Bluez security alert from Arch

13 September 2017, 01:36:31

I think bluez affects many users and I don't know how may subscribe to arch alerts, but here it is:

Arch Linux Security Advisory ASA-201709-3
=========================================

Severity: High
Date : 2017-09-12
CVE-ID : CVE-2017-1000250
Package : bluez
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-396

Summary
=======

The package bluez before version 5.46-2 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 5.46-2.

# pacman -Syu "bluez>=5.46-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

An information-disclosure flaw was found in the bluetoothd
implementation of the Service Discovery Protocol (SDP). A specially
crafted Bluetooth device could, without prior pairing or user
interaction, retrieve portions of the bluetoothd process memory,
including potentially sensitive information such as Bluetooth
encryption keys.

Impact
======

A remote attacker is able to use a specially crafted Bluetooth device
to obtain sensitive information such as Bluetooth encryption keys.

References
==========

https://bugs.archlinux.org/task/55603
https://www.armis.com/blueborne/
http://pkgs.fedoraproject.org/cgit/rpms/bluez.git/plain/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
https://security.archlinux.org/CVE-2017-1000250

Re: Bluez security alert from Arch

Reply #1 – 13 September 2017, 10:15:41

I updated the package and it will be available in the [world-testing] repo shortly, to upgrade follow the steps below:

Uncomment or add the [world-testing] repo to your /etc/pacman.conf configuration file
Run sudo pacman -Syu bluez
Comment back the [world-testig] repo

Regards.

Re: Bluez security alert from Arch

Reply #2 – 13 September 2017, 14:17:16

Thanks for patch! It worked well

Re: Bluez security alert from Arch

Reply #3 – 17 September 2017, 21:09:23

Works for me.