Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 14 Jan 2019 10:50:53 +1100
From: Michael Ellerman <mpe@...erman.id.au>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Cc: Marcel Holtmann <marcel@...tmann.org>, Johan Hedberg <johan.hedberg@...il.com>
Subject: Re: Linux kernel: Bluetooth: two remote infoleaks (CVE-2019-3459, CVE-2019-3460)

Solar Designer <solar@...nwall.com> writes:
> Hi,
>
> Ran Menscher (Bcc'ed on this message) reported two issues (crediting
> "Shlomi Oberman, Yuli Shapiro and Karamba Security Ltd. research team")
> in Linux's Bluetooth stack to linux-distros and security@k.o on
> January 1.  Unfortunately, but unsurprisingly to me, we collectively
> failed to handle these issues well.  We did some things right, but not
> all of those that ideally would have been done before embargo end.  From
> the start, Ran was unwilling to precisely follow the linux-distros list
> policy (set a tentative public disclosure date/time) and to stay on top
> of the issues, instead expecting linux-distros to act more like a CERT
> (coordinate with other parties), which it mostly is not.  I did point
> this out to Ran, and suggested contacting Android, but I think no one
> did that.  (See the third "forwarded message" below on this "not a CERT"
> aspect and what can be done about it.)  The Bluetooth subsystem
> maintainers didn't reply.  Distros appeared uninterested in doing
> anything about the issues under embargo.  There were also numerous
> occasions where I ended up substituting for other distros' roles they
> had volunteered for.  And now I am doing Ran's job of making the
> mandatory posting to oss-security (after a reminder yesterday).
>
> On the bright side, I appreciate Greg KH's (security@k.o) handling of
> these issues.  Greg took care of notifying the Bluetooth maintainers and
> produced patches suitable for posting to the Linux lists (but still
> needing review and testing), and made such postings as soon as the
> embargo was over.  The thread with patches:
>
> https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
>
> I also appreciate Yves-Alexis Perez (Debian) assigning the CVE IDs:
>
>> On Tue, 2019-01-01 at 09:27 +0000, Ran Menscher wrote:
>> > BUG 1 HEAP ADDRESS INFOLEAK IN USE OF L2CAP_GET_CONF_OPT
>>  
>> CVE-2019-3459
>> 
>> > BUG 2 HEAP DATA INFOLEAK IN MULTIPLE LOCATIONS INCLUDING FUNCTION
>> > L2CAP_PARSE_CONF_RSP
>>  
>> CVE-2019-3460
>
> Also very helpful was Ran's answer that "According to git blame, the
> issues had been introduced in Linux-2.6.12-rc2 (in 2005)"

I'm not sure that's correct. That happens to be the start of the
mainline git history, so all code older than that appears to have been
added by that commit.

Looking at the full history tree, I think I see the bug being introduced
in l2cap_get_conf_opt() here in May 2002 during the 2.5.x series:

  https://github.com/mpe/linux-fullhistory/commit/c38fab942f7ce71b30bfa71b3c75846ed6dc4846#diff-4d1b9a05ae99bd80285a75f4ded05abbL1519


Looking at l2cap_parse_conf_req(), the lack of error handling dates back
to the original submission, in v2.4.5.2 in May 2001:

  https://github.com/mpe/linux-fullhistory/commit/5857cb7a6e8112e1f3125ca2fe7f815e379ae2f3#diff-dd9f85cee1be8eba9aef4a6ee3ab099dR1436


There's instructions for using the fullhistory tree here:
  https://github.com/mpe/linux-fullhistory/wiki

cheers

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.