Ubuntu
bluez package

[CVE-2008-2374] Vulnerability in the SDP client functionality in BlueZ

Bug #246819 reported by Till Ulen
254
Affects Status Importance Assigned to Milestone
bluez (Ubuntu)
Fix Released
Low
Unassigned
bluez-utils (Ubuntu)
Invalid
Low
Unassigned

Bug Description

CVE-2008-2374 description:

"src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2374

CVE References

Revision history for this message
Philipp Dreimann (philipp-dreimann) wrote :

is someone working on this package or why does nothing happen?

Revision history for this message
Kees Cook (kees) wrote :

This is considered a low priority issue, and will be worked on when other bluez issues collect, or time allows.

Changed in bluez-utils:
importance: Undecided → Low
status: New → Confirmed
Changed in bluez-libs:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
Mario Limonciello (superm1) wrote :

BlueZ 4.x is in Intrepid and includes these fixes..

bluez (4.12-0ubuntu1) intrepid; urgency=low

  * Initial Release. (LP: #274950)
    - This package replaces bluez-utils and bluez-libs source packages.
    - It was generated by merging the contents of bluez-utils and bluez-libs
      and updating content.
    - Legacy functionality for hidd, dund, and pand are not present, and
      have been removed from all configuration files.
  * This release introduces encryption (LP: #182191)
  * debian/patches:
    - bluez-utils-oui-usage.patch was borrowed from the Fedora 10 packaging.
    - sco-connect-git.patch was taken from bluez git shortly after 4.12 release.
      It should "help" with some sco headset issues.
  * debian/control:
    - Update different packages per upstream's recommendations.
    - Update conflicts/replaces for earlier packages.
    - Add a transitional bluez-utils package to help with the transition.

 -- Mario Limonciello < <email address hidden>> Tue, 07 Oct 2008 12:10:29 -0500

Changed in bluez-libs:
status: Confirmed → Fix Released
Changed in bluez-utils:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.