New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

[axellin]

Hi,

FYI:
https://thehackernews.com/2021/09/new-b ... ns-of.html
https://asset-group.github.io/disclosures/braktooth/

Looking forward the fixes ASAP.

[ESP_Sprite]

No need to wait on the esp-idf side of things, we already have fixes, as indicated in our advisory on the matter.

[axellin]

No need to wait on the esp-idf side of things, we already have fixes, as indicated in our advisory on the matter.

I don't get it.
The fix is just comments?
https://github.com/espressif/esp-idf/co ... d7be653471

[ESP_Sprite]

My guess is that that is simply the final commit of a series that have solved this issue, but I'm not sure; let me ask the dev responsible.

Edit: Looks like it; this one is related and does have actual code changes.

[axellin]

I misread the advisory document and thought the commit id is the fix.
It actually means all fixes are included if you sync to that commit id.

BTW, it would be helpful if the developers can add the fixed CVE numbers in commit log in the future.
(Especially for closed source library, it's difficult to know if a CVE is fixed or not).

[ESP_Sprite]

BTW, it would be helpful if the developers can add the fixed CVE numbers in commit log in the future.
(Especially for closed source library, it's difficult to know if a CVE is fixed or not).

I agree with you there; I've internally passed the request on to the relevant teams.

[mendesgeo]

Hi, the specific commit which fixes all BrakTooth BT issues on ESP32 is this one:
https://github.com/espressif/esp-idf/co ... 598d9fc172