Bug 166792 - Remote attackers can execute arbitrary commands with crafted Bluetooth device name
Summary: Remote attackers can execute arbitrary commands with crafted Bluetooth device...
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: bluez-libs (Show other bugs)
(Show other bugs)
Version: 4
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: David Woodhouse
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-08-25 19:08 UTC by Richard Dawe
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-10 08:44:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Richard Dawe 2005-08-25 19:08:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.5.1

Description of problem:
From <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2547>:

"security.c in hcid for BlueZ 2.18 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the Bluetooth device name when invoking the PIN helper."

This is fixed in bluez-utils 2.19. From <http://www.bluez.org/>:

"06.08.2005 Release of bluez-libs-2.19 and bluez-utils-2.19

These releases fixes a security problem when the remote device names contain shell escape characters and an off by one memory allocation bug. They also add preliminary support for device specific service records."

Version-Release number of selected component (if applicable):
bluez-libs-2.15-1

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

Comment 1 Richard Dawe 2005-08-29 18:12:27 UTC
I've prepared some updated packages, which you can find here:

http://homepages.nildram.co.uk/~phekda/richdawe/fedora/FC4/bluez-libs-2.20-1richdawe.src.rpm

It's unclear to me whether you need to update bluez-utils too, so I did:

http://homepages.nildram.co.uk/~phekda/richdawe/fedora/FC4/bluez-utils-2.20-1richdawe.src.rpm

I've tested this pair of packages by sending some images from a Sony Ericsson
K750i mobile phone (cell phone) to my MSI USB Bluetooth dongle on my PC. Not
exactly extensive testing.

Comment 2 David Woodhouse 2006-09-10 08:44:23 UTC
Closing bug, since FC4 is no longer supported.

This probably should have been fixed before that happened, but unfortunately it
wasn't. Maybe the Fedora Legacy folks will issue an update.


Note You need to log in before you can comment on or make changes to this bug.