guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: bluez: Add replacement to fix CVE-2017-1000250.


From: Mark H. Weaver
Subject: 01/01: gnu: bluez: Add replacement to fix CVE-2017-1000250.
Date: Wed, 13 Sep 2017 10:46:32 -0400 (EDT)

mhw pushed a commit to branch master
in repository guix.

commit 27236a43486b8fbb9d55d533e558165bab07d020
Author: Mark H Weaver <address@hidden>
Date:   Wed Sep 13 10:30:47 2017 -0400

    gnu: bluez: Add replacement to fix CVE-2017-1000250.
    
    * gnu/packages/patches/bluez-CVE-2017-1000250.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/linux.scm (bluez)[replacement]: New field.
    (bluez/fixed): New variable.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/linux.scm                            | 15 ++++++++
 gnu/packages/patches/bluez-CVE-2017-1000250.patch | 42 +++++++++++++++++++++++
 3 files changed, 58 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index c1bc391..1f55e52 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -536,6 +536,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/binutils-ld-new-dtags.patch             \
   %D%/packages/patches/binutils-loongson-workaround.patch      \
   %D%/packages/patches/blast+-fix-makefile.patch               \
+  %D%/packages/patches/bluez-CVE-2017-1000250.patch            \
   %D%/packages/patches/byobu-writable-status.patch             \
   %D%/packages/patches/cairo-CVE-2016-9082.patch                       \
   %D%/packages/patches/calibre-no-updates-dialog.patch         \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 22f22c0..28a5e5b 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3013,6 +3013,7 @@ Bluetooth audio output devices like headphones or 
loudspeakers.")
   (package
     (name "bluez")
     (version "5.45")
+    (replacement bluez/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -3074,6 +3075,20 @@ Bluetooth audio output devices like headphones or 
loudspeakers.")
 is flexible, efficient and uses a modular implementation.")
     (license license:gpl2+)))
 
+(define bluez/fixed
+  (package
+    (inherit bluez)
+    (version "5.45")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "mirror://kernel.org/linux/bluetooth/bluez-"
+                    version ".tar.xz"))
+              (sha256
+               (base32
+                "1sb4aflgyrl7apricjipa8wx95qm69yja0lmn2f19g560c3v1b2c"))
+              (patches (search-patches "bluez-CVE-2017-1000250.patch"))))))
+
 (define-public fuse-exfat
   (package
     (name "fuse-exfat")
diff --git a/gnu/packages/patches/bluez-CVE-2017-1000250.patch 
b/gnu/packages/patches/bluez-CVE-2017-1000250.patch
new file mode 100644
index 0000000..81f209d
--- /dev/null
+++ b/gnu/packages/patches/bluez-CVE-2017-1000250.patch
@@ -0,0 +1,42 @@
+Description: CVE-2017-1000250: information disclosure vulnerability in 
service_search_attr_req
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/875633
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
+Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
+Forwarded: no
+Author: Armis Security <address@hidden>
+Reviewed-by: Salvatore Bonaccorso <address@hidden>
+Last-Update: 2017-09-13
+
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
+               /* continuation State exists -> get from cache */
+               sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+               if (pCache) {
+-                      uint16_t sent = MIN(max, pCache->data_size - 
cstate->cStateValue.maxBytesSent);
+-                      pResponse = pCache->data;
+-                      memcpy(buf->data, pResponse + 
cstate->cStateValue.maxBytesSent, sent);
+-                      buf->data_size += sent;
+-                      cstate->cStateValue.maxBytesSent += sent;
+-                      if (cstate->cStateValue.maxBytesSent == 
pCache->data_size)
+-                              cstate_size = sdp_set_cstate_pdu(buf, NULL);
+-                      else
+-                              cstate_size = sdp_set_cstate_pdu(buf, cstate);
++                      if (cstate->cStateValue.maxBytesSent >= 
pCache->data_size) {
++                              status = SDP_INVALID_CSTATE;
++                              SDPDBG("Got bad cstate with invalid size");
++                      } else {
++                              uint16_t sent = MIN(max, pCache->data_size - 
cstate->cStateValue.maxBytesSent);
++                              pResponse = pCache->data;
++                              memcpy(buf->data, pResponse + 
cstate->cStateValue.maxBytesSent, sent);
++                              buf->data_size += sent;
++                              cstate->cStateValue.maxBytesSent += sent;
++                              if (cstate->cStateValue.maxBytesSent == 
pCache->data_size)
++                                      cstate_size = sdp_set_cstate_pdu(buf, 
NULL);
++                              else
++                                      cstate_size = sdp_set_cstate_pdu(buf, 
cstate);
++                      }
+               } else {
+                       status = SDP_INVALID_CSTATE;
+                       SDPDBG("Non-null continuation state, but null cache 
buffer");



reply via email to

[Prev in Thread] Current Thread [Next in Thread]