From patchwork Thu Sep 14 12:27:53 2017
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 112551
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Date: Thu, 14 Sep 2017 13:27:53 +0100
Message-Id: <20170914122753.12713-1-ross.burton@intel.com>
Subject: [OE-core] [PATCH][morty] bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250)

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
information disclosure vulnerability which allows remote attackers to obtain
sensitive information from the bluetoothd process memory. This vulnerability
lies in the processing of SDP search attribute requests.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/recipes-connectivity/bluez5/bluez5.inc        |  1 +
 .../bluez5/bluez5/cve-2017-1000250.patch           | 34 ++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch

--
2.11.0

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index ecefb7b593e..3421c382063 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -23,6 +23,7 @@ SRC_URI = "\ file://run-ptest \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ + file://cve-2017-1000250.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch new file mode 100644 index 00000000000..9fac961bcf6 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch 
@@ -0,0 +1,34 @@ +All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an +information disclosure vulnerability which allows remote attackers to obtain +sensitive information from the bluetoothd process memory. This vulnerability +lies in the processing of SDP search attribute requests. + +CVE: CVE-2017-1000250 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 13 Sep 2017 10:01:40 +0300 +Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function + +Check if there is enough data to continue otherwise return an error. +--- + src/sdpd-request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sdpd-request.c b/src/sdpd-request.c +index 1eefdce..318d044 100644 +--- a/src/sdpd-request.c ++++ b/src/sdpd-request.c +@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) + } else { + /* continuation State exists -> get from cache */ + sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); +- if (pCache) { ++ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) { + uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); + pResponse = pCache->data; + memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); +-- +cgit v1.1
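
Review bot: In the embedded src/sdpd-request.c hunk, the added test cstate->cStateValue.maxBytesSent < pCache->data_size only gates the cached-response branch, and the path taken when it is false lies outside the context lines shown, so the hunk by itself does not show the "otherwise return an error" that the upstream commit message describes. Please confirm that the existing else branch of "if (pCache ...)" sets an error status and does not go on to use pResponse, because after this change a continuation state whose maxBytesSent is at or beyond the cached response size lands in that branch together with a plain cache miss. For the lines that are visible the guard is sufficient: it keeps pCache->data_size - cstate->cStateValue.maxBytesSent from wrapping before MIN() is applied and keeps the memcpy source offset inside the cached buffer. As a smaller style point on the new patch file's header, the upstream commit id could be stated next to "Upstream-Status: Backport" so the origin is clear without reading the From line further down.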