Hello community,

here is the log from the commit of package bluez.11939 for 
openSUSE:Leap:15.1:Update checked in at 2020-02-11 18:12:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.1:Update/bluez.11939 (Old)
 and      /work/SRC/openSUSE:Leap:15.1:Update/.bluez.11939.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bluez.11939"

Tue Feb 11 18:12:31 2020 rev:1 rq:770636 version:5.48

Changes:
--------
New Changes file:

--- /dev/null   2019-12-19 10:12:34.003146842 +0100
+++ /work/SRC/openSUSE:Leap:15.1:Update/.bluez.11939.new.26092/bluez.changes    2020-02-11 18:12:33.279229402 +0100
@@ -0,0 +1,2250 @@
+-------------------------------------------------------------------
+Thu Dec  5 03:08:47 UTC 2019 - Al Cho <a...@suse.com>
+
+- Add tools-Fix-build-after-y2038-changes-in-glibc.patch
+  * The 32-bit SIOCGSTAMP has been deprecated. Use the deprecated
+  name to fix the build. (bsc#1156544)
+
+-------------------------------------------------------------------
+Tue Oct 15 09:09:39 UTC 2019 - Al Cho <a...@suse.com>
+
+- Add
+  hcidump-Fixed-malformed-segment-frame-length.patch
+  * Ensure that the length field of L2CAP SDUs matches the actual
+  frame length. (bsc#1013712)(CVE-2016-9798)
+- Modify bluez.changes:
+  Remove (bsc#1013712)(CVE-2016-9798) tag from patch
+  hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch 
+
+-------------------------------------------------------------------
+Thu Apr 25 08:49:38 UTC 2019 - Al Cho <a...@suse.com>
+
+- Add
+  hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
+  * amp_assoc_dump() didn't check the length of the amp assoc struct.
+  (bsc#1013712)(CVE-2016-9798)(bsc#1013708)(CVE-2016-9797)
+  Add hcidump-Fix-memory-leak-with-malformed-packet.patch
+  * Do not allow reading more than the allocated data buffer size.
+  (bsc#1015171)(CVE-2016-9917)
+- Refresh patches:
+  patches/bluez-cups-libexec.patch
+  patches/bluez-5.45-disable-broken-tests.diff
+- fix bluez.changes:
+  add (bsc#1013893)(CVE-2016-9802) tag for last log.
+
+-------------------------------------------------------------------
+Thu Jan 24 10:18:23 UTC 2019 - Al Cho <a...@suse.com>
+
+- Add: btmon: multiple memory management vulnerabilities fixed
+  Multiple different memory management vulnerabilities were discovered
+  in btmon while fuzzing it with American Fuzzy Lop. The purpose of
+  this fuzzing effort was to find some bugs in btmon, analyse and fix
+  them, but also try to exploit them. Another goal was to prove that
+  fuzzing is a low-effort way to find bugs that could end up being
+  severe ones. The most common weakness appeared to be buffer
+  over-read, which was usually caused by missing boundary checks
+  before accessing an array. Integer underflows were also quite common.
+  The most interesting bug was a simple buffer overflow that was
+  actually discovered already a couple of years ago by op7ic:
+  https://www.spinics.net/lists/linux-bluetooth/msg68898.html
+  but it was still not fixed. This particular vulnerability ended up
+  being quite easily exploitable if certain mitigation techniques were
+  disabled. (bsc#1015173)(CVE-2016-9918)(bsc#1013893)(CVE-2016-9802)
+  0001-btmon-fix-segfault-caused-by-buffer-over-read.patch
+  0002-btmon-fix-segfault-caused-by-buffer-over-read.patch
+  0003-btmon-fix-segfault-caused-by-buffer-over-read.patch
+  0004-btmon-Fix-crash-caused-by-integer-underflow.patch
+  0005-btmon-fix-stack-buffer-overflow.patch
+  0006-btmon-fix-multiple-segfaults.patch
+  0007-btmon-fix-segfault-caused-by-integer-underflow.patch
+  0008-btmon-fix-segfault-caused-by-integer-undeflow.patch
+  0009-btmon-fix-segfault-caused-by-buffer-over-read.patch
+  0010-btmon-fix-segfault-caused-by-buffer-overflow.patch
+  0011-btmon-fix-segfault-caused-by-integer-underflow.patch
+  0012-btmon-fix-segfault-caused-by-buffer-over-read.patch
+
+-------------------------------------------------------------------
+Fri Dec  7 03:11:32 UTC 2018 - Al Cho <a...@suse.com>
+
+- Add hcidump-fixed-hci-frame-dump-stack-buffer-overflow.patch
+  to replace
+  CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+  (PATCH-FIX-UPSTREAM)(bsc#1013721)(CVE-2016-9800)
+  Add hcidump-Fix-set_ext_ctrl-global-buffer-overflow.patch
+  to fix global buffer overflow (PATCH-FIX-UPSTREAM)
+  (bsc#1013732)(CVE-2016-9801)
+- Fix %ifarch range. 
+
+-------------------------------------------------------------------
+Fri Jul 13 09:16:23 UTC 2018 - seife+...@b1-systems.com
+
+- add 0001-core-Fixes-order-InterfaceAdded.patch (boo#1101119)
+  to fix headset connect after suspend/resume
+
+-------------------------------------------------------------------
+Thu Jun 28 10:27:23 UTC 2018 - a...@suse.com
+
+- Add lost patches for RPi3 bluetooth support (bsc#995059)(bsc#1094902)
+  0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch
+  0002-rpi3-Move-the-43xx-firmware-into-lib-firmware.patch
