any form of authentication. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-03-31 22:32:46 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1606371, 1606373, 1609340 |
| Bug Blocks | 1594633 |
Description

Scott Gayou, 2018-07-20 18:55:53 UTC:

Upstream workaround in gnome-bluetooth: https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89

Note that the actual bug is not in gnome-bluetooth.

Later comments

RHEL is not affected as RHEL-7 is running Gnome 3.26, which is not impacted.

Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1606371]

Acknowledgments:

Name: Chris Marchesi

Mitigation:

Disable Bluetooth.

It appears that a fix was merged upstream and may be available in a future release of BlueZ 5.51. gnome-bluetooth-3.28.2 will take advantage of this fix.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1101 https://access.redhat.com/errata/RHSA-2020:1101

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-10910

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:1912 https://access.redhat.com/errata/RHSA-2020:1912