Debian Bug report logs - #323365
bluez-utils: Arbitrary command execution through improper escaping in hcid's security.c


Package: bluez-utils; Maintainer for bluez-utils is Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>; Source for bluez-utils is src:bluez.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 16 Aug 2005 09:48:04 UTC

Severity: grave

Tags: patch, security

Fixed in version bluez-utils/2.19-1

Done: Edd Dumbill <ejad@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Edd Dumbill <ejad@debian.org>:
Bug#323365; Package bluez-utils.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Edd Dumbill <ejad@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bluez-utils: Arbitrary command execution through improper escaping in hcid's security.c
Date: Tue, 16 Aug 2005 11:35:51 +0200

Package: bluez-utils
Severity: grave
Tags: security patch
Justification: user security hole

A vulnerability in hcid has been found. Please see these URLs for details:
http://sourceforge.net/mailarchive/forum.php?thread_id=7893206&forum_id=1881
https://bugs.gentoo.org/show_bug.cgi?id=101557

Upstream fix available at:
http://cvs.sourceforge.net/viewcvs.py/bluez/utils/hcid/security.c?r1=1.31&r2=1.34

This is CAN-2005-2547.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Reply sent to Edd Dumbill <ejad@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #10 received at 323365-close@bugs.debian.org:

From: Edd Dumbill <ejad@debian.org>
To: 323365-close@bugs.debian.org
Subject: Bug#323365: fixed in bluez-utils 2.19-1
Date: Thu, 18 Aug 2005 17:32:04 -0700

Source: bluez-utils
Source-Version: 2.19-1

We believe that the bug you reported is fixed in the latest version of
bluez-utils, which is due to be installed in the Debian FTP archive:

bluez-bcm203x_2.19-1_i386.deb
  to pool/contrib/b/bluez-utils/bluez-bcm203x_2.19-1_i386.deb
bluez-cups_2.19-1_i386.deb
  to pool/main/b/bluez-utils/bluez-cups_2.19-1_i386.deb
bluez-pcmcia-support_2.19-1_i386.deb
  to pool/main/b/bluez-utils/bluez-pcmcia-support_2.19-1_i386.deb
bluez-utils_2.19-1.diff.gz
  to pool/main/b/bluez-utils/bluez-utils_2.19-1.diff.gz
bluez-utils_2.19-1.dsc
  to pool/main/b/bluez-utils/bluez-utils_2.19-1.dsc
bluez-utils_2.19-1_i386.deb
  to pool/main/b/bluez-utils/bluez-utils_2.19-1_i386.deb
bluez-utils_2.19.orig.tar.gz
  to pool/main/b/bluez-utils/bluez-utils_2.19.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 323365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Edd Dumbill <ejad@debian.org> (supplier of updated bluez-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 Aug 2005 01:12:02 +0100
Source: bluez-utils
Binary: bluez-pcmcia-support bluez-bcm203x bluez-cups bluez-utils
Architecture: source i386
Version: 2.19-1
Distribution: unstable
Urgency: high
Maintainer: Edd Dumbill <ejad@debian.org>
Changed-By: Edd Dumbill <ejad@debian.org>
Description: 
 bluez-bcm203x - Firmware loader for Broadcom 203x based Bluetooth devices
 bluez-cups - Bluetooth printer driver for CUPS
 bluez-pcmcia-support - PCMCIA support files for BlueZ 2.0 Bluetooth tools
 bluez-utils - Bluetooth tools and daemons
Closes: 323365
Changes: 
 bluez-utils (2.19-1) unstable; urgency=high
 .
   * New upstream release.
   * Urgency high as fixes hcid pin helper vulnerability (CAN-2005-2547)
     (Closes: #323365)
   * Bump libbluetooth1-dev build dependency to 2.19
   * Add note about new features in debian/NEWS
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDBSaUrxbtsbubhxERAjuFAJ965cJ9E711/V4IU/94JfJ2QXFWcACgr+ff
OF1uGlAG5HeCYLyIIUqkthU=
=ZFLc
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#323365; Package bluez-utils.

Acknowledgement sent to Edd Dumbill <ejad@debian.org>:
Extra info received and forwarded to list.

Message #15 received at 323365@bugs.debian.org:

From: Edd Dumbill <ejad@debian.org>
To: William Ballard <nospam_50916@alltel.net>
Cc: debian-user@lists.debian.org, 323365@bugs.debian.org
Subject: Re: bluez-utils 2.19-1 not in Sarge security updates?
Date: Sun, 25 Sep 2005 23:22:11 +0100

On Sun, 2005-09-25 at 18:06 -0400, William Ballard wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323365
> 
> Why is this grave security bugfix not in Sarge security updates, more 
> than a month later?  I know there's a "good reason," but in my few years 
> of using Debian I have always run unstable.

It is, version 2.15-1.1, you just missed it.

We don't upload new upstream versions to stable to fix security holes.
Where we can we just backport the fix.  This is so as not to cause
knock-on problems introduced in new versions.

In the case of bluez-utils, this is exactly what was done -- see 
http://packages.debian.org/stable/admin/bluez-utils
http://packages.debian.org/changelogs/pool/main/b/bluez-utils/bluez-utils_2.15-1.1/changelog

I would not have closed the bug if the fix hadn't gone in.

-- Edd





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 06:17:00 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:52:39 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.