aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/linux.scm15
-rw-r--r--gnu/packages/patches/bluez-CVE-2017-1000250.patch42
3 files changed, 58 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index c1bc391101..1f55e52bfd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -536,6 +536,7 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-ld-new-dtags.patch \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blast+-fix-makefile.patch \
+ %D%/packages/patches/bluez-CVE-2017-1000250.patch \
%D%/packages/patches/byobu-writable-status.patch \
%D%/packages/patches/cairo-CVE-2016-9082.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 22f22c036c..28a5e5b885 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3013,6 +3013,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
(package
(name "bluez")
(version "5.45")
+ (replacement bluez/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -3074,6 +3075,20 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
+(define bluez/fixed
+ (package
+ (inherit bluez)
+ (version "5.45")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "mirror://kernel.org/linux/bluetooth/bluez-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1sb4aflgyrl7apricjipa8wx95qm69yja0lmn2f19g560c3v1b2c"))
+ (patches (search-patches "bluez-CVE-2017-1000250.patch"))))))
+
(define-public fuse-exfat
(package
(name "fuse-exfat")
diff --git a/gnu/packages/patches/bluez-CVE-2017-1000250.patch b/gnu/packages/patches/bluez-CVE-2017-1000250.patch
new file mode 100644
index 0000000000..81f209d7b2
--- /dev/null
+++ b/gnu/packages/patches/bluez-CVE-2017-1000250.patch
@@ -0,0 +1,42 @@
+Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/875633
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
+Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
+Forwarded: no
+Author: Armis Security <security@armis.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-09-13
+
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ if (pCache) {
+- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+- pResponse = pCache->data;
+- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+- buf->data_size += sent;
+- cstate->cStateValue.maxBytesSent += sent;
+- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+- cstate_size = sdp_set_cstate_pdu(buf, NULL);
+- else
+- cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++ status = SDP_INVALID_CSTATE;
++ SDPDBG("Got bad cstate with invalid size");
++ } else {
++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++ pResponse = pCache->data;
++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++ buf->data_size += sent;
++ cstate->cStateValue.maxBytesSent += sent;
++ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++ cstate_size = sdp_set_cstate_pdu(buf, NULL);
++ else
++ cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ }
+ } else {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Non-null continuation state, but null cache buffer");