~ruther/guix-local

27236a43486b8fbb9d55d533e558165bab07d020 — Mark H Weaver 8 years ago 35dadde 
gnu: bluez: Add replacement to fix CVE-2017-1000250.

* gnu/packages/patches/bluez-CVE-2017-1000250.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (bluez)[replacement]: New field.
(bluez/fixed): New variable.
patch browse .tar.gz 
3 files changed, 58 insertions(+), 0 deletions(-)

M gnu/local.mk
M gnu/packages/linux.scm
A gnu/packages/patches/bluez-CVE-2017-1000250.patch

M gnu/local.mk => gnu/local.mk +1 -0
@@ 536,6 536,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/binutils-ld-new-dtags.patch		\
  %D%/packages/patches/binutils-loongson-workaround.patch	\
  %D%/packages/patches/blast+-fix-makefile.patch		\
  %D%/packages/patches/bluez-CVE-2017-1000250.patch		\
  %D%/packages/patches/byobu-writable-status.patch		\
  %D%/packages/patches/cairo-CVE-2016-9082.patch			\
  %D%/packages/patches/calibre-no-updates-dialog.patch		\


M gnu/packages/linux.scm => gnu/packages/linux.scm +15 -0
@@ 3013,6 3013,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
  (package
    (name "bluez")
    (version "5.45")
    (replacement bluez/fixed)
    (source (origin
              (method url-fetch)
              (uri (string-append


@@ 3074,6 3075,20 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
    (license license:gpl2+)))

(define bluez/fixed
  (package
    (inherit bluez)
    (version "5.45")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://kernel.org/linux/bluetooth/bluez-"
                    version ".tar.xz"))
              (sha256
               (base32
                "1sb4aflgyrl7apricjipa8wx95qm69yja0lmn2f19g560c3v1b2c"))
              (patches (search-patches "bluez-CVE-2017-1000250.patch"))))))

(define-public fuse-exfat
  (package
    (name "fuse-exfat")


A gnu/packages/patches/bluez-CVE-2017-1000250.patch => gnu/packages/patches/bluez-CVE-2017-1000250.patch +42 -0
@@ 0,0 1,42 @@
Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
Origin: vendor
Bug-Debian: https://bugs.debian.org/875633
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
Forwarded: no
Author: Armis Security <security@armis.com>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2017-09-13

--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
 		/* continuation State exists -> get from cache */
 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
 		if (pCache) {
-			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
-			pResponse = pCache->data;
-			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
-			buf->data_size += sent;
-			cstate->cStateValue.maxBytesSent += sent;
-			if (cstate->cStateValue.maxBytesSent == pCache->data_size)
-				cstate_size = sdp_set_cstate_pdu(buf, NULL);
-			else
-				cstate_size = sdp_set_cstate_pdu(buf, cstate);
+			if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
+				status = SDP_INVALID_CSTATE;
+				SDPDBG("Got bad cstate with invalid size");
+			} else {
+				uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+				pResponse = pCache->data;
+				memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+				buf->data_size += sent;
+				cstate->cStateValue.maxBytesSent += sent;
+				if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+					cstate_size = sdp_set_cstate_pdu(buf, NULL);
+				else
+					cstate_size = sdp_set_cstate_pdu(buf, cstate);
+			}
 		} else {
 			status = SDP_INVALID_CSTATE;
 			SDPDBG("Non-null continuation state, but null cache buffer");