Bug 452715 - (CVE-2008-2374) CVE-2008-2374 bluez-libs: SDP payload processing vulnerability
CVE-2008-2374 bluez-libs: SDP payload processing vulnerability
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 452820 452821 452822 452878 452879 452880 452881 453384 453385 453386 453387 833879 833880
  Show dependency treegraph
Reported: 2008-06-24 11:46 EDT by Jan Lieskovsky
Modified: 2012-06-20 10:00 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-09 04:42:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Fixes for SDP vulnerability in bluez-libs (29.37 KB, patch)
2008-06-24 12:37 EDT, Marcel Holtmann
no flags Details | Diff
Fixes for SDP vulnerability in bluez-utils (9.95 KB, patch)
2008-06-24 12:38 EDT, Marcel Holtmann
no flags Details | Diff
Patch for bluez-libs 3.7 in RHEL5 (28.26 KB, patch)
2008-06-25 06:16 EDT, Bastien Nocera
no flags Details | Diff
Patch for 3.7 (6.90 KB, patch)
2008-06-25 06:32 EDT, Bastien Nocera
no flags Details | Diff
RHEL-4 bluez-libs patch (27.25 KB, patch)
2008-06-26 10:12 EDT, Bastien Nocera
no flags Details | Diff
Patch for bluez-utils 2.10 (RHEL-4) (7.87 KB, patch)
2008-06-27 05:38 EDT, Bastien Nocera
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2008-06-24 11:46:38 EDT
Description of problem:

The SDP parsing code blindly trusts string length fields in incoming
SDP packets, exposing reliant applications to over-the-wireless memory
manipulation attacks.   An attacker need only send a malformed
response to an SDP query to take advantage of this.

This is most apparent in file bluez-libs-3.30/src/sdp.c, lines 988,
994, 1002 (see below).  Also elsewhere in the code where input
pointers are advanced without checking bytes remaining to be parsed.
The root of the problem is that in bluez-libs-3.30/src/sdp.c:1125, the
function sdp_extract_pdu() takes a buffer to parse (in) and a pointer
to a length field (out), but it does not take an incoming length field

Attached is a patch to fix this issue.  Basically I added a
"bytesleft" argument to all of the SDP payload processing routines;
length fields are checked
against the number of remaining bytes to ensure the parser doesn't run
past the end of the packet, or do crazy things like malloc two gigs of
memory.  This touches a lot of places, and changes the external API
for SDP payload processing, but I don't see any other way to do this
-- the parser MUST be aware of the incoming packet size in order for
this to be secure.

Version-Release number of selected component (if applicable):
All versions before bluez-{libs,utils}-3.34 

Additional info:

Proposed upstream patch:

Comment 1 Jan Lieskovsky 2008-06-24 11:48:05 EDT
Public mention about this issue:

Comment 7 Bastien Nocera 2008-06-24 13:15:59 EDT
(In reply to comment #3)
> This issue affects the code of bluez-libs as shipped with RHEL-{4,5} and
> Fedora-{8,9}. 

Did you file bugs for the Fedora versions?
Comment 24 Fedora Update System 2008-07-06 02:15:11 EDT
bluez-utils-3.35-2.fc9, bluez-libs-3.35-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bluez-utils bluez-libs'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6133
Comment 25 Jan Lieskovsky 2008-07-08 09:27:33 EDT
More information about potential security consequences of this one
from Marcel Holtmann:

It affects the SDP client functionality and I don't see how you can
actually trigger it. The user has to first enter a trusted relationship
with the remote device before unexpected SDP transaction will happen and
then you can do more harm anyway. The exception is that the user has
proximity tool running that scans every device in range, but such things
are neither shipped with RHEL or Fedora.

However today I realized that there is an issue with the SDP service
record registration. As normal user you can register service records via
an old Unix socket interface or via D-Bus. Both times you give the
record in binary form and since hcid is running as root, this could
allow a privilege escalation.

The post mentions that you could
trigger this remotely. This is a hard stretch since you actually have to
construct a scenario for it. BlueZ will not connect to other devices
without trusting them by default.

However the same parsing is used to create service records locally and
hence you have a local privilege escalation.

Comment 26 Fedora Update System 2008-09-10 02:51:44 EDT
bluez-libs-3.35-1.fc9, bluez-utils-3.35-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2008-10-15 22:09:49 EDT
bluez-utils-3.35-3.fc8, bluez-libs-3.35-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Red Hat Product Security 2009-01-09 04:42:48 EST
This issue was addressed in:

Red Hat Enterprise Linux:


Note You need to log in before you can comment on or make changes to this bug.