* [Buildroot] [PATCH] bluez5_utils: add upstream security fix for CVE-2017-1000250
From: Peter Korsgaard @ 2017-09-13 12:19 UTC (permalink / raw)
  To: buildroot

Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46 and
earlier are vulnerable to an information disclosure vulnerability which
allows remote attackers to obtain sensitive information from the bluetoothd
process memory.  This vulnerability lies in the processing of SDP search
attribute requests.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...-of-bounds-heap-read-in-service_search_at.patch | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch

diff --git a/package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch b/package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch
new file mode 100644
index 0000000000..a73c372e68
--- /dev/null
+++ b/package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch
@@ -0,0 +1,29 @@
+From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 13 Sep 2017 10:01:40 +0300
+Subject: [PATCH] sdp: Fix Out-of-bounds heap read in service_search_attr_req
+ function
+
+Check if there is enough data to continue otherwise return an error.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/sdpd-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce1a..318d04467 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ 	} else {
+ 		/* continuation State exists -> get from cache */
+ 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+-		if (pCache) {
++		if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+ 			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ 			pResponse = pCache->data;
+ 			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+-- 
+2.11.0
+
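Review bot: the added condition on the `+` line is there to protect `pCache->data_size - cstate->cStateValue.maxBytesSent` on the line after it; with a continuation state whose maxBytesSent is at or past data_size, that subtraction wraps, MIN() picks max, and memcpy copies from beyond the cached response, which is the heap over-read the subject line describes. A one-line comment beside the check stating that would spare the next reader from reconstructing it, and since the hunk's context stops before the else branch, it is worth confirming in the full file that the now-failing condition reaches the error return the description promises rather than falling through silently.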
-- 
2.11.0
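A cut-down model of the continuation-state path the patch above guards, added here as an illustration and not taken from BlueZ or Buildroot: the struct shapes, function names and the 10-byte cached response are assumptions. It shows the length the unguarded computation produces once a client-supplied continuation state points past the cached response, and how the check from the fix turns that case into an error instead of a copy.

```c
#include <stdint.h>
#include <string.h>
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-ins for the BlueZ structures (assumed shapes, only the fields the hunk
 * touches): a cached SDP response and a client-supplied continuation state. */
typedef struct { const uint8_t *data; uint32_t data_size; } cached_rsp_t;
typedef struct { uint16_t maxBytesSent; } cstate_t;
/* Length the pre-fix code hands to memcpy. Once maxBytesSent is at or past
 * data_size the unsigned subtraction wraps, MIN() picks max, and the copy
 * would read past the end of the cached response. */
uint32_t unguarded_chunk_len(const cached_rsp_t *c, const cstate_t *cs, uint16_t max)
{
	return MIN(max, c->data_size - cs->maxBytesSent);
}

/* Chunked send with the guard the fix adds: a continuation state pointing
 * beyond the cached data is rejected instead of being used as a copy offset. */
int send_cached_chunk(const cached_rsp_t *c, const cstate_t *cs, uint16_t max,
		      uint8_t *out, uint16_t *sent)
{
	if (!c || cs->maxBytesSent >= c->data_size)
		return -1;	/* stale or malformed continuation state: error */
	*sent = (uint16_t)MIN(max, c->data_size - cs->maxBytesSent);
	memcpy(out, c->data + cs->maxBytesSent, *sent);
	return 0;
}

/* Constructed 10-byte cached response for the two demos below. */
static const uint8_t sample_rsp[10] = { 'A','B','C','D','E','F','G','H','I','J' };
/* 4 bytes already sent, 6 remain: returns the bytes copied, or -1 on error. */
int demo_valid_continuation(void)
{
	uint8_t out[64]; uint16_t sent = 0;
	cached_rsp_t c = { sample_rsp, sizeof(sample_rsp) };
	cstate_t cs = { 4 };
	return send_cached_chunk(&c, &cs, 64, out, &sent) == 0 ? sent : -1;
}

/* Continuation past the cache end. Returns the length the unguarded code would
 * have copied (64 from a 10-byte buffer) if the guarded send refused it, else -1. */
int demo_stale_continuation(void)
{
	uint8_t out[64]; uint16_t sent = 0;
	cached_rsp_t c = { sample_rsp, sizeof(sample_rsp) };
	cstate_t cs = { 12 };
	if (send_cached_chunk(&c, &cs, 64, out, &sent) != -1)
		return -1;	/* guard missed: memcpy would have read out of bounds */
	return (int)unguarded_chunk_len(&c, &cs, 64);
}
```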


* [Buildroot] [PATCH] bluez5_utils: add upstream security fix for CVE-2017-1000250
From: Bernd Kuhls @ 2017-09-16  8:44 UTC (permalink / raw)
  To: buildroot

On Wed, 13 Sep 2017 14:19:55 +0200, Peter Korsgaard wrote:

> Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46
> and earlier are vulnerable to an information disclosure vulnerability
> which allows remote attackers to obtain sensitive information from the
> bluetoothd process memory.  This vulnerability lies in the processing of
> SDP search attribute requests.

Hi,

this patch is included in upstream release 5.47 and can be marked as
superseded by this patch: http://patchwork.ozlabs.org/patch/814482/

Regards, Bernd


* [Buildroot] [PATCH] bluez5_utils: add upstream security fix for CVE-2017-1000250
From: Peter Korsgaard @ 2017-09-17 19:46 UTC (permalink / raw)
  To: buildroot

>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

 > On Wed, 13 Sep 2017 14:19:55 +0200, Peter Korsgaard wrote:
 >> Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46
 >> and earlier are vulnerable to an information disclosure vulnerability
 >> which allows remote attackers to obtain sensitive information from the
 >> bluetoothd process memory.  This vulnerability lies in the processing of
 >> SDP search attribute requests.

 > Hi,

 > this patch is included in upstream release 5.47 and can be marked as
 > superseded by this patch: http://patchwork.ozlabs.org/patch/814482/

Yes, now that 5.47 is out, bumping the version makes more sense.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH] bluez5_utils: add upstream security fix for CVE-2017-1000250
From: Peter Korsgaard @ 2017-09-21 14:59 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46 and
 > earlier are vulnerable to an information disclosure vulnerability which
 > allows remote attackers to obtain sensitive information from the bluetoothd
 > process memory.  This vulnerability lies in the processing of SDP search
 > attribute requests.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2017.02.x, thanks (seems safer than bumping to 5.47).

-- 
Bye, Peter Korsgaard

