| Message ID | 20201015180628.GB14732@duo.ucw.cz (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
| Series | Bluetooth CVEs deciphered? | expand |
Hi! > I believe Google has good information which CVE corresponds to which > patch, and I used that to improve cip-kernel-sec. Result is here. Can > you take a look before I start fighting yml? I believe I indentified the other 2 fixes, too. Here's updated diff. Best regards, Pavel diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml index 63f8b60..a28487e 100644 --- a/issues/CVE-2020-12351.yml +++ b/issues/CVE-2020-12351.yml @@ -1,37 +1,14 @@ -description: INTEL-SA-00435 +description: | + A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c. +advisory: | references: -- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html -comments: - debian/carnil: |- - CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three - issues covered by a set of commits/patches sent upstream but - there is no clear association from the CVEs to the commits. So - duplicate this entry for now to all three CVEs. - The commits are: - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/ - which are not yet in mainline, and - a2ec905d1e16 ("Bluetooth: fix kernel oops in - store_pending_adv_report") which is in 5.8 (and which was - backported to 5.7.13, 5.4.56 and 4.19.137). - The "fixed version" information in INTEL-SA-00435 is thus as - well contradictory as it mentions the issue to be fixed in 5.9 - or later. - wens: |- - The four patches are already in net-next as of 2020-10-14 and should hit - mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not - initializing all members") fixes commits going all the way back to - 3.6, when A2MP was added. - Regarding the culprit commits, the first commit is fixed by a2ec905d1e16 - ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next - nine are the various "not fully initialized stack variables"; the last - two are the sk_filter and BT_HS ones, respectfully. + https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq +aliases: + GHSA-h637-c88j-47wq introduced-by: - mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4, - a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7, - 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d, - aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa, - 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a, - dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f] + mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31 + + (no Fixed: tag matching dbb50887c8 in -next). + +Probably this fixes it? + f19425641cb2572a33cb074d5e30283720bd4d22 .. yep. \ No newline at end of file diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml index 63f8b60..64b731d 100644 --- a/issues/CVE-2020-12352.yml +++ b/issues/CVE-2020-12352.yml @@ -1,37 +1,19 @@ -description: INTEL-SA-00435 +description: | + BadChoice: Stack-Based Information Leak (BleedingTooth) + A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c. +advisory: | references: -- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html -comments: - debian/carnil: |- - CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three - issues covered by a set of commits/patches sent upstream but - there is no clear association from the CVEs to the commits. So - duplicate this entry for now to all three CVEs. - The commits are: - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/ - which are not yet in mainline, and - a2ec905d1e16 ("Bluetooth: fix kernel oops in - store_pending_adv_report") which is in 5.8 (and which was - backported to 5.7.13, 5.4.56 and 4.19.137). - The "fixed version" information in INTEL-SA-00435 is thus as - well contradictory as it mentions the issue to be fixed in 5.9 - or later. - wens: |- - The four patches are already in net-next as of 2020-10-14 and should hit - mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not - initializing all members") fixes commits going all the way back to - 3.6, when A2MP was added. - Regarding the culprit commits, the first commit is fixed by a2ec905d1e16 - ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next - nine are the various "not fully initialized stack variables"; the last - two are the sk_filter and BT_HS ones, respectfully. + https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq +aliases: + GHSA-7mh3-gq28-gfrq introduced-by: - mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4, - a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7, - 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d, - aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa, - 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a, - dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f] + mainline: + 47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6 + 8e2a0d92c56ec6955526a8b60838c9b00f70540d ? +fixed-by: + probably this: eddb7732119d53400f48a02536a84c509692faa8 + +Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Date: Thu Aug 6 11:17:11 2020 -0700 + + \ No newline at end of file diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml index 63f8b60..8fe3617 100644 --- a/issues/CVE-2020-24490.yml +++ b/issues/CVE-2020-24490.yml @@ -1,37 +1,25 @@ -description: INTEL-SA-00435 +description: | + BadVibes: Heap-Based Buffer Overflow (BleedingTooth) + A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c. +advisory: | + references: -- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html + https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 +aliases: + GHSA-ccx2-w2r4-x649 comments: - debian/carnil: |- - CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three - issues covered by a set of commits/patches sent upstream but - there is no clear association from the CVEs to the commits. So - duplicate this entry for now to all three CVEs. - The commits are: - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/ - which are not yet in mainline, and - a2ec905d1e16 ("Bluetooth: fix kernel oops in - store_pending_adv_report") which is in 5.8 (and which was - backported to 5.7.13, 5.4.56 and 4.19.137). - The "fixed version" information in INTEL-SA-00435 is thus as - well contradictory as it mentions the issue to be fixed in 5.9 - or later. - wens: |- - The four patches are already in net-next as of 2020-10-14 and should hit - mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not - initializing all members") fixes commits going all the way back to - 3.6, when A2MP was added. - Regarding the culprit commits, the first commit is fixed by a2ec905d1e16 - ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next - nine are the various "not fully initialized stack variables"; the last - two are the sk_filter and BT_HS ones, respectfully. + Pavel Machek: + This actually looks like most severe from the recent bluetooth stuff. + + Fix is not one-liner but also not scary. Adds checking at expected places. introduced-by: - mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4, - a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7, - 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d, - aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa, - 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a, - dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f] + mainline: + c215e9397b00b3045a668120ed7dbd89f2866e74 + b2cc9761f144e8ef714be8c590603073b80ddc13 +fixed-by: + mainline: + a2ec905d1e160a33b2e210e45ad30445ef26ce0e + 4.19: + 5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c + -- needs to be backported to 4.4? + \ No newline at end of file
diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml index 63f8b60..b7f519b 100644 --- a/issues/CVE-2020-12351.yml +++ b/issues/CVE-2020-12351.yml @@ -1,37 +1,9 @@ -description: INTEL-SA-00435 +description: | + A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c. +advisory: | references: -- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html -comments: - debian/carnil: |- - CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three - issues covered by a set of commits/patches sent upstream but - there is no clear association from the CVEs to the commits. So - duplicate this entry for now to all three CVEs. - The commits are: - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/ - which are not yet in mainline, and - a2ec905d1e16 ("Bluetooth: fix kernel oops in - store_pending_adv_report") which is in 5.8 (and which was - backported to 5.7.13, 5.4.56 and 4.19.137). - The "fixed version" information in INTEL-SA-00435 is thus as - well contradictory as it mentions the issue to be fixed in 5.9 - or later. - wens: |- - The four patches are already in net-next as of 2020-10-14 and should hit - mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not - initializing all members") fixes commits going all the way back to - 3.6, when A2MP was added. - Regarding the culprit commits, the first commit is fixed by a2ec905d1e16 - ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next - nine are the various "not fully initialized stack variables"; the last - two are the sk_filter and BT_HS ones, respectfully. + https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq +aliases: + GHSA-h637-c88j-47wq introduced-by: - mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4, - a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7, - 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d, - aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa, - 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a, - dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f] + mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31 diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml index 63f8b60..372e3ce 100644 --- a/issues/CVE-2020-12352.yml +++ b/issues/CVE-2020-12352.yml @@ -1,37 +1,13 @@ -description: INTEL-SA-00435 +description: | + BadChoice: Stack-Based Information Leak (BleedingTooth) + A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c. +advisory: | references: -- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html -comments: - debian/carnil: |- - CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three - issues covered by a set of commits/patches sent upstream but - there is no clear association from the CVEs to the commits. So - duplicate this entry for now to all three CVEs. - The commits are: - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/ - which are not yet in mainline, and - a2ec905d1e16 ("Bluetooth: fix kernel oops in - store_pending_adv_report") which is in 5.8 (and which was - backported to 5.7.13, 5.4.56 and 4.19.137). - The "fixed version" information in INTEL-SA-00435 is thus as - well contradictory as it mentions the issue to be fixed in 5.9 - or later. - wens: |- - The four patches are already in net-next as of 2020-10-14 and should hit - mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not - initializing all members") fixes commits going all the way back to - 3.6, when A2MP was added. - Regarding the culprit commits, the first commit is fixed by a2ec905d1e16 - ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next - nine are the various "not fully initialized stack variables"; the last - two are the sk_filter and BT_HS ones, respectfully. + https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq +aliases: + GHSA-7mh3-gq28-gfrq introduced-by: - mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4, - a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7, - 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d, - aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa, - 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a, - dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f] + mainline: + 47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6 + 8e2a0d92c56ec6955526a8b60838c9b00f70540d +fixed-by: \ No newline at end of file diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml index 63f8b60..8fe3617 100644 --- a/issues/CVE-2020-24490.yml +++ b/issues/CVE-2020-24490.yml @@ -1,37 +1,25 @@ -description: INTEL-SA-00435 +description: | + BadVibes: Heap-Based Buffer Overflow (BleedingTooth) + A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c. +advisory: | + references: -- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html + https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 +aliases: + GHSA-ccx2-w2r4-x649 comments: - debian/carnil: |- - CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three - issues covered by a set of commits/patches sent upstream but - there is no clear association from the CVEs to the commits. So - duplicate this entry for now to all three CVEs. - The commits are: - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/ - https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/ - which are not yet in mainline, and - a2ec905d1e16 ("Bluetooth: fix kernel oops in - store_pending_adv_report") which is in 5.8 (and which was - backported to 5.7.13, 5.4.56 and 4.19.137). - The "fixed version" information in INTEL-SA-00435 is thus as - well contradictory as it mentions the issue to be fixed in 5.9 - or later. - wens: |- - The four patches are already in net-next as of 2020-10-14 and should hit - mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not - initializing all members") fixes commits going all the way back to - 3.6, when A2MP was added. - Regarding the culprit commits, the first commit is fixed by a2ec905d1e16 - ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next - nine are the various "not fully initialized stack variables"; the last - two are the sk_filter and BT_HS ones, respectfully. + Pavel Machek: + This actually looks like most severe from the recent bluetooth stuff. + + Fix is not one-liner but also not scary. Adds checking at expected places. introduced-by: - mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4, - a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7, - 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d, - aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa, - 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a, - dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f] + mainline: + c215e9397b00b3045a668120ed7dbd89f2866e74 + b2cc9761f144e8ef714be8c590603073b80ddc13 +fixed-by: + mainline: + a2ec905d1e160a33b2e210e45ad30445ef26ce0e + 4.19: + 5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c + -- needs to be backported to 4.4? + \ No newline at end of file