Change-Id: I42f8ee1423bdb7caa5742bd264fee70ed66108d0
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23558
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,63 @@ |
| 0 |
+From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> |
|
| 2 |
+Date: Tue, 19 Sep 2023 12:14:01 -0700 |
|
| 3 |
+Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length |
|
| 4 |
+ |
|
| 5 |
+Primary/Secundary Counters are supposed to be 16 bytes values, if the |
|
| 6 |
+server has implemented them incorrectly it may lead to the following |
|
| 7 |
+crash: |
|
| 8 |
+ |
|
| 9 |
+================================================================= |
|
| 10 |
+==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address |
|
| 11 |
+0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328 |
|
| 12 |
+ |
|
| 13 |
+ READ of size 48 at 0x607000001878 thread T0 |
|
| 14 |
+ #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 |
|
| 15 |
+ #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892 |
|
| 16 |
+ #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887 |
|
| 17 |
+ #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288 |
|
| 18 |
+ #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352 |
|
| 19 |
+ #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374 |
|
| 20 |
+ #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921 |
|
| 21 |
+ #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729 |
|
| 22 |
+ #8 0x564df698b9ee in handle_response gobex/gobex.c:1140 |
|
| 23 |
+ #9 0x564df698cdea in incoming_data gobex/gobex.c:1385 |
|
| 24 |
+ #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) |
|
| 25 |
+ #11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) |
|
| 26 |
+ #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) |
|
| 27 |
+ #13 0x564df6977d41 in main obexd/src/main.c:307 |
|
| 28 |
+ #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 |
|
| 29 |
+ #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392 |
|
| 30 |
+ #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704) |
|
| 31 |
+ 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878) |
|
| 32 |
+ |
|
| 33 |
+ allocated by thread T0 here: |
|
| 34 |
+ #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 |
|
| 35 |
+ #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259 |
|
| 36 |
+--- |
|
| 37 |
+ obexd/client/pbap.c | 5 +++-- |
|
| 38 |
+ 1 file changed, 3 insertions(+), 2 deletions(-) |
|
| 39 |
+ |
|
| 40 |
+diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c |
|
| 41 |
+index 1ed8c68ecc..2d2aa95089 100644 |
|
| 42 |
+--- a/obexd/client/pbap.c |
|
| 43 |
+@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) |
|
| 44 |
+ data = value; |
|
| 45 |
+ } |
|
| 46 |
+ |
|
| 47 |
+- if (memcmp(pbap->primary, data, len)) {
|
|
| 48 |
++ if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
|
|
| 49 |
+ memcpy(pbap->primary, data, len); |
|
| 50 |
+ g_dbus_emit_property_changed(conn, |
|
| 51 |
+ obc_session_get_path(pbap->session), |
|
| 52 |
+@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) |
|
| 53 |
+ data = value; |
|
| 54 |
+ } |
|
| 55 |
+ |
|
| 56 |
+- if (memcmp(pbap->secondary, data, len)) {
|
|
| 57 |
++ if (len == sizeof(pbap->secondary) && |
|
| 58 |
++ memcmp(pbap->secondary, data, len)) {
|
|
| 59 |
+ memcpy(pbap->secondary, data, len); |
|
| 60 |
+ g_dbus_emit_property_changed(conn, |
|
| 61 |
+ obc_session_get_path(pbap->session), |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Bluetooth utilities |
| 2 | 2 |
Name: bluez |
| 3 | 3 |
Version: 5.66 |
| 4 |
-Release: 3%{?dist}
|
|
| 4 |
+Release: 4%{?dist}
|
|
| 5 | 5 |
License: GPLv2+ |
| 6 | 6 |
Group: Applications/System |
| 7 | 7 |
Vendor: VMware, Inc. |
| ... | ... |
@@ -12,6 +12,7 @@ Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
|
| 12 | 12 |
%define sha512 %{name}=ed0994932687eacf27207867366671b323671f5d5199daf36ea5eff8f254f2bc99ef989ef7df9883b35c06f2af60452be8bad0a06109428a4717cf2b247b4865
|
| 13 | 13 |
|
| 14 | 14 |
Patch0: bluez-CVE-2023-27349.patch |
| 15 |
+Patch1: bluez-CVE-2023-50229-50230.patch |
|
| 15 | 16 |
|
| 16 | 17 |
BuildRequires: libical-devel |
| 17 | 18 |
BuildRequires: glib-devel |
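Review bot: The new `Patch1:` line only declares the patch; whether it is actually applied depends on the `%prep` section, which is outside this hunk. If `%prep` applies patches explicitly (e.g. `%patch0 -p1`) rather than via `%autosetup`, a matching `%patch1 -p1` is needed, otherwise the CVE-2023-50229/CVE-2023-50230 fix is listed in the changelog and in the patch file but never reaches the built obexd binary. Worth confirming from the rpmbuild log that `Patch #1` is applied and that the two pbap.c hunks apply cleanly to the 5.66 tarball, since the upstream patch is from a later tree and carries a different `index` line.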
| ... | ... |
@@ -86,6 +87,8 @@ make %{?_smp_mflags} -k check
|
| 86 | 86 |
%{_datadir}/man/*
|
| 87 | 87 |
|
| 88 | 88 |
%changelog |
| 89 |
+* Fri Mar 22 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 5.66-4 |
|
| 90 |
+- Patched to fix CVE-2023-50229 and CVE-2023-50230 |
|
| 89 | 91 |
* Fri May 12 2023 Nitesh Kumar <kunitesh@vmware.com> 5.66-3 |
| 90 | 92 |
- Patched to fix CVE-2023-27349 |
| 91 | 93 |
* Thu Dec 22 2022 Shreenidhi Shedi <sshedi@vmware.com> 5.66-2 |