|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
.Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.
Affected Products:
All Linux kernel versions that support BlueZ.
For those who don’t know, BlueZ is the Linux Bluetooth stack.
cheers, Paul
another article dated the day after the intel warning over on ZDNet
Intel recommends updating to Linux kernel 5.9 to mitigate a serious flaw Google found in the Linux Bluetooth stack
From personal experience with linux distro’s, I’m sure Bluez is sometimes tied in with the device sound distro/ developer dependant
From personal experience with linux distro’s, I’m sure Bluez is sometimes tied in with the device sound distro/ developer dependant
That’s because bluetooth devices can act as audio sources or sinks. If you do not make a bluetooth connection, these bits of the audio stack are not used.
According to the ZDNet article, the attacker needs to be within bluetooth range and to know the bluetooth device address to be able to send specially crafted packets to be able to exploit this. If the radio is off, that can’t happen. IOW, you should be fine if bluetooth is disabled.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
The ZDnet article also has a silly line that says,
BleedingTooth affects Linux kernel versions 5.8 and higher but not Linux 5.9 and higher.
So yeah, that’s at least somewhat wrong. The Google security folks seem to be a bit more on target, they say it’s from 4.8 onwards.
The fixes have been backported, Ubuntu has those in “proposed” state apparently right now, looks like 4.15.0-122 and 5.4.0-52 or newer in Ubuntu and derivatives will have the fix.
Intel recommends updating to Linux kernel 5.9
Intel has removed that line replacing it with “All Linux kernel versions that support BlueZ”
Its listed as installed. That’s a lot of vulnerable kernels since I’m running 4.15. But there’s no way I’m going to upgrade to 5.9. 5.9 isn’t even listed in “View Kernels”; the latest listed kernel is 5.4.
I got a notification the other day that there was a new 4.15 kernel available, but when I read the security descriptions there was no mention of Bluez or Bluetooth. Maybe I’ll just make sure Bluetooth is disabled.
I’m in the same boat with LM19.3 ‘Tricia’ on kernel 4.15.0.121 that’s supported to April 2023
I’ve moved back to this kernel to fix ipowersaving issues in 5.4.xxx and got system stability.
Have disabled blueberry and bluetooth OBEX Agent from startup (as this device has no bluetooth) and that was during installation six weeks ago.
I don’t use any Bluetooth devices and have Bluetooth disabled. Do I have to worry about this problem?
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
I don’t have any Bluetooth on the laptop I’m using either, but I checked and my 19.1, 32 bit install has the bluez things listed in the synaptic package manager. Can I just uninstall/remove these bluez items in synaptic package manager? I don’t see bluetooth in startup, and it’s already disabled.
I wouldn’t remove bluez, even if you don’t use it. (I’ve tried and it flagged up errors whilst testing)
Just disable blueberry and bluetooth OBEX Agent in
Control Centre/ startup applications/ then tick the ‘show hidden’ which will reveal these two options.
Edit: you can also go into Sytem Tools/ System monitor and open up the Processes tab
there in look for these processes, highlight/right click and kill it, so there is no need to restart.
? says:
patch will show up anytime now, last one(s) came along at the end of March (Upgraded the following packages:
bluez (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
bluez-cups (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
bluez-obexd (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
libbluetooth3 (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3)
meanwhile i’m listening\watching ad free youtube thanks to microfix…
Its listed as installed. That’s a lot of vulnerable kernels since I’m running 4.15. But there’s no way I’m going to upgrade to 5.9. 5.9 isn’t even listed in “View Kernels”; the latest listed kernel is 5.4.
This is a kernel-side vulnerability, applications can’t fix it, they can merely disable the trigger condition at most.
Looks like Ubuntu has fixed versions of 4.15, 5.4 and 5.8 branches in the testing pipe (“proposed”) right now… oh, there’s also at least one for 5.3 too…
Well, at least they aren’t jumping straight from build to wide release 
the eagle has landed…Linux Mint 19.3 kernel update 4.15.0-122.124
* CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490
– Bluetooth: Disable High Speed by default
– Bluetooth: MGMT: Fix not checking if BT_HS is enabled
– [Config] Disable BlueZ highspeed support* CVE-2020-12351
– Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel* CVE-2020-12352
– Bluetooth: A2MP: Fix not initializing all members
extract taken from:
http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.15.0-122.124/changelog
Well, I was just offered it for Mint 19.2 64 bit Cinnamon. So, Microfix and 19.3, me and 19.2, probably extrapolates to you and 19.1.
the eagle has landed…
Well, one of them.
Not seeing a 5.4 yet… oh, apparently being distributed to mirrors, guess it takes a few minutes. ( https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-52.57~18.04.1 “7 minutes ago”)
Yep, I just got it after doing an update check. So I think I’m good to go for now.
I’ve had the Bluetooth disabled always in Mint on any laptop that has internal Bluetooth radio capability but does Disabling Bluetooth also disable any Bluetooth discovery services as well?
Assuming everything is working properly, then yes, it would disable the discovery of bluetooth device by the laptop in question.
I’m always a little bit sketchy on saying that action A that is supposed to cause result B will cause result B, because sometimes things malfunction and don’t behave as they are meant to. There’s no special reason to think that’s the case here, only that I feel compelled to allow for that possibility.
I just received the update to kernel 5.4.0-52.57 in Neon as well.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Notifications
