CVE-2019-8922
https://notcve.org/view.php?id=CVE-2019-8922
A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. • https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html https://security.netapp.com/advisory/ntap-20211203-0002 https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow • CWE-787: Out-of-bounds Write •
CVE-2019-8921
https://notcve.org/view.php?id=CVE-2019-8921
An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same. • https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html https://security.netapp.com/advisory/ntap-20211203-0002 https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2021-3658
https://notcve.org/view.php?id=CVE-2021-3658
bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers. bluetoothd de bluez guarda incorrectamente el estado Discoverable de los adaptadores cuando es apagado un dispositivo, y lo restaura cuando es encendido. Si un dispositivo es apagado mientras es detectado, será detectado cuando es encendido de nuevo. Esto podría conllevar a una exposición inadvertida de la pila bluetooth a atacantes físicamente cercanos • https://bugzilla.redhat.com/show_bug.cgi?id=1984728 https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8beb8f89ca1c359c54ad67ec843055 https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055 https://gitlab.gnome.org/GNOME/gnome-bluetooth/-/issues/89 https://security.netapp.com/advisory/ntap-20220407-0002 • CWE-863: Incorrect Authorization •
CVE-2021-41229 – Memory leak in BlueZ
https://notcve.org/view.php?id=CVE-2021-41229
BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash. BlueZ es una pila de protocolos Bluetooth para Linux. • https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq https://lists.debian.org/debian-lts-announce/2021/11/msg00022.html https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html https://security.netapp.com/advisory/ntap-20211203-0004 https://access.redhat.com/security/cve/CVE-2021-41229 https://bugzilla.redhat.com/show_bug.cgi?id=2025034 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2021-43400
https://notcve.org/view.php?id=CVE-2021-43400
An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call. Se ha detectado un problema en el archivo gatt-database.c en BlueZ versión 5.61. Puede producirse un uso de memoria previamente liberada cuando un cliente se desconecta durante el procesamiento de D-Bus de una llamada WriteValue • https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8 https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html • CWE-416: Use After Free •