Bug 2052676 (CVE-2020-10370) - CVE-2020-10370 Bluez: bluetooth firmware has Sweyntooth and Spectra issues
Summary: CVE-2020-10370 Bluez: bluetooth firmware has Sweyntooth and Spectra issues
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-10370
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2052579
Reported: 2022-02-09 18:43 UTC by Vipul Nair
Modified: 2024-01-15 17:20 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A lateral-movement denial of service vulnerability was found in resource-sharing Bluetooth hardware. By obtaining code execution on the Bluetooth or Wifi chip, an attacker can perform a lateral denial of service attack on a chip's shared memory resources, impacting the system's availability.
Clone Of:
Environment:
Last Closed: 2022-02-10 13:51:36 UTC
Embargoed:


Description Vipul Nair 2022-02-09 18:43:57 UTC
An update was found in the Raspberry Pi foundation git repository with the following message:
"Bluetooth firmware update works around most of the report "Spectra" class of vulnerabilities. CVE-2020-10370 will be addressed in a follow-up release."

I suppose the fixed CVEs are:
CVE-2020-10367
CVE-2020-10368
CVE-2020-10369

Comment 1 Peter Robinson 2022-02-09 22:39:58 UTC
So there's so many unanswered questions in your statement:
1) bluez doesn't ship firmware it's purely userspace software
2) we don't ship bluetooth firmware that works with the Raspberry Pi as it's not upstream in linux-firmware (see the bugs against that about that)
3) the raspberry pi devices have a number of wireless modules from a number of vendors which of those are affected.

I also don't have access to the blocking RHBZ so I can't see what else is there (and yes I'm a RHer).

Please do some proper research because ATM this isn't a bug!

Comment 2 TEJ RATHI 2022-02-10 11:43:55 UTC
@ Peter Robinson, ACK. Closing this as NOTABUG.

Comment 3 Product Security DevOps Team 2022-02-10 12:22:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10370

Comment 4 Alex 2022-02-10 13:30:06 UTC
In reply to comment #1:
> So there's so many unanswered questions in your statement:
> 1) bluez doesn't ship firmware it's purely userspace software
> 2) we don't ship bluetooth firmware that works with the Raspberry Pi as it's
> not upstream in linux-firmware (see the bugs against that about that)
> 3) the raspberry pi devices have a number of wireless modules from a number
> of vendors which of those are affected.
> 
> I also don't have access to the blocking RHBZ so I can't see what else is
> there (and yes I'm a RHer).
> 
> Please do some proper research because ATM this isn't a bug!

Are you sure that this one is with "raspberry pi devices" only?
Looking at the sub CVE-2020-10367, it is "Code execution on a Broadcom Bluetooth chip leads to code execution within Wi-Fi".

Why could this chip not be with other platforms that we support?

Seeing what is currently already included in rhel*:
"ls /lib/firmware/brcm/bcm43
bcm4329-fullmac-4.bin  bcm43xx-0.fw           bcm43xx_hdr-0.fw
"
, so maybe we will have to ship
broadcom/BCM43430A1.hcd
broadcom/BCM4345C0.hcd
broadcom/BCM43430A1.hcd
broadcom/BCM4345C0.hcd
also?

Keeping this flaw open, even though maybe it could be closed later as NOTABUG if it is only for Raspberry Pi and if no Red Hat products are compatible with related chips.

If I understand right, these three patches (for the bluez-firmware) are related to this CVE:
https://github.com/RPi-Distro/bluez-firmware/commit/98cbd44897277502200537dbacbe53a22def0417
https://github.com/RPi-Distro/bluez-firmware/commit/afe608e7055a0c8d80c9430e16993e6219e46c93
https://github.com/RPi-Distro/bluez-firmware/commit/ba01b70ddf3fcccb47895d885724919da045421f
(info taken from https://bugzilla.suse.com/show_bug.cgi?id=1176631 ).

Comment 5 Product Security DevOps Team 2022-02-10 13:51:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10370

Comment 6 Peter Robinson 2022-02-10 14:53:25 UTC
> Why could this chip not be with other platforms that we support?

It could be but it's not a bluez bug as stated in the title. It would be linux-firmware. BUT there's 3 vendors that ship brcmfmac HW - Broadcom, Infineon/Cypress and Synaptics. The Raspberry Pi has HW, as do other HW vendors, from all 3 of those suppliers. If for example it's only relevant to Synaptics HW we're not vulnerable as we don't ship any Synaptics firmware. That's why we need more information to work out what actually is or is not vulnerable.
