
[SRU,T/X/B/C/D,0/1] CVE-2019-3460 - Heap data infoleak in multiple locations including function l2cap_parse_conf_rsp

Message ID 20190219122746.4197-1-kai.heng.feng@canonical.com

Message

Kai-Heng Feng Feb. 19, 2019, 12:27 p.m. UTC
The L2CAP config octet length other than 1, 2 and 4 will be used as a
pointer.
To avoid being tricked into a pointer, always check its length.

For Trusty, another commit is cherry-picked as a dependency. The commit
has a CVE number, but somehow it's not in the CVE Matrix. Xenial forward
doesn't need the patch.

Marcel Holtmann (1):
  Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

 net/bluetooth/l2cap_core.c | 77 +++++++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 31 deletions(-)
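
The length check described in the cover letter, shown as an added userspace model in C (not the kernel patch and not code from this thread). `get_conf_opt` and `parse_mtu` are hypothetical names, the option bytes are constructed, and the MTU option (type 0x01, 2-octet value) is the one case modelled.

```c
#include <stddef.h>
#include <stdint.h>

#define CONF_MTU 0x01 /* L2CAP MTU option type; its value is 2 octets */

/* Decode one type/length/value option. Lengths 1, 2 and 4 yield an integer;
 * any other length yields the address of the value bytes, as the cover
 * letter describes. Returns bytes consumed, or 0 if the option is truncated. */
static size_t get_conf_opt(const uint8_t *p, size_t avail, uint8_t *type,
                           uint8_t *olen, uintptr_t *val)
{
    if (avail < 2 || avail - 2 < p[1])
        return 0;
    *type = p[0];
    *olen = p[1];
    const uint8_t *v = p + 2;
    switch (*olen) {
    case 1: *val = v[0]; break;
    case 2: *val = (uintptr_t)v[0] | (uintptr_t)v[1] << 8; break;
    case 4: *val = (uint32_t)v[0] | (uint32_t)v[1] << 8 |
                   (uint32_t)v[2] << 16 | (uint32_t)v[3] << 24; break;
    default: *val = (uintptr_t)v; break; /* a pointer, not a number */
    }
    return 2 + (size_t)*olen;
}

/* Walk the options and extract the MTU. With check_len set, an MTU option
 * whose length is not 2 is skipped. Returns 1 if an MTU was accepted. */
int parse_mtu(const uint8_t *buf, size_t len, int check_len, uint16_t *mtu)
{
    uint8_t type, olen;
    uintptr_t val;
    size_t n;
    while ((n = get_conf_opt(buf, len, &type, &olen, &val)) != 0) {
        buf += n;
        len -= n;
        if (type != CONF_MTU)
            continue;
        if (check_len && olen != 2)
            continue; /* wrong size: val would be an address */
        *mtu = (uint16_t)val; /* unchecked path: low bits of an address */
        return 1;
    }
    return 0;
}

/* Constructed samples: a well-formed MTU option (672) and one with length 3 */
static const uint8_t good_opt[] = { 0x01, 0x02, 0xA0, 0x02 };
static const uint8_t bad_opt[] = { 0x01, 0x03, 0xAA, 0xBB, 0xCC };
```

With `check_len` off, the length-3 option is accepted and the stored MTU is derived from an address rather than from the peer's bytes, which is the value that would later be echoed back in a response.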

Comments

Tyler Hicks Feb. 19, 2019, 4:39 p.m. UTC | #1
On 2019-02-19 20:27:43, Kai-Heng Feng wrote:
> For Trusty, another commit is cherry-picked as a dependency. The commit
> has a CVE number, but somehow it's not in the CVE Matrix.

The problem was that the ubuntu-cve-tracker had the wrong information
about the commit that fixed this CVE. I've adjusted the
ubuntu-cve-tracker and now it correctly shows that Trusty has not
received this CVE fix. Thanks for pointing this out!

Tyler