diff --git a/0001-avrcp-Fix-crash-while-handling-unsupported-events.patch b/0001-avrcp-Fix-crash-while-handling-unsupported-events.patch new file mode 100644 index 0000000000000000000000000000000000000000..8be67f42d9fb4124968216e70a79186dad0407fb --- /dev/null +++ b/0001-avrcp-Fix-crash-while-handling-unsupported-events.patch @@ -0,0 +1,54 @@ +From: David Marlin + +Subject: avrcp: Fix crash while handling unsupported events + +Resolves: RHEL-35371 +Resolves: RHEL-35492 + +Fixes CVE-2023-27349 +Fixes CVE-2023-51589 + +commit f54299a850676d92c3dafd83e9174fcfe420ccc9 +Author: Luiz Augusto von Dentz +Date: Wed Mar 22 11:34:24 2023 -0700 + + avrcp: Fix crash while handling unsupported events + + The following crash can be observed if the remote peer send and + unsupported event: + + ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11 + at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0 + WRITE of size 1 at 0x60b000148f11 thread T0 + #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907 + #1 0x559644536c22 in control_response profiles/audio/avctp.c:939 + #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108 + #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) + #4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) + #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) + #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66 + #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188 + #8 0x5596445bb963 in main src/main.c:1289 + #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392 + #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224) + +Signed-off-by: David Marlin + +diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c +index 80f34c7a77a17ddad89abe62e8a7a028c6fecf3c..dda9a303fb711ca009258ba671dc47b7fdd15f94 100644 +--- a/profiles/audio/avrcp.c ++++ b/profiles/audio/avrcp.c +@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, uint8_t code, + case AVRCP_EVENT_UIDS_CHANGED: + avrcp_uids_changed(session, pdu); + break; ++ default: ++ if (event > AVRCP_EVENT_LAST) { ++ warn("Unsupported event: %u", event); ++ return FALSE; ++ } ++ break; + } + + session->registered_events |= (1 << event); diff --git a/0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch b/0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch new file mode 100644 index 0000000000000000000000000000000000000000..2c155de1023e8a8fdd9a7a976837e5a5a4667823 --- /dev/null +++ b/0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch @@ -0,0 +1,73 @@ +From: David Marlin + +Subject: pbap: Fix not checking Primary/Secundary Counter length + +Resolves: RHEL-35501 +Resolves: RHEL-35504 + +CVE: CVE-2023-50230 +CVE: CVE-2023-50229 + +commit 5ab5352531a9cc7058cce569607f3a6831464443 +Author: Luiz Augusto von Dentz +Date: Tue Sep 19 12:14:01 2023 -0700 + + pbap: Fix not checking Primary/Secundary Counter length + + Primary/Secundary Counters are supposed to be 16 bytes values, if the + server has implemented them incorrectly it may lead to the following + crash: + + ================================================================= + ==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address + 0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328 + + READ of size 48 at 0x607000001878 thread T0 + #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 + #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892 + #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887 + #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288 + #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352 + #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374 + #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921 + #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729 + #8 0x564df698b9ee in handle_response gobex/gobex.c:1140 + #9 0x564df698cdea in incoming_data gobex/gobex.c:1385 + #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) + #11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) + #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) + #13 0x564df6977d41 in main obexd/src/main.c:307 + #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392 + #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704) + 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878) + + allocated by thread T0 here: + #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 + #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259 + +Signed-off-by: David Marlin + +diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c +index 1ed8c68eccd00097a8539aaa9ede9feed9b6d060..2d2aa950898c38984d544e7708610d4c2af43b59 100644 +--- a/obexd/client/pbap.c ++++ b/obexd/client/pbap.c +@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) + data = value; + } + +- if (memcmp(pbap->primary, data, len)) { ++ if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) { + memcpy(pbap->primary, data, len); + g_dbus_emit_property_changed(conn, + obc_session_get_path(pbap->session), +@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) + data = value; + } + +- if (memcmp(pbap->secondary, data, len)) { ++ if (len == sizeof(pbap->secondary) && ++ memcmp(pbap->secondary, data, len)) { + memcpy(pbap->secondary, data, len); + g_dbus_emit_property_changed(conn, + obc_session_get_path(pbap->session), diff --git a/bluez.spec b/bluez.spec index 050de9cd2a63c9cc13d81063f2fa4772d080df1b..2605edb9c6195a41c66c3a853e18773f898ba152 100644 --- a/bluez.spec +++ b/bluez.spec @@ -2,7 +2,7 @@ Name: bluez Summary: Bluetooth utilities Version: 5.63 -Release: 3%{anolis_release}%{?dist} +Release: 5%{anolis_release}%{?dist} License: GPLv2+ URL: http://www.bluez.org/ @@ -52,6 +52,9 @@ Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch Patch40: 0001-Change-default-of-ClassicBondedOnly.patch +Patch50: 0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch +Patch51: 0001-avrcp-Fix-crash-while-handling-unsupported-events.patch + BuildRequires: git-core BuildRequires: dbus-devel >= 1.6 BuildRequires: glib2-devel @@ -299,9 +302,23 @@ make check %{_userunitdir}/obex.service %changelog -* Thu Dec 19 2024 Liwei Ge - 5.63-3.0.1 +* Thu Apr 24 2025 Liwei Ge - 5.63-5.0.1 - Add doc sub package +* Mon Dec 09 2024 David Marlin - 5.63-5 ++ bluez-5.63-5 +- Resolves: RHEL-35371 +- Fixing CVE-2023-27349 +- Resolves: RHEL-35492 +- Fixing CVE-2023-51589 + +* Mon Aug 05 2024 David Marlin - 5.63-4 ++ bluez-5.63-4 +- Resolves: RHEL-35501 +- Fixing CVE-2023-50230 +- Resolves: RHEL-35504 +- Fixing CVE-2023-50229 + * Thu Jun 06 2024 David Marlin - 5.63-3 + bluez-5.63-3 - Add back the tests for OSCI.