Arch Linux Security Advisory ASA-201709-3 ========================================= Severity: High Date : 2017-09-12 CVE-ID : CVE-2017-1000250 Package : bluez Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-396 Summary ======= The package bluez before version 5.46-2 is vulnerable to information disclosure. Resolution ========== Upgrade to 5.46-2. # pacman -Syu "bluez>=5.46-2" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. Impact ====== A remote attacker is able to use a specially crafted Bluetooth device to obtain sensitive information such as Bluetooth encryption keys. References ========== https://bugs.archlinux.org/task/55603 https://www.armis.com/blueborne/ http://pkgs.fedoraproject.org/cgit/rpms/bluez.git/plain/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch https://security.archlinux.org/CVE-2017-1000250