UBUNTU-CVE-2019-8922

Source
https://ubuntu.com/security/CVE-2019-8922
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-8922.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-8922
Related
Published
2021-11-29T08:15:00Z
Modified
2024-10-15T14:07:19Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in serviceattrreq gets called by process_request (in sdpd-request.c), which also allocates the response buffer.

References

Affected packages

Ubuntu:Pro:16.04:LTS / bluez

Package

Name
bluez
Purl
pkg:deb/ubuntu/bluez?arch=src?distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.35-0ubuntu2
5.36-0ubuntu1
5.37-0ubuntu5
5.37-0ubuntu5.1
5.37-0ubuntu5.3
5.37-0ubuntu5.3+esm1
5.37-0ubuntu5.3+esm2
5.37-0ubuntu5.3+esm3
5.37-0ubuntu5.3+esm4

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:18.04:LTS / bluez

Package

Name
bluez
Purl
pkg:deb/ubuntu/bluez?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.48-0ubuntu3.7

Affected versions

5.*

5.46-0ubuntu3
5.46-0ubuntu4
5.48-0ubuntu3
5.48-0ubuntu3.1
5.48-0ubuntu3.2
5.48-0ubuntu3.3
5.48-0ubuntu3.4
5.48-0ubuntu3.5
5.48-0ubuntu3.6

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "bluetooth"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "bluez"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "bluez-cups"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "bluez-dbg"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "bluez-hcidump"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "bluez-obexd"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "bluez-tests"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "libbluetooth-dev"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "libbluetooth3"
        },
        {
            "binary_version": "5.48-0ubuntu3.7",
            "binary_name": "libbluetooth3-dbg"
        }
    ]
}

Ubuntu:20.04:LTS / bluez

Package

Name
bluez
Purl
pkg:deb/ubuntu/bluez?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.53-0ubuntu3

Affected versions

5.*

5.50-0ubuntu4
5.51-0ubuntu1
5.51-0ubuntu2
5.52-0ubuntu1
5.52-0ubuntu2
5.53-0ubuntu1
5.53-0ubuntu2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "bluetooth"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "bluez"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "bluez-cups"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "bluez-dbg"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "bluez-hcidump"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "bluez-obexd"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "bluez-tests"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "libbluetooth-dev"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "libbluetooth3"
        },
        {
            "binary_version": "5.53-0ubuntu3",
            "binary_name": "libbluetooth3-dbg"
        }
    ]
}