Bug#303501: CAN-2005-0750: Bluetooth root exploit due to boundary checking

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#303501: CAN-2005-0750: Bluetooth root exploit due to boundary checking
From: "Geoff Crompton" <geoffc@strategicdata.com.au>
Date: Thu, 07 Apr 2005 13:08:21 +1000
Message-id: <[🔎] 20050407030822.1847CC000D48@sd01.mel.strategicdata.com.au>
Reply-to: "Geoff Crompton" <geoffc@strategicdata.com.au>, 303501@bugs.debian.org

Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: critical
Justification: root security hole

USN-103-1 says this:
> Ilja van Sprundel discovered that the bluez_sock_create() function did
> not check its "protocol" argument for negative values. A local
> attacker could exploit this to execute arbitrary code with root
> privileges by creating a Bluetooth socket with a specially crafted
> protocol number. (CAN-2005-0750) 

It's fixed in 2.6.11.6, and the relevant diff can be seen:
http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fincr%2Fpatch-2.6.11.5-6.bz2;z=6

Reply to:

Prev by Date: Bug#303498: CAN-2005-0749: Elf Binary Loading Local DoS
Next by Date: Re: debian-installer and kernel status (pre- and post-sarge) on sparc
Previous by thread: Bug#303498: CAN-2005-0749: Elf Binary Loading Local DoS
Next by thread: Bug#295422: e2fsprogs for Sarge
Index(es):
- Date
- Thread