| Name | CVE-2020-0556 |
| Description | Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2240-1, DSA-4647-1 |
| Debian Bugs | 953770 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| bluez (PTS) | jessie, jessie (lts) | 5.43-2+deb9u2~deb8u6 | fixed |
| stretch (security) | 5.43-2+deb9u5 | fixed |
| stretch (lts), stretch | 5.43-2+deb9u8 | fixed |
| buster, buster (lts) | 5.50-1.2~deb10u6 | fixed |
| buster (security) | 5.50-1.2~deb10u5 | fixed |
| bullseye | 5.55-3.1+deb11u1 | fixed |
| bullseye (security) | 5.55-3.1+deb11u2 | fixed |
| bookworm | 5.66-1+deb12u2 | fixed |
| bookworm (security) | 5.66-1+deb12u1 | fixed |
| sid, trixie | 5.77-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
Second commit introduces new configuration option "ClassicBondedOnly" which defaults
to false, and allows to make sure that input connections only come from bonded
device connections.
Followup commits to avoid (functional) regression:
Followup: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
Followup: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e