Bug 166791 - [CAN-2005-2547] Remote attackers can execute arbitrary commands with crafted Bluetooth device name
Summary: [CAN-2005-2547] Remote attackers can execute arbitrary commands with crafted ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: bluez-libs
Version: fc3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-08-25 19:05 UTC by Richard Dawe
Modified: 2007-04-18 17:30 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-08-13 13:24:40 UTC
Embargoed:


Attachments (Terms of Use)

Description Richard Dawe 2005-08-25 19:05:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.5.1

Description of problem:
From <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2547>:

"security.c in hcid for BlueZ 2.18 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the Bluetooth device name when invoking the PIN helper."

This is fixed in bluez-utils 2.19. From <http://www.bluez.org/>:

"06.08.2005 Release of bluez-libs-2.19 and bluez-utils-2.19

These releases fixes a security problem when the remote device names contain shell escape characters and an off by one memory allocation bug. They also add preliminary support for device specific service records."

I've prepared some updated packages, which you can find here:

http://homepages.nildram.co.uk/~phekda/richdawe/fedora/FC3/bluez-libs-2.19-1richdawe.src.rpm

It's unclear to me whether you need to update bluez-utils too, so I did:

http://homepages.nildram.co.uk/~phekda/richdawe/fedora/FC3/bluez-utils-2.19-1richdawe.src.rpm

I've tested this pair of packages by sending some images from a Sony Ericsson K750i mobile phone (cell phone) to my MSI USB Bluetooth dongle on my PC. Not exactly extensive testing.

Version-Release number of selected component (if applicable):
bluez-libs-2.10-2

How reproducible:
Didn't try

Steps to Reproduce:

  

Additional info:

Comment 1 Matthew Miller 2006-07-10 20:41:58 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 2 Richard Dawe 2006-07-11 20:41:37 UTC
It doesn't look like there's an update for bluez-libs 1.19 in Fedora Legacy.

Since this is a security issue, I've reassigned this to Fedora Legacy.

Comment 3 Matthew Miller 2006-07-11 20:46:10 UTC
Thanks!

Comment 4 Jesse Keating 2006-08-13 13:24:40 UTC
According to the CVE-2005-2547, this only effects bluez verions 2.16, 2.17, and
2.18.  FC3 and 4 shipped 2.15 and thus are not vulnerable.


Note You need to log in before you can comment on or make changes to this bug.