Hello community,

here is the log from the commit of package bluez for openSUSE:Factory checked 
in at 2018-05-19 15:40:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bluez (Old)
 and      /work/SRC/openSUSE:Factory/.bluez.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bluez"

Sat May 19 15:40:10 2018 rev:156 rq:607315 version:5.49

Changes:
--------
--- /work/SRC/openSUSE:Factory/bluez/bluez.changes      2018-03-29 
11:50:32.141355643 +0200
+++ /work/SRC/openSUSE:Factory/.bluez.new/bluez.changes 2018-05-19 
15:40:14.303518353 +0200
@@ -1,0 +2,11 @@
+Fri May 11 07:14:16 UTC 2018 - [email protected]
+
+- Add
+  CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+  * Fix hcidump memory leak in pin_code_reply_dump().
+  (bsc#1013721)(CVE-2016-9800)
+  CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+  * Fix hcidump buffer overflow in commands_dump().
+  (bsc#1013877)(CVE-2016-9804) 
+
+-------------------------------------------------------------------

New:
----
  CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
  CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bluez.spec ++++++
--- /var/tmp/diff_new_pack.SLyIHY/_old  2018-05-19 15:40:15.987456742 +0200
+++ /var/tmp/diff_new_pack.SLyIHY/_new  2018-05-19 15:40:15.987456742 +0200
@@ -40,6 +40,9 @@
 Patch6:         disable_some_obex_tests.patch
 # PATCH-FIX-UPSTREAM: crasher bug, boo#1086731 [email protected]
 Patch7:         0001-Don-t-refresh-adv_manager-for-non-LE-devices.patch
+# fix some memory leak with malformed packet (reported upstream but not yet 
fixed)
+Patch101:       
CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+Patch102:       
CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
 BuildRequires:  automake
 BuildRequires:  flex
 BuildRequires:  libtool
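Review bot: The comment above Patch101/Patch102 describes both patches as memory-leak fixes, but each one adds a length check in front of a memcpy() into a fixed-size buffer, so what they address is an out-of-bounds copy on a malformed packet. Unlike the Patch7 comment just above, it also carries no tag or bug reference, which makes the patches harder to track when upstream merges or rejects them. Suggested wording, using the bug numbers from the changelog entry: `# PATCH-FIX-OPENSUSE: hcidump out-of-bounds copy on malformed packets, bsc#1013721 bsc#1013877 (sent upstream, not merged yet)`.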
@@ -148,6 +151,8 @@
 %patch6 -p1
 %endif
 %patch7 -p1
+%patch101 -p1
+%patch102 -p1
 mkdir dbus-apis
 cp -a doc/*.txt dbus-apis/
 # FIXME: Change the dbus service to be a real service, not systemd launched

++++++ CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch 
++++++
>From 5ca9510314d15d562e9ef5515a5483be5f28258d Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <[email protected]>
Date: Wed, 21 Mar 2018 17:32:45 +0800
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

Do not allow reading more than the buffer size.
---
 tools/parser/hci.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/parser/hci.c b/tools/parser/hci.c
index 8c7bd2581..adfd9ab1d 100644
--- a/tools/parser/hci.c
+++ b/tools/parser/hci.c
@@ -988,8 +988,14 @@ static inline void pin_code_reply_dump(int level, struct 
frame *frm)
        memset(pin, 0, sizeof(pin));
        if (parser.flags & DUMP_NOVENDOR)
                memset(pin, '*', cp->pin_len);
-       else
+       else {
+                 if (cp->pin_len > sizeof(pin)){
+                        perror("Read failed");
+                        exit(1);
+                }
+
                memcpy(pin, cp->pin_code, cp->pin_len);
+       }
        printf("bdaddr %s len %d pin \'%s\'\n", addr, cp->pin_len, pin);
 }
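Review bot: The new length check sits only in the `else` branch, so with DUMP_NOVENDOR set, `memset(pin, '*', cp->pin_len)` still writes an unchecked, packet-supplied length into `pin`. Hoist the check above the `if` and use `>=` so the buffer keeps its terminator for the `%s` print: `if (cp->pin_len >= sizeof(pin)) { printf("invalid pin length %d\n", cp->pin_len); return; }`. This assumes `pin` is declared one byte larger than the longest valid PIN; its declaration and the start of pin_code_reply_dump() are outside the hunk. Separately, `perror()` appends an unrelated errno string here and `exit(1)` ends the whole dump on a single malformed packet, so printing a message and returning would keep the tool running. The same applies to the check added to commands_dump() in tools/parser/csr.c.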
 
-- 
2.16.2

++++++ CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch 
++++++
>From 00f50518f232c758855ac9884a841f707f41a301 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <[email protected]>
Date: Thu, 3 May 2018 18:52:19 +0800
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

The Supported Commands field is a 64-octet bit field.
Do not allow reading more than that size.
---
 tools/parser/csr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/parser/csr.c b/tools/parser/csr.c
index a0a4eb5fe..2d3db878a 100644
--- a/tools/parser/csr.c
+++ b/tools/parser/csr.c
@@ -145,6 +145,11 @@ static inline void commands_dump(int level, char *str, 
struct frame *frm)
        unsigned char commands[64];
        unsigned int i;
 
+       if (frm->len > 64) {
+               perror("Read failed");
+               exit(1);
+       }
+
        memcpy(commands, frm->ptr, frm->len);
 
        p_indent(level, frm);
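Review bot: The guard in commands_dump() bounds only the upper side and hard-codes 64 instead of using `sizeof(commands)`. A frame shorter than 64 bytes passes the check and leaves the tail of `commands` uninitialized, which matters if the rest of the function (outside this hunk) reads all 64 entries. Consider adding `memset(commands, 0, sizeof(commands));` before the copy, or rejecting any frame where `frm->len != sizeof(commands)`. Writing the comparison as `if (frm->len > sizeof(commands))` would keep it tied to the array declaration.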
-- 
2.16.3