+
+-------------------------------------------------------------------
+Fri May  4 04:20:36 UTC 2018 - a...@suse.com
+
+- Add
+  CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+  * Fix hcidump memory leak in pin_code_reply_dump().
+  (bsc#1013721)(CVE-2016-9800)
+  CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+  * Fix hcidump buffer overflow in commands_dump().
+  (bsc#1013877)(CVE-2016-9804) 
+
+-------------------------------------------------------------------
+Tue Jan 30 16:05:52 UTC 2018 - norm...@linux.vnet.ibm.com
+
+- Add disable_some_obex_tests.patch to bypass boo#1078285 for PowerPC
+
+-------------------------------------------------------------------
+Fri Dec 29 17:21:34 UTC 2017 - seife+...@b1-systems.com
+
+- update to version 5.48:
+  This release brings many fixes and feature enhancements.
+  Some notable enhancements include support for devices with the
+  BLE battery service, as well as improved Mesh support in the
+  meshctl tool. Several previously experimental D-Bus APIs have now
+  been marked as stable, notably the Advertising Manager API as
+  well as the AcquireWrite & AcquireNotify GATT APIs.
+  As far as fixes go, these can be found in many areas of the stack,
+  including A2DP, AVCTP, device discovery, Mesh, and GATT.
+
+-------------------------------------------------------------------
+Tue Dec 12 08:23:07 UTC 2017 - seife+...@b1-systems.com
+
+- add 0001-obexd-use-AM_LDFLAGS-for-linking.patch
+- document systemd dependency during %post
+
+-------------------------------------------------------------------
+Sun Sep 17 22:34:07 UTC 2017 - seife+...@b1-systems.com
+
+- update to version 5.47:
+  This release contains various fixes to GATT, A2DP and BR/EDR vs
+  LE bearer handling. There’s also a notable SDP fix for
+  CVE-2017-1000250 (part of the recently announced BlueBorne
+  vulnerabilities).
+  Feature-wise, there’s now support for adding the appearance and
+  local name to advertising data through the Advertising D-Bus
+  interface. The btmon tool is now also able to better decode most
+  Bluetooth 5.0 HCI commands and events.
+  The Bluetooth Mesh Profile specification was released recently,
+  and this BlueZ release comes with initial support for it in the
+  form of a new meshctl tool. Using this tool it’s possible to
+  provision mesh devices through the GATT Provisioning Bearer
+  (PB-GATT), as well as communicate with them (e.g. configure them)
+  using the GATT Proxy protocol.
+
+-------------------------------------------------------------------
+Sat Jul 15 07:14:55 UTC 2017 - seife+...@b1-systems.com
+
+- update to version 5.46:
+  * Fix issue with handling ATT over BR/EDR connections.
+  * Fix issue with SDP browsing cleanup after connection.
+  * Fix issue with pointer dereference and OPP Put request.
+  * Fix issue with identity address updates during pairing.
+  * Fix issue with not removing services that had disappeared.
+  * Add support for improved discovery of included services.
+  * Add support for simplified characteristics discovery.
+  * Add support for GATT caching configuration option.
+  * Add experimental support for AcquireWrite and AcquireNotify.
+
+-------------------------------------------------------------------
+Fri Jul  7 19:17:20 UTC 2017 - seife+...@b1-systems.com
+
+- enable sixaxis plugin
+
+-------------------------------------------------------------------
+Sun Jun 25 11:53:02 UTC 2017 - msucha...@suse.com
+
+- Add %post/%postun to bluez-auto-enable-devices so the settings
+  change takes effect (boo#1039476)
+
+-------------------------------------------------------------------
+Thu Jun  8 06:54:26 UTC 2017 - seife+...@b1-systems.com
+
+- add bluez-auto-enable-devices subpackage with main.conf which
+  auto-enables all devices (boo#1039476)
+
+-------------------------------------------------------------------
+Fri May 26 13:16:07 UTC 2017 - seife+...@b1-systems.com
+
+- add bluez-5.45-disable-broken-tests.diff to disable two broken
+  tests (reported upstream but not yet fixed)
+
+-------------------------------------------------------------------
+Sat May  6 18:59:55 UTC 2017 - seife+...@b1-systems.com
+
+- update to version 5.45:
+  This is mostly a bugfix release with fixes in ATT, GATT, OBEX
+  and AVDTP.
+  Feature-wise there are some new things as well, such as btmon
+  support decoding Bluetooth 5.0 HCI commands and events.
+
+-------------------------------------------------------------------
+Fri Mar  3 09:16:29 UTC 2017 - seife+...@b1-systems.com
+
+- make testsuite run non-parallel (it has problems with running
+  parallel checks) and quiet
+
+-------------------------------------------------------------------
+Wed Mar  1 21:22:42 UTC 2017 - seife+...@b1-systems.com
++++ 2053 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.1:Update/.bluez.11939.new.26092/bluez.changes

New:
----
  0001-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0001-core-Fixes-order-InterfaceAdded.patch
  0001-obexd-use-AM_LDFLAGS-for-linking.patch
  0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch
  0002-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0002-rpi3-Move-the-43xx-firmware-into-lib-firmware.patch
  0003-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0004-btmon-Fix-crash-caused-by-integer-underflow.patch
  0005-btmon-fix-stack-buffer-overflow.patch
  0006-btmon-fix-multiple-segfaults.patch
  0007-btmon-fix-segfault-caused-by-integer-underflow.patch
  0008-btmon-fix-segfault-caused-by-integer-undeflow.patch
  0009-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0010-btmon-fix-segfault-caused-by-buffer-overflow.patch
  0011-btmon-fix-segfault-caused-by-integer-underflow.patch
  0012-btmon-fix-segfault-caused-by-buffer-over-read.patch
  CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
  baselibs.conf
  bluetooth.modprobe
  bluez-5.11-logitech-hid2hci.patch
  bluez-5.45-disable-broken-tests.diff
  bluez-5.48.tar.xz
  bluez-cups-libexec.patch
  bluez-sdp-unix-path.patch
  bluez.changes
  bluez.spec
  disable_some_obex_tests.patch
  hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
  hcidump-Fix-memory-leak-with-malformed-packet.patch
  hcidump-Fix-set_ext_ctrl-global-buffer-overflow.patch
  hcidump-Fixed-malformed-segment-frame-length.patch
  hcidump-fixed-hci-frame-dump-stack-buffer-overflow.patch
  tools-Fix-build-after-y2038-changes-in-glibc.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bluez.spec ++++++
#
# spec file for package bluez
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2010-2017 B1 Systems GmbH, Vohburