From 39b76b396e8e5fbff66496e1f21e5c9e18fece69 Mon Sep 17 00:00:00 2001
From: yanan-rock
Date: Sun, 18 Apr 2021 09:24:41 -0400
Subject: [PATCH] fix CVE-2021-3658
Signed-off-by: yanan-rock
(cherry picked from commit a307688086929be509ef792dbdc4145020640310)
---
backport-0001-CVE-2021-3658.patch | 193 ++++++++++++++++++++++++++++++
backport-0002-CVE-2021-3658.patch | 94 +++++++++++++++
bluez.spec | 7 +-
3 files changed, 293 insertions(+), 1 deletion(-)
create mode 100644 backport-0001-CVE-2021-3658.patch
create mode 100644 backport-0002-CVE-2021-3658.patch
diff --git a/backport-0001-CVE-2021-3658.patch b/backport-0001-CVE-2021-3658.patch
new file mode 100644
index 0000000..8d6ed52
--- /dev/null
+++ b/backport-0001-CVE-2021-3658.patch
@@ -0,0 +1,193 @@
+From 0ce535ecb2bb58079513ccbd1fe086409c77beb8 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Thu, 11 Jun 2020 13:23:06 -0700
+Subject: [PATCH] adapter: Rename watch_client to discovery_client
+
+watch term is quite vague so this replace it with discovery which is
+what is used for the filter as well.
+
+Conflict:NA
+Reference:https://github.com/bluez/bluez/commit/0ce535ecb2bb58079513ccbd1fe086409c77beb8
+---
+ src/adapter.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 972d887..160f199 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -182,7 +182,7 @@ struct discovery_filter {
+ bool discoverable;
+ };
+
+-struct watch_client {
++struct discovery_client {
+ struct btd_adapter *adapter;
+ DBusMessage *msg;
+ char *owner;
+@@ -1474,7 +1474,7 @@ static void start_discovery_complete(uint8_t status, uint16_t length,
+ const void *param, void *user_data)
+ {
+ struct btd_adapter *adapter = user_data;
+- struct watch_client *client;
++ struct discovery_client *client;
+ const struct mgmt_cp_start_discovery *rp = param;
+ DBusMessage *reply;
+
+@@ -1851,8 +1851,8 @@ static void discovery_cleanup(struct btd_adapter *adapter)
+
+ static void discovery_free(void *user_data)
+ {
+- struct watch_client *client = user_data;
+
++ struct discovery_client *client = user_data;
+ if (client->watch)
+ g_dbus_remove_watch(dbus_conn, client->watch);
+
+@@ -1882,7 +1882,7 @@ static bool set_discovery_discoverable(struct btd_adapter *adapter, bool enable)
+ return set_discoverable(adapter, enable, 0);
+ }
+
+-static void discovery_remove(struct watch_client *client, bool exit)
++static void discovery_remove(struct discovery_client *client, bool exit)
+ {
+ struct btd_adapter *adapter = client->adapter;
+
+@@ -1913,7 +1913,7 @@ static void discovery_remove(struct watch_client *client, bool exit)
+ static void stop_discovery_complete(uint8_t status, uint16_t length,
+ const void *param, void *user_data)
+ {
+- struct watch_client *client = user_data;
++ struct discovery_client *client = user_data;
+ struct btd_adapter *adapter = client->adapter;
+ DBusMessage *reply;
+
+@@ -1949,7 +1949,7 @@ done:
+
+ static int compare_sender(gconstpointer a, gconstpointer b)
+ {
+- const struct watch_client *client = a;
++ const struct discovery_client *client = a;
+ const char *sender = b;
+
+ return g_strcmp0(client->owner, sender);
+@@ -1982,7 +1982,7 @@ static int merge_discovery_filters(struct btd_adapter *adapter, int *rssi,
+ bool has_filtered_discovery = false;
+
+ for (l = adapter->discovery_list; l != NULL; l = g_slist_next(l)) {
+- struct watch_client *client = l->data;
++ struct discovery_client *client = l->data;
+ struct discovery_filter *item = client->discovery_filter;
+
+ if (!item) {
+@@ -2149,7 +2149,7 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ }
+
+ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct watch_client *client = l->data;
++ struct discovery_client *client = l->data;
+
+ if (!client->discovery_filter)
+ continue;
+@@ -2179,7 +2179,7 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ return -EINPROGRESS;
+ }
+
+-static int discovery_stop(struct watch_client *client, bool exit)
++static int discovery_stop(struct discovery_client *client, bool exit)
+ {
+ struct btd_adapter *adapter = client->adapter;
+ struct mgmt_cp_stop_discovery cp;
+@@ -2220,7 +2220,7 @@ static int discovery_stop(struct watch_client *client, bool exit)
+
+ static void discovery_disconnect(DBusConnection *conn, void *user_data)
+ {
+- struct watch_client *client = user_data;
++ struct discovery_client *client = user_data;
+
+ DBG("owner %s", client->owner);
+
+@@ -2233,7 +2233,7 @@ static void discovery_disconnect(DBusConnection *conn, void *user_data)
+ */
+ static bool get_discovery_client(struct btd_adapter *adapter,
+ const char *owner,
+- struct watch_client **client)
++ struct discovery_client **client)
+ {
+ GSList *list = g_slist_find_custom(adapter->discovery_list, owner,
+ compare_sender);
+@@ -2258,7 +2258,7 @@ static DBusMessage *start_discovery(DBusConnection *conn,
+ {
+ struct btd_adapter *adapter = user_data;
+ const char *sender = dbus_message_get_sender(msg);
+- struct watch_client *client;
++ struct discovery_client *client;
+ bool is_discovering;
+ int err;
+
+@@ -2292,7 +2292,7 @@ static DBusMessage *start_discovery(DBusConnection *conn,
+ goto done;
+ }
+
+- client = g_new0(struct watch_client, 1);
++ client = g_new0(struct discovery_client, 1);
+
+ client->adapter = adapter;
+ client->owner = g_strdup(sender);
+@@ -2556,7 +2556,7 @@ static DBusMessage *set_discovery_filter(DBusConnection *conn,
+ DBusMessage *msg, void *user_data)
+ {
+ struct btd_adapter *adapter = user_data;
+- struct watch_client *client;
++ struct discovery_client *client;
+ struct discovery_filter *discovery_filter;
+ const char *sender = dbus_message_get_sender(msg);
+ bool is_discovering;
+@@ -2593,7 +2593,7 @@ static DBusMessage *set_discovery_filter(DBusConnection *conn,
+ DBG("successfully cleared pre-set filter");
+ } else if (discovery_filter) {
+ /* Client pre-setting his filter for first time */
+- client = g_new0(struct watch_client, 1);
++ client = g_new0(struct discovery_client, 1);
+ client->adapter = adapter;
+ client->owner = g_strdup(sender);
+ client->discovery_filter = discovery_filter;
+@@ -2614,7 +2614,7 @@ static DBusMessage *stop_discovery(DBusConnection *conn,
+ {
+ struct btd_adapter *adapter = user_data;
+ const char *sender = dbus_message_get_sender(msg);
+- struct watch_client *client;
++ struct discovery_client *client;
+ GSList *list;
+ int err;
+
+@@ -6109,7 +6109,7 @@ static bool is_filter_match(GSList *discovery_filter, struct eir_data *eir_data,
+
+ for (l = discovery_filter; l != NULL && got_match != true;
+ l = g_slist_next(l)) {
+- struct watch_client *client = l->data;
++ struct discovery_client *client = l->data;
+ struct discovery_filter *item = client->discovery_filter;
+
+ /*
+@@ -6157,7 +6157,7 @@ static bool is_filter_match(GSList *discovery_filter, struct eir_data *eir_data,
+
+ static void filter_duplicate_data(void *data, void *user_data)
+ {
+- struct watch_client *client = data;
++ struct discovery_client *client = data;
+ bool *duplicate = user_data;
+
+ if (*duplicate || !client->discovery_filter)
+@@ -6187,7 +6187,7 @@ static bool device_is_discoverable(struct btd_adapter *adapter,
+
+ /* Do a prefix match for both address and name if pattern is set */
+ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct watch_client *client = l->data;
++ struct discovery_client *client = l->data;
+ struct discovery_filter *filter = client->discovery_filter;
+ size_t pattern_len;
+
+--
+2.27.0
+
diff --git a/backport-0002-CVE-2021-3658.patch b/backport-0002-CVE-2021-3658.patch
new file mode 100644
index 0000000..dbf8e61
--- /dev/null
+++ b/backport-0002-CVE-2021-3658.patch
@@ -0,0 +1,94 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Conflict:NA
+Reference:https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+ if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+ g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ ADAPTER_INTERFACE, "Discoverable");
+- store_adapter_info(adapter);
++ /* Only persist discoverable setting if it was not set
++ * temporarily by discovery.
++ */
++ if (!adapter->discovery_discoverable)
++ store_adapter_info(adapter);
+ btd_adv_manager_refresh(adapter->adv_manager);
+ }
+
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+ struct mgmt_cp_start_service_discovery *sd_cp;
+- GSList *l;
+-
+
+ DBG("");
+
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ return -ENOMEM;
+ }
+
+- for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct discovery_client *client = l->data;
++ /* Only attempt to overwrite current discoverable setting when not
++ * discoverable.
++ */
++ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++ GSList *l;
+
+- if (!client->discovery_filter)
+- continue;
++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++ struct discovery_client *client = l->data;
+
+- if (client->discovery_filter->discoverable)
+- break;
+- }
++ if (!client->discovery_filter)
++ continue;
+
+- set_discovery_discoverable(adapter, l ? true : false);
++ if (client->discovery_filter->discoverable) {
++ set_discovery_discoverable(adapter, true);
++ break;
++ }
++ }
++ }
+
+ /*
+ * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client, bool exit)
+ return 0;
+ }
+
+- if (adapter->discovery_discoverable)
+- set_discovery_discoverable(adapter, false);
++ set_discovery_discoverable(adapter, false);
+
+ /*
+ * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+ g_free(adapter->current_discovery_filter);
+ adapter->current_discovery_filter = NULL;
+
++ set_discovery_discoverable(adapter, false);
+ adapter->discovering = false;
+
+ while (adapter->connections) {
+--
+cgit 1.2.3-1.el7
diff --git a/bluez.spec b/bluez.spec
index 3604b08..c5853a3 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -1,7 +1,7 @@
Name: bluez
Summary: Bluetooth utilities
Version: 5.54
-Release: 4
+Release: 5
License: GPLv2+
URL: http://www.bluez.org/
Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
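Review bot: In the update_discovery_filter hunk of backport-0002, the new guard `if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE))` masks a settings word with a management opcode: the settings_changed hunk of the same patch tests the equivalent value with `MGMT_SETTING_DISCOVERABLE`, which is the bit that belongs in a settings mask, whereas MGMT_OP_SET_DISCOVERABLE is the opcode used to request the change and is not a settings bit. As written the guard keys on an unrelated bit, so whether a discovery client is allowed to flip the adapter discoverable does not track the adapter's real discoverable state, and because discovery_stop in the same patch now calls `set_discovery_discoverable(adapter, false)` unconditionally, a discoverable mode the user configured may be switched off when a discovery session ends; that last consequence depends on what set_discovery_discoverable does, which is outside the hunk. The line should read `if (!(adapter->current_settings & MGMT_SETTING_DISCOVERABLE)) {`. The body of update_discovery_filter starts and continues outside the hunk.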
@@ -21,6 +21,8 @@ Patch0006: backport-CVE-2021-3588.patch
# upstream:https://github.com/bluez/bluez/commit/5fc60b2ce7c4370ff8d9bc3d3c3434b212465f40
Patch0007: backport-bluez-disable-test-mesh-crypto.patch
Patch6000: backport-CVE-2020-27153.patch
+Patch6001: backport-0001-CVE-2021-3658.patch
+Patch6002: backport-0002-CVE-2021-3658.patch
BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
BuildRequires: git-core glib2-devel libical-devel readline-devel
@@ -177,6 +179,9 @@ make check
%{_mandir}/man8/*
%changelog
+* Fri Sep 24 2021 yanan - 5.54-9
+- DESC:fix CVE-2021-3658
+
* Tue Aug 10 2021 zhanzhimin - 5.54-4
- Type:CVE
- ID:CVE-2020-27153
--
Gitee
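Review bot: The new `Patch6001`/`Patch6002` entries are only declared here; the %prep section that would apply them (an %autosetup, or explicit %patch lines matching the other Patch numbers) is not in this hunk, so it has to be confirmed on the rest of the spec that both backports are actually applied at build time. Related to the same change, the changelog entry added in the last hunk records the build as `5.54-9` while the first hunk bumps `Release` from 4 to 5, so the entry header should be `* Fri Sep 24 2021 yanan - 5.54-5` to match. That entry also collapses the `Type:`/`ID:` fields used by the previous entry into a single `DESC:` line, which departs from the entry format used directly below it.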