[Expired for bluez (Ubuntu) because there has been no activity for 60 days.]
** Changed in: bluez (Ubuntu)
   Status: Incomplete => Expired

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1102700

Title:
  bluetoothd crash when parsing invalid HIDP SDP record

Status in bluez package in Ubuntu:
  Expired

Bug description:
  If a remote Bluetooth device contains HIDP SDP records in a specific invalid format, it is possible to crash BlueZ with SIGSEGV due to invalid memory reads, either by buffer overflow due to improper strncpy() usage or usage of arbitrary input as pointer.

  The several patches that address this problem are already upstream and are present on the 5.1 release. These are the commits (some are cosmetic but required to avoid conflicts of next patches):

  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=21acf2283cacf0c029f2cea82380f4744a1dbcb5
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=df29632772171d5fd0e71c518fc3753adb11d0c0
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=fce691bd0bd08710ffd379025e894bcffaa5acb6
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=90228fc151bac5f19b2d21c18d51ef90f3b0d1b5
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=0f8aca093099d4fc693adc6270b9b0bd02287017
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=ce376961fb3a667ef35360c222bc3928d4657f4b
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=b41a46ef4c2bd9dc30998c6726ab6232a299c8e8
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=0305cfa11a06dea356f699a46da96f7146210466
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=5ba183dc82b4e8a1b3caa58648d6ac02b9325cb6
  http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=a35f83e113c1c58dd1c6cf8bda2b1bf99d07a695

  A patch backported from the above commits to the current BlueZ version on 12.04.1 LTS is attached. It was tested only on precise, but should apply just fine on more recent releases. Let me know if you need specific versions of this patch.
  I will also attach a script that reproduces the crash using an emulated BT dongle. Usage instructions are at https://github.com/lizardo/bluez-tests/blob/master/README.rst

  NOTE: I tried to send a report which includes the crash information using apport-bug, but it did not seem to create a bug report here after 2 days.
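The description names two defect classes without showing code: a copy whose bound comes from the untrusted record rather than the destination (the strncpy() misuse), and an untrusted value used directly to select a pointer. The following is an added, self-contained C illustration of both patterns and their hardened counterparts; it is not code from the bug report, the attached patch, or BlueZ, and the record layout (one length byte followed by name bytes), the `NAME_MAX` buffer size, the `parse_name` and `kind_name` functions and the sample records are all constructed for this example and do not reflect the real SDP encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination buffer (assumption for the example) */

/* Toy record layout, constructed for this example (NOT the real SDP wire
 * format): byte 0 is a length, followed by that many bytes of name. */

/* Defective pattern, kept only as documentation of the bug class; nothing in
 * this file calls it. The length taken from the record is used as the copy
 * bound, so a record that claims more than NAME_MAX bytes writes past dst,
 * and strncpy() leaves dst unterminated whenever src fills the bound. */
void copy_name_unsafe(char *dst, const uint8_t *rec)
{
    size_t len = rec[0];
    strncpy(dst, (const char *)rec + 1, len);   /* overflow when len > NAME_MAX */
}

/* Hardened version: the claimed length is checked against both the bytes
 * actually present in the record and the destination size, the copy is an
 * exact memcpy(), and the terminator is written explicitly.
 * Returns 0 on success, -1 when the record is rejected. */
int parse_name(const uint8_t *rec, size_t rec_len, char dst[NAME_MAX])
{
    if (rec == NULL || rec_len < 1)
        return -1;
    size_t len = rec[0];
    if (len > rec_len - 1)          /* claims more bytes than the record holds */
        return -1;
    if (len > NAME_MAX - 1)         /* would not fit together with the NUL */
        return -1;
    memcpy(dst, rec + 1, len);
    dst[len] = '\0';
    return 0;
}

/* Second class from the report: an untrusted value selecting a pointer.
 * Here a one-byte "kind" indexes a table of strings; the bounds check turns
 * an out-of-table value into a rejection instead of an arbitrary read. */
static const char *const kind_names[] = { "keyboard", "mouse", "gamepad" };
#define KIND_COUNT (sizeof kind_names / sizeof kind_names[0])

const char *kind_name(uint8_t kind)
{
    if (kind >= KIND_COUNT)
        return NULL;
    return kind_names[kind];
}

/* Constructed sample records (not captured from a real device). */
static const uint8_t good_rec[]  = { 5, 'M', 'o', 'u', 's', 'e' };
static const uint8_t lying_rec[] = { 200, 'M', 'o', 'u', 's', 'e' }; /* claims 200, holds 5 */

/* Each check returns 1 when the parser behaved as intended. */
int check_well_formed(void)
{
    char buf[NAME_MAX];
    return parse_name(good_rec, sizeof good_rec, buf) == 0 && strcmp(buf, "Mouse") == 0;
}

int check_length_exceeds_record(void)
{
    char buf[NAME_MAX];
    return parse_name(lying_rec, sizeof lying_rec, buf) == -1;
}

int check_length_exceeds_destination(void)
{
    uint8_t rec[1 + 30];            /* consistent record, but 30 > NAME_MAX - 1 */
    char buf[NAME_MAX];
    rec[0] = 30;
    memset(rec + 1, 'A', 30);
    return parse_name(rec, sizeof rec, buf) == -1;
}

int main(void)
{
    printf("well-formed record accepted:      %d\n", check_well_formed());
    printf("length beyond record rejected:    %d\n", check_length_exceeds_record());
    printf("length beyond dest rejected:      %d\n", check_length_exceeds_destination());
    printf("kind 1 -> %s, kind 7 -> %s\n", kind_name(1), kind_name(7) ? kind_name(7) : "(rejected)");
    return 0;
}
```

The two rejections in `parse_name` are the checks a reviewer would look for when auditing any record parser: one bound against the data actually received, one against the buffer being written, and an explicit terminator so a later string function cannot run past the buffer. The same shape applies to the table lookup, where the check is against the table size rather than a buffer length.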