[security][solved] Can we get BlueBorne (Bluetooth vulnerabilities) fixed in OTA-2 or OTA-1 hotfix?

Talkless

Here's some news link:

https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/

Ubuntu CVE pages:

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000251.html

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000250.html

flohack

To be honest: We cannot do this so fast. We are a small team, and the patches we are talking here about need to be backported probably, which creates chance to introduce new errors, or in worst case new security flaws. The CVE 250 is fixed in Bluez, which means we could try to upgrade to a newer version in the same moment.

The CVE 251 is a kernel patch, which is really painful, we would need to backport it to various 3.x kernel versions, which are all more or less end of life already. maybe someone can take a look if Android is backporting this for the older devices.

Until we want to delay OTA-2 further to an unknown date I suggest releasing it without these patches, and make a hotfix later.

BR

Marathon2422

@Flohack I am with you,on the not delaying part,I am near retirement,I want to see you guys take over the world before ~~~~~

vandys

@Flohack FYI, probably just got attacked at the local Cafe. Turned on BT for my external keyboard, but keyboard typing was locked up, then an authentication dialog box popped up. I shut the device down ASAP, will do a clean install since God knows what got scribbled.

No BT in public for me until this is fixed!

vandys

Ok, I've studied the CVE and the patches, and I'm pretty sure I can get this applied for the kernel source net/bluetooth/l2cap_core.c, at least on hammerhead. I can take a similar look if somebody can tell me how to check out the source which includes src/sdpd-request.c.

UniSuperBox

This issue has already been fixed in the hammerhead kernel via this commit. I believe a pull from the upstream Fairphone kernel fixed it, too, but I'll need to get confirmation.

This fix has not been released to anything but the devel channel.

Talkless

From Community Update 15:

People have been asking about the KRACK and BlueBorne vulnerabilities lately, and for good reason. These are highly public explots. Both have been fixed in the RC and Devel channels, with the fixes landing in Stable with the next OTA.

Lakotaubp

@Talkless Are they todays OTA's or future ones. Thanks

Talkless

@Lakota said in [security][solved] Can we get BlueBorne (Bluetooth vulnerabilities) fixed in OTA-2 or OTA-1 hotfix?:

@Talkless Are they todays OTA's or future ones. Thanks

"next OTA", the future one.

Lakotaubp

@Talkless Thanks for clearing that up. Wasn't sure only read your comments after yesterday OT A's.

Talkless

@Lakota said in [security][solved] Can we get BlueBorne (Bluetooth vulnerabilities) fixed in OTA-2 or OTA-1 hotfix?:

@Talkless Thanks for clearing that up. Wasn't sure only read your comments after yesterday OT A's.

Uhm, what do you mean "after yesterday OT A's" ?

It will be fixed on OTA-3, if I understood correctly, which is not yet released AFAIK.

Lakotaubp

@Talkless Had forgotten mine are now on RC channel not stable and updated to r14 yesterday. Or am I getting mixed up with things and OTA's.