[arch-commits] Commit in bluez/trunk (CVE-2017-1000250.patch PKGBUILD)
Levente Polyak
anthraxx at archlinux.org
Tue Sep 12 21:14:06 UTC 2017
Date: Tuesday, September 12, 2017 @ 21:14:05
Author: anthraxx
Revision: 305388
upgpkg: bluez 5.46-2 (CVE-2017-1000250 security update)
Added:
bluez/trunk/CVE-2017-1000250.patch
Modified:
bluez/trunk/PKGBUILD
------------------------+
CVE-2017-1000250.patch | 55 +++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 15 +++++++++---
2 files changed, 66 insertions(+), 4 deletions(-)
Added: CVE-2017-1000250.patch
===================================================================
--- CVE-2017-1000250.patch (rev 0)
+++ CVE-2017-1000250.patch 2017-09-12 21:14:05 UTC (rev 305388)
@@ -0,0 +1,55 @@
+From 6821472c7509c54c5b1ef4744af8f6eab9be4aa7 Mon Sep 17 00:00:00 2001
+From: Fedora Bluez maintainers <bluez-owner at fedoraproject.org>
+Date: Mon, 11 Sep 2017 11:19:18 -0400
+Subject: [PATCH] Out of bounds heap read in service_search_attr_req function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a long response is returned to a specific search attribute request, a
+continuation state is returned to allow reception of additional fragments, via
+additional requests that contain the last continuation state sent. However, the
+incoming “cstate” that requests additional fragments isn’t validated properly,
+and thus an out-of-bounds read of the response buffer (pResponse) can be
+achieved, leading to information disclosure of the heap.
+---
+ src/sdpd-request.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..ddeea7f 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ if (pCache) {
+- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+- pResponse = pCache->data;
+- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+- buf->data_size += sent;
+- cstate->cStateValue.maxBytesSent += sent;
+- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+- cstate_size = sdp_set_cstate_pdu(buf, NULL);
+- else
+- cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++ status = SDP_INVALID_CSTATE;
++ SDPDBG("Got bad cstate with invalid size");
++ } else {
++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++ pResponse = pCache->data;
++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++ buf->data_size += sent;
++ cstate->cStateValue.maxBytesSent += sent;
++ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++ cstate_size = sdp_set_cstate_pdu(buf, NULL);
++ else
++ cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ }
+ } else {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Non-null continuation state, but null cache buffer");
+--
+2.13.5
+
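Review bot: The new guard at the top of the inner hunk (`if (cstate->cStateValue.maxBytesSent >= pCache->data_size)`) rejects the forged offset but carries no comment on why equality is also invalid, which a later maintainer could easily relax to `>`. Since the `sdp_set_cstate_pdu(buf, NULL)` branch just below clears the continuation state once maxBytesSent reaches data_size, a well-behaved client can never present an offset equal to data_size, so I would annotate the check: `/* maxBytesSent is taken from the client's cstate; an offset at or past the end of the cached response can only be forged and must not be used as a read offset into pCache->data (CVE-2017-1000250) */`. After this check the only thing tying the client's cstate to pCache is the `sdp_get_cached_rsp(cstate)` lookup, so that lookup, not the offset, remains the authenticity check; if the sibling attribute-request handler in this file copies from the cache with the same `pCache->data + maxBytesSent` pattern, it would need the same guard, which this patch does not show. service_search_attr_req begins and ends outside the hunk.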
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-09-12 21:12:23 UTC (rev 305387)
+++ PKGBUILD 2017-09-12 21:14:05 UTC (rev 305388)
@@ -6,19 +6,26 @@
pkgbase=bluez
pkgname=('bluez' 'bluez-utils' 'bluez-libs' 'bluez-cups' 'bluez-hid2hci' 'bluez-plugins')
pkgver=5.46
-pkgrel=1
+pkgrel=2
url="http://www.bluez.org/"
arch=('i686' 'x86_64')
license=('GPL2')
makedepends=('dbus' 'libical' 'systemd')
source=(https://www.kernel.org/pub/linux/bluetooth/${pkgname}-${pkgver}.tar.{xz,sign}
- bluetooth.modprobe)
+ bluetooth.modprobe
+ CVE-2017-1000250.patch)
# see https://www.kernel.org/pub/linux/bluetooth/sha256sums.asc
sha256sums=('ddab3d3837c1afb8ae228a94ba17709a4650bd4db24211b6771ab735c8908e28'
'SKIP'
- '46c021be659c9a1c4e55afd04df0c059af1f3d98a96338236412e449bf7477b4')
+ '46c021be659c9a1c4e55afd04df0c059af1f3d98a96338236412e449bf7477b4'
+ '56e6b225c8d0e9557b5e01b484a587596e58b289f87ecb9577cc1e847ccb5d70')
validpgpkeys=('E932D120BC2AEC444E558F0106CA9F5D1DCF2659') # Marcel Holtmann <marcel at holtmann.org>
+prepare() {
+ cd ${pkgname}-${pkgver}
+ patch -p1 < "${srcdir}/CVE-2017-1000250.patch"
+}
+
build() {
cd ${pkgname}-${pkgver}
./configure \
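Review bot: The new prepare() at the bottom of the hunk uses `cd ${pkgname}-${pkgver}`, but pkgname is declared as an array a few lines above (`pkgname=('bluez' 'bluez-utils' ...)`), so the unquoted `${pkgname}` only resolves to the source directory because bash expands an array reference to its first element; `pkgbase` is the variable that actually names the source tree and is already used for the doc path in the install hunk. I would write `cd "${pkgbase}-${pkgver}"` and, matching the usual Arch form, `patch -Np1 -i "${srcdir}/CVE-2017-1000250.patch"` so that a previously applied patch is reported as a failure rather than prompting or being applied in reverse. The existing build() has the same `${pkgname}` expansion, so this is a consistency fix for both functions rather than a regression introduced here. Pinning the patch's sha256 next to the tarball's signature check is the right call, since the patch is the only unsigned input to this build.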
@@ -65,7 +72,7 @@
cp -a doc/*.txt ${pkgdir}/usr/share/doc/${pkgbase}/dbus-apis/
# fix module loading errors
install -dm755 ${pkgdir}/usr/lib/modprobe.d
- install -Dm644 ${srcdir}/bluetooth.modprobe ${pkgdir}/usr/lib/modprobe.d/bluetooth-usb.conf
+ install -Dm644 ${srcdir}/bluetooth.modprobe ${pkgdir}/usr/lib/modprobe.d/bluetooth-usb.conf
# fix obex file transfer - https://bugs.archlinux.org/task/45816
ln -fs /usr/lib/systemd/user/obex.service ${pkgdir}/usr/lib/systemd/user/dbus-org.bluez.obex.service