@@ -1,7 +1,7 @@

 Summary:       A set of tools to manage bluetooth devices for linux

 Name:          bluez-tools

 Version:       0.2.0.20140808

-Release:       5%{?dist}

+Release:       6%{?dist}

 License:       GPL

 Group:         Applications/Communication

 Vendor:        VMware, Inc.

@@ -46,6 +46,8 @@ make DESTDIR=%{buildroot} install %{?_smp_mflags}

 %doc AUTHORS COPYING

 %changelog

+* Tue Apr 02 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 0.2.0.20140808-6

+- Version Bump up to consume bluez v5.71

 * Fri Dec 16 2022 Nitesh Kumar <kunitesh@vmware.com> 0.2.0.20140808-5

 - Version Bump up to consume bluez v5.66

 * Fri Sep 16 2022 Nitesh Kumar <kunitesh@vmware.com> 0.2.0.20140808-4

deleted file mode 100644

@@ -1,44 +0,0 @@

-From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001

-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

-Date: Wed, 22 Mar 2023 11:34:24 -0700

-Subject: [PATCH] avrcp: Fix crash while handling unsupported events

-

-The following crash can be observed if the remote peer send and

-unsupported event:

-

-ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11

- at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0

- WRITE of size 1 at 0x60b000148f11 thread T0

-     #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907

-     #1 0x559644536c22 in control_response profiles/audio/avctp.c:939

-     #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108

-     #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)

-     #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)

-     #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)

-     #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66

-     #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188

-     #8 0x5596445bb963 in main src/main.c:1289

-     #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

-     #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392

-     #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)

- profiles/audio/avrcp.c | 6 ++++++

- 1 file changed, 6 insertions(+)

-

-diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c

-index 80f34c7a77..dda9a303fb 100644

-+++ b/profiles/audio/avrcp.c

-@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, uint8_t code,

- 	case AVRCP_EVENT_UIDS_CHANGED:

- 		avrcp_uids_changed(session, pdu);

- 		break;

-+	default:

-+		if (event > AVRCP_EVENT_LAST) {

-+			warn("Unsupported event: %u", event);

-+			return FALSE;

-+		}

-+		break;

- 	}

- 

- 	session->registered_events |= (1 << event);

deleted file mode 100644

@@ -1,63 +0,0 @@

-From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001

-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

-Date: Tue, 19 Sep 2023 12:14:01 -0700

-Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length

-

-Primary/Secundary Counters are supposed to be 16 bytes values, if the

-server has implemented them incorrectly it may lead to the following

-crash:

-

-=================================================================

-==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address

-0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328

-

- READ of size 48 at 0x607000001878 thread T0

-     #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860

-     #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892

-     #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887

-     #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288

-     #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352

-     #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374

-     #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921

-     #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729

-     #8 0x564df698b9ee in handle_response gobex/gobex.c:1140

-     #9 0x564df698cdea in incoming_data gobex/gobex.c:1385

-     #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)

-     #11 0x7f95a13526c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)

-     #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)

-     #13 0x564df6977d41 in main obexd/src/main.c:307

-     #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

-     #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392

-     #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)

- 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)

-

- allocated by thread T0 here:

-     #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154

-     #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259

- obexd/client/pbap.c | 5 +++--

- 1 file changed, 3 insertions(+), 2 deletions(-)

-

-diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c

-index 1ed8c68ecc..2d2aa95089 100644

-+++ b/obexd/client/pbap.c

-@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)

- 		data = value;

- 	}

- 

--	if (memcmp(pbap->primary, data, len)) {

-+	if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {

- 		memcpy(pbap->primary, data, len);

- 		g_dbus_emit_property_changed(conn,

- 					obc_session_get_path(pbap->session),

-@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)

- 		data = value;

- 	}

- 

--	if (memcmp(pbap->secondary, data, len)) {

-+	if (len == sizeof(pbap->secondary) &&

-+			memcmp(pbap->secondary, data, len)) {

- 		memcpy(pbap->secondary, data, len);

- 		g_dbus_emit_property_changed(conn,

- 					obc_session_get_path(pbap->session),

@@ -1,7 +1,7 @@

 Summary:        Bluetooth utilities

 Name:           bluez

-Version:        5.66

-Release:        4%{?dist}

+Version:        5.71

+Release:        1%{?dist}

 License:        GPLv2+

 Group:          Applications/System

 Vendor:         VMware, Inc.

@@ -9,10 +9,7 @@ Distribution:   Photon

 URL:            http://www.bluez.org

 Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz

-%define sha512 %{name}=ed0994932687eacf27207867366671b323671f5d5199daf36ea5eff8f254f2bc99ef989ef7df9883b35c06f2af60452be8bad0a06109428a4717cf2b247b4865

-

-Patch0: bluez-CVE-2023-27349.patch

-Patch1: bluez-CVE-2023-50229-50230.patch

+%define sha512 %{name}=648394bbe470405aa0e2d3914474e95c122f567deaaac20a5dd74bac29fa430dfb64cdb7bdb4fb7510e62fa73e96112a97197fc212b421bf480b8d1bb24cfb5d

 BuildRequires:  libical-devel

 BuildRequires:  glib-devel

@@ -77,7 +74,7 @@ make %{?_smp_mflags} -k check

 %{_datadir}/dbus-1/services/org.bluez.obex.service

 %{_libdir}/systemd/user/obex.service

 %{_unitdir}/bluetooth.service

-%config(noreplace) %{_sysconfdir}/dbus-1/system.d/bluetooth.conf

+%config(noreplace) %{_datadir}/dbus-1/system.d/bluetooth.conf

 %files devel

 %defattr(-,root,root)

@@ -87,6 +84,10 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/*

 %changelog

+* Tue Apr 02 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 5.71-1

+- Version upgrade to v5.71 to fix following CVE's:

+- CVE-2023-44431, CVE-2023-51580, CVE-2023-51589,

+- CVE-2023-51592 and CVE-2023-51596

 * Fri Mar 22 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 5.66-4

 - Patched to fix CVE-2023-50229 and CVE-2023-50230

 * Fri May 12 2023 Nitesh Kumar <kunitesh@vmware.com> 5.66-3

@@ -1,6 +1,6 @@

 Name:           gpsd

 Version:        3.25

-Release:        3%{?dist}

+Release:        4%{?dist}

 Summary:        Service daemon for mediating access to a GPS

 Group:          System Environment

 Vendor:         VMware, Inc.

@@ -229,6 +229,8 @@ install -p -m 0755 gpsinit %{buildroot}%{_sbindir}

 %exclude %{_datadir}/%{name}/gpsd-logo.png

 %changelog

+* Tue Apr 02 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 3.25-4

+- Version Bump up to consume bluez v5.71

 * Tue Oct 24 2023 Shreenidhi Shedi <sshedi@vmware.com> 3.25-3

 - Bump version as a part of scons upgrade

 * Thu Sep 14 2023 Shreenidhi Shedi <sshedi@vmware.com> 3.25-2