New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable


ESP_Sprite
Posts: 9761
Joined: Thu Nov 26, 2015 4:08 am

Re: New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

Postby ESP_Sprite » Thu Sep 09, 2021 4:50 am

No need to wait on the esp-idf side of things, we already have fixes, as indicated in our advisory on the matter.

axellin
Posts: 200
Joined: Mon Sep 17, 2018 9:09 am

Re: New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

Postby axellin » Thu Sep 09, 2021 4:59 am

ESP_Sprite wrote:
Thu Sep 09, 2021 4:50 am
No need to wait on the esp-idf side of things, we already have fixes, as indicated in our advisory on the matter.
I don't get it.
The fix is just comments?
https://github.com/espressif/esp-idf/co ... d7be653471

ESP_Sprite
Posts: 9761
Joined: Thu Nov 26, 2015 4:08 am

Re: New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

Postby ESP_Sprite » Thu Sep 09, 2021 5:42 am

My guess is that that is simply the final commit of a series that have solved this issue, but I'm not sure; let me ask the dev responsible.

Edit: Looks like it; this one is related and does have actual code changes.

axellin
Posts: 200
Joined: Mon Sep 17, 2018 9:09 am

Re: New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

Postby axellin » Thu Sep 09, 2021 1:21 pm

I misread the advisory document and thought the commit id is the fix.
It actually means all fixes are included if you sync to that commit id.

BTW, it would be helpful if the developers can add the fixed CVE numbers in commit log in the future.
(Especially for closed source library, it's difficult to know if a CVE is fixed or not).

ESP_Sprite
Posts: 9761
Joined: Thu Nov 26, 2015 4:08 am

Re: New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

Postby ESP_Sprite » Fri Sep 10, 2021 1:10 am

axellin wrote:
Thu Sep 09, 2021 1:21 pm
BTW, it would be helpful if the developers can add the fixed CVE numbers in commit log in the future.
(Especially for closed source library, it's difficult to know if a CVE is fixed or not).
I agree with you there; I've internally passed the request on to the relevant teams.

mendesgeo
Posts: 7
Joined: Sun Dec 06, 2020 12:31 pm

Re: New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

Postby mendesgeo » Fri Sep 24, 2021 4:38 am

Hi, the specific commit which fixes all BrakTooth BT issues on ESP32 is this one:
https://github.com/espressif/esp-idf/co ... 598d9fc172

Who is online

Users browsing this forum: Gaston1980 and 114 guests