bluez-utils: Arbitrary command execution through improper escaping in hcid's security.c

Bug #19942 reported by Debian Bug Importer
Affects               Status        Importance  Assigned to  Milestone
bluez-utils (Debian)  Fix Released  Unknown
bluez-utils (Ubuntu)  Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #323365 http://bugs.debian.org/323365

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 16 Aug 2005 11:35:51 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: bluez-utils: Arbitrary command execution through improper escaping in hcid's
 security.c

Package: bluez-utils
Severity: grave
Tags: security patch
Justification: user security hole

A vulnerability in hcid has been found. Please see this URL for details:
http://sourceforge.net/mailarchive/forum.php?thread_id=7893206&forum_id=1881
https://bugs.gentoo.org/show_bug.cgi?id=101557

Upstream fix available at:
http://cvs.sourceforge.net/viewcvs.py/bluez/utils/hcid/security.c?r1=1.31&r2=1.34

This is CAN-2005-2547.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Martin Pitt (pitti) wrote :

Fixed in Breezy; Warty and Hoary are not vulnerable.

In , Edd Dumbill (ejad) wrote : Bug#323365: fixed in bluez-utils 2.19-1

Source: bluez-utils
Source-Version: 2.19-1

We believe that the bug you reported is fixed in the latest version of
bluez-utils, which is due to be installed in the Debian FTP archive:

bluez-bcm203x_2.19-1_i386.deb
  to pool/contrib/b/bluez-utils/bluez-bcm203x_2.19-1_i386.deb
bluez-cups_2.19-1_i386.deb
  to pool/main/b/bluez-utils/bluez-cups_2.19-1_i386.deb
bluez-pcmcia-support_2.19-1_i386.deb
  to pool/main/b/bluez-utils/bluez-pcmcia-support_2.19-1_i386.deb
bluez-utils_2.19-1.diff.gz
  to pool/main/b/bluez-utils/bluez-utils_2.19-1.diff.gz
bluez-utils_2.19-1.dsc
  to pool/main/b/bluez-utils/bluez-utils_2.19-1.dsc
bluez-utils_2.19-1_i386.deb
  to pool/main/b/bluez-utils/bluez-utils_2.19-1_i386.deb
bluez-utils_2.19.orig.tar.gz
  to pool/main/b/bluez-utils/bluez-utils_2.19.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Edd Dumbill <email address hidden> (supplier of updated bluez-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Fri, 19 Aug 2005 01:12:02 +0100
Source: bluez-utils
Binary: bluez-pcmcia-support bluez-bcm203x bluez-cups bluez-utils
Architecture: source i386
Version: 2.19-1
Distribution: unstable
Urgency: high
Maintainer: Edd Dumbill <email address hidden>
Changed-By: Edd Dumbill <email address hidden>
Description:
 bluez-bcm203x - Firmware loader for Broadcom 203x based Bluetooth devices
 bluez-cups - Bluetooth printer driver for CUPS
 bluez-pcmcia-support - PCMCIA support files for BlueZ 2.0 Bluetooth tools
 bluez-utils - Bluetooth tools and daemons
Closes: 323365
Changes:
 bluez-utils (2.19-1) unstable; urgency=high
 .
   * New upstream release.
   * Urgency high as fixes hcid pin helper vulnerability (CAN-2005-2547)
     (Closes: #323365)
   * Bump libbluetooth1-dev build dependency to 2.19
   * Add note about new features in debian/NEWS

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 18 Aug 2005 17:32:04 -0700
From: Edd Dumbill <email address hidden>
To: <email address hidden>
Subject: Bug#323365: fixed in bluez-utils 2.19-1


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 25 Sep 2005 23:22:11 +0100
From: Edd Dumbill <email address hidden>
To: William Ballard <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: bluez-utils 2.19-1 not in Sarge security updates?

On Sun, 2005-09-25 at 18:06 -0400, William Ballard wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323365
>
> Why is this grave security bugfix not in Sarge security updates, more
> than a month later? I know there's a "good reason," but in my few years
> of using Debian I have always run unstable.

It is, version 2.15-1.1, you just missed it.

We don't upload new upstream versions to stable to fix security holes.
Where we can we just backport the fix. This is so as not to cause
knock-on problems introduced in new versions.

In the case of bluez-utils, this is exactly what was done -- see
http://packages.debian.org/stable/admin/bluez-utils
http://packages.debian.org/changelogs/pool/main/b/bluez-utils/bluez-utils_2.15-1.1/changelog

I would not have closed the bug if the fix hadn't gone in.

-- Edd
