
bluez-utils: Bluetooth device name validation vulnerability

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200508-09 / bluez-utils
Release Date: August 17, 2005
Latest Revision: August 17, 2005: 01
Impact: high
Exploitable: remote

Package: net-wireless/bluez-utils
Vulnerable versions: < 2.19
Unaffected versions: >= 2.19
Architecture(s): All supported architectures

Related bugreports: #101557

Synopsis

Improper validation of Bluetooth device names can lead to arbitrary command execution.

2.  Impact Information

Background

bluez-utils are the utilities for use with the BlueZ implementation of the Bluetooth wireless standards for Linux.

Description

The name of a Bluetooth device is improperly validated by the hcid utility when a remote device attempts to pair itself with a computer.

Impact

An attacker could create a malicious device name on a Bluetooth device resulting in arbitrary commands being executed as root upon attempting to pair the device with the computer.
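The advisory does not spell out the mechanism. The following added example (not code from bluez-utils or from this advisory) assumes the usual form of this bug class, where a remote-supplied name is pasted into a helper's command line and run through a shell, and shows the shell-free alternative. The names run_helper and name_is_plain, the strict printable-ASCII policy and the helper path are hypothetical.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define BT_NAME_MAX 248 /* Bluetooth device names are at most 248 bytes */

/* 1 if the remote-supplied name is non-empty, within the length limit and
 * printable ASCII only (no control bytes); a deliberately strict policy. */
int name_is_plain(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > BT_NAME_MAX)
        return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)name[i] < 0x20 || (unsigned char)name[i] > 0x7e)
            return 0;
    return 1;
}

/* Shell-free stand-in for popen("<helper> <bdaddr> <name>", "r"): the name is
 * one argv element, so the helper receives it byte for byte, uninterpreted.
 * Copies helper output into out; returns its exit status, or -1 on error. */
int run_helper(const char *helper, const char *bdaddr, const char *name,
               char *out, size_t outlen)
{
    int fds[2], status;
    if (outlen == 0 || !name_is_plain(name) || pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        char *const argv[] = { (char *)helper, (char *)bdaddr, (char *)name, NULL };
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) >= 0)
            execv(helper, argv);        /* no shell is involved */
        _exit(127);                     /* dup2 or exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t r;
    while (used < outlen - 1 && (r = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the name is never parsed by a shell, the validation only has to enforce length and character policy; it does not need to enumerate metacharacters.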

3.  Resolution Information

Workaround

There are no known workarounds at this time.

Resolution

All bluez-utils users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/bluez-utils-2.19"

4.  References




Page updated August 17, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address


Copyright 2001-2014 Gentoo Foundation, Inc.