Debian Bug report logs - #303501
CAN-2005-0750: Bluetooth root exploit due to boundary checking

Package: kernel-source-2.6.8; Maintainer for kernel-source-2.6.8 is (unknown);

Reported by: "Geoff Crompton" <geoffc@strategicdata.com.au>

Date: Thu, 7 Apr 2005 03:18:01 UTC

Severity: critical

Tags: security

Found in version 2.6.8-15

Done: muehlenhoff@univention.de (Moritz Mühlenhoff)

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#303501; Package kernel-source-2.6.8. (full text, mbox, link).

Acknowledgement sent to "Geoff Crompton" <geoffc@strategicdata.com.au>:
New Bug report received and forwarded. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: critical
Justification: root security hole

USN-103-1 says this:
> Ilja van Sprundel discovered that the bluez_sock_create() function did
> not check its "protocol" argument for negative values. A local
> attacker could exploit this to execute arbitrary code with root
> privileges by creating a Bluetooth socket with a specially crafted
> protocol number. (CAN-2005-0750) 

It's fixed in 2.6.11.6, and the relevant diff can be seen:
http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fincr%2Fpatch-2.6.11.5-6.bz2;z=6

Tags added: security Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#303501; Package kernel-source-2.6.8. (full text, mbox, link).

Acknowledgement sent to Matthijs Mohlmann <matthijs@cacholong.nl>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (full text, mbox, link).

Message #12 received at 303501@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi,

It seems that this is fixed in the current kernel (just uploaded)

The patch submitted by this bug seems to be applied already.

Probably forgotten to add to the changelog entry ?

Regards,

Matthijs Mohlmann

[signature.asc (application/pgp-signature, attachment)]

Reply sent to muehlenhoff@univention.de (Moritz Mühlenhoff):
You have taken responsibility. (full text, mbox, link).

Notification sent to "Geoff Crompton" <geoffc@strategicdata.com.au>:
Bug acknowledged by developer. (full text, mbox, link).

Message #17 received at 303501-done@bugs.debian.org (full text, mbox, reply):

Hi,
this bug has already been fixed as part of the 2.6.8-16 upload, but
was not directly closed through the changelog, so I'm closing it now.

Cheers,
         Moritz
-- 
Moritz Muehlenhoff muehlenhoff@univention.de     fon: +49 421 22 232- 0
Development        Linux for Your Business       fax: +49 421 22 232-99
Univention GmbH    http://www.univention.de/   mobil: +49 175 22 999 23

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Aug 14 22:42:17 2018; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #303501 CAN-2005-0750: Bluetooth root exploit due to boundary checking

Debian Bug report logs - #303501
CAN-2005-0750: Bluetooth root exploit due to boundary checking