Bruce,

On 09/14/2017 06:13 AM, Bruce Ashfield wrote:
.. and if anyone notices, there's a kernel part to this CVE as well.

I've applied the fix to all the active linux-yocto kernels, and the change will be part of my consolidated pull request that comes out later today.

Thanks. I will merge with pyro and morty when they hit master.

- armin

Cheers,

Bruce

On Thu, Sep 14, 2017 at 8:27 AM, Ross Burton <[email protected]> wrote:

    All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
    information disclosure vulnerability which allows remote attackers to obtain
    sensitive information from the bluetoothd process memory. This vulnerability
    lies in the processing of SDP search attribute requests.

    Signed-off-by: Ross Burton <[email protected]>
    ---
     meta/recipes-connectivity/bluez5/bluez5.inc |  1 +
     .../bluez5/bluez5/cve-2017-1000250.patch  | 34 ++++++++++++++++++++++
     2 files changed, 35 insertions(+)
     create mode 100644 meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch

    diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc
    b/meta/recipes-connectivity/bluez5/bluez5.inc
    index ecefb7b593e..3421c382063 100644
    --- a/meta/recipes-connectivity/bluez5/bluez5.inc
    +++ b/meta/recipes-connectivity/bluez5/bluez5.inc
    @@ -23,6 +23,7 @@ SRC_URI = "\
         file://run-ptest \
         ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '',
    'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch',
    d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch
    \
    +    file://cve-2017-1000250.patch \
     "
     S = "${WORKDIR}/bluez-${PV}"

    diff --git
    a/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
    b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
    new file mode 100644
    index 00000000000..9fac961bcf6
    --- /dev/null
    +++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
    @@ -0,0 +1,34 @@
    +All versions of the SDP server in BlueZ 5.46 and earlier are
    vulnerable to an
    +information disclosure vulnerability which allows remote
    attackers to obtain
    +sensitive information from the bluetoothd process memory. This
    vulnerability
    +lies in the processing of SDP search attribute requests.
    +
    +CVE: CVE-2017-1000250
    +Upstream-Status: Backport
    +Signed-off-by: Ross Burton <[email protected]
    <mailto:[email protected]>>
    +
    +From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00
    2001
    +From: Luiz Augusto von Dentz <[email protected]
    <mailto:[email protected]>>
    +Date: Wed, 13 Sep 2017 10:01:40 +0300
    +Subject: sdp: Fix Out-of-bounds heap read in
    service_search_attr_req function
    +
    +Check if there is enough data to continue otherwise return an error.
    +---
    + src/sdpd-request.c | 2 +-
    + 1 file changed, 1 insertion(+), 1 deletion(-)
    +
    +diff --git a/src/sdpd-request.c b/src/sdpd-request.c
    +index 1eefdce..318d044 100644
    +--- a/src/sdpd-request.c
    ++++ b/src/sdpd-request.c
    +@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t
    *req, sdp_buf_t *buf)
    +       } else {
    +               /* continuation State exists -> get from cache */
    +               sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
    +-              if (pCache) {
    ++              if (pCache && cstate->cStateValue.maxBytesSent <
    pCache->data_size) {
    +                       uint16_t sent = MIN(max, pCache->data_size
    - cstate->cStateValue.maxBytesSent);
    +                       pResponse = pCache->data;
    +                       memcpy(buf->data, pResponse +
    cstate->cStateValue.maxBytesSent, sent);
    +--
    +cgit v1.1
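    Review bot: the added condition in `if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size)` is what keeps the next line, `MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent)`, from being evaluated with a client-supplied offset at or past the end of the cached response; with an offset beyond `data_size` that unsigned subtraction wraps, `MIN()` falls back to `max`, and the `memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent)` copies from outside the cache, which is the process-memory disclosure the description refers to. The hunk context ends before the matching `else`, so the "otherwise return an error" from the commit message is not visible here; it is worth confirming that the existing else branch of this `if` does produce an error response rather than an empty continuation chunk. Minor: the trailing `+cgit v1.1` line is the cgit web export's footer, not part of the upstream commit, and can be dropped from the backport file.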
    --
    2.11.0

    --
    _______________________________________________
    Openembedded-core mailing list
    [email protected]
    http://lists.openembedded.org/mailman/listinfo/openembedded-core

--
"Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end"
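As an added, constructed illustration of the failure mode Ross's description names (this is not BlueZ code and not part of the thread): a model of the continuation-state length computation on the patched line, before and after the `maxBytesSent < data_size` guard. Field names follow the hunk; the types (`uint32_t data_size`, `uint16_t maxBytesSent`), the `cache_t`/`cstate_t` names and the helper functions are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed stand-ins for BlueZ's cached response buffer and continuation
 * state; field names follow the hunk, the types are assumptions. */
typedef struct { uint8_t *data; uint32_t data_size; } cache_t;
typedef struct { uint16_t maxBytesSent; } cstate_t;

/* Unpatched length, as on the removed line: an offset past the end of the
 * cache makes the unsigned subtraction wrap, MIN() yields `max`, and the
 * following memcpy would read `max` bytes from beyond the cached response. */
static uint32_t chunk_len_unpatched(const cache_t *c, const cstate_t *cs, uint16_t max)
{
    return MIN((uint32_t)max, c->data_size - cs->maxBytesSent);
}

/* Patched path: the guard the hunk adds, then the copy. -1 stands for the
 * "return an error" outcome named in the commit message. */
static int serve_chunk_patched(const cache_t *c, const cstate_t *cs, uint16_t max,
                               uint8_t *out, size_t out_len)
{
    if (cs->maxBytesSent >= c->data_size)
        return -1;
    uint32_t len = MIN((uint32_t)max, c->data_size - cs->maxBytesSent);
    if (len > out_len)
        return -1;
    memcpy(out, c->data + cs->maxBytesSent, len);
    return (int)len;
}

/* Constructed scenario: a 16-byte cached response (contents irrelevant) and a
 * continuation state claiming 20 bytes were already sent, i.e. an offset past it. */
static uint8_t cached[16];
static const cache_t rsp = { cached, sizeof cached };
static const cstate_t bogus = { 20 }, valid = { 10 };

uint32_t demo_unpatched_oob(void) { return chunk_len_unpatched(&rsp, &bogus, 48); }
int demo_patched_oob(void) { uint8_t out[64]; return serve_chunk_patched(&rsp, &bogus, 48, out, sizeof out); }
int demo_patched_in_range(void) { uint8_t out[64]; return serve_chunk_patched(&rsp, &valid, 48, out, sizeof out); }

int main(void)
{
    printf("offset 20 of 16: unpatched would copy %u bytes, patched returns %d\n",
           demo_unpatched_oob(), demo_patched_oob());
    printf("offset 10 of 16: patched serves %d bytes\n", demo_patched_in_range());
    return 0;
}
```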


