Bug 2125965 (CVE-2022-39177)

Summary: CVE-2022-39177 bluez: BlueZ allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bnocera, darcari, dwmw2, dzickus, gopalkrishna.tiwari, hwkernel-mgr, jburrell, pbrobinson, spacewar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in BlueZ. This flaw allows physically proximate attackers to cause a denial of service due to malformed and invalid capabilities processed in profiles/audio/avdtp.c.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2125971, 2125972, 2125973    
Bug Blocks: 2123781    

Description Sandipan Roy 2022-09-12 06:22:50 UTC 
BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.

https://ubuntu.com/security/notices/USN-5481-1
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
Comment 1 Sandipan Roy 2022-09-12 06:37:39 UTC 
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 2125972]