mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-24 19:49:25 -05:00
gnu: bluez: Add replacement to fix CVE-2017-1000250.
* gnu/packages/patches/bluez-CVE-2017-1000250.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/linux.scm (bluez)[replacement]: New field. (bluez/fixed): New variable.
This commit is contained in:
parent
35daddede1
commit
27236a4348
3 changed files with 58 additions and 0 deletions
|
@ -536,6 +536,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/binutils-ld-new-dtags.patch \
|
||||
%D%/packages/patches/binutils-loongson-workaround.patch \
|
||||
%D%/packages/patches/blast+-fix-makefile.patch \
|
||||
%D%/packages/patches/bluez-CVE-2017-1000250.patch \
|
||||
%D%/packages/patches/byobu-writable-status.patch \
|
||||
%D%/packages/patches/cairo-CVE-2016-9082.patch \
|
||||
%D%/packages/patches/calibre-no-updates-dialog.patch \
|
||||
|
|
|
@ -3013,6 +3013,7 @@ (define-public bluez
|
|||
(package
|
||||
(name "bluez")
|
||||
(version "5.45")
|
||||
(replacement bluez/fixed)
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append
|
||||
|
@ -3074,6 +3075,20 @@ (define-public bluez
|
|||
is flexible, efficient and uses a modular implementation.")
|
||||
(license license:gpl2+)))
|
||||
|
||||
(define bluez/fixed
|
||||
(package
|
||||
(inherit bluez)
|
||||
(version "5.45")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append
|
||||
"mirror://kernel.org/linux/bluetooth/bluez-"
|
||||
version ".tar.xz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1sb4aflgyrl7apricjipa8wx95qm69yja0lmn2f19g560c3v1b2c"))
|
||||
(patches (search-patches "bluez-CVE-2017-1000250.patch"))))))
|
||||
|
||||
(define-public fuse-exfat
|
||||
(package
|
||||
(name "fuse-exfat")
|
||||
|
|
42
gnu/packages/patches/bluez-CVE-2017-1000250.patch
Normal file
42
gnu/packages/patches/bluez-CVE-2017-1000250.patch
Normal file
|
@ -0,0 +1,42 @@
|
|||
Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
|
||||
Origin: vendor
|
||||
Bug-Debian: https://bugs.debian.org/875633
|
||||
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
|
||||
Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
|
||||
Forwarded: no
|
||||
Author: Armis Security <security@armis.com>
|
||||
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
|
||||
Last-Update: 2017-09-13
|
||||
|
||||
--- a/src/sdpd-request.c
|
||||
+++ b/src/sdpd-request.c
|
||||
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
|
||||
/* continuation State exists -> get from cache */
|
||||
sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
|
||||
if (pCache) {
|
||||
- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
|
||||
- pResponse = pCache->data;
|
||||
- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
|
||||
- buf->data_size += sent;
|
||||
- cstate->cStateValue.maxBytesSent += sent;
|
||||
- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
|
||||
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
|
||||
- else
|
||||
- cstate_size = sdp_set_cstate_pdu(buf, cstate);
|
||||
+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
|
||||
+ status = SDP_INVALID_CSTATE;
|
||||
+ SDPDBG("Got bad cstate with invalid size");
|
||||
+ } else {
|
||||
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
|
||||
+ pResponse = pCache->data;
|
||||
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
|
||||
+ buf->data_size += sent;
|
||||
+ cstate->cStateValue.maxBytesSent += sent;
|
||||
+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
|
||||
+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
|
||||
+ else
|
||||
+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
|
||||
+ }
|
||||
} else {
|
||||
status = SDP_INVALID_CSTATE;
|
||||
SDPDBG("Non-null continuation state, but null cache buffer");
|
Loading…
Reference in a new issue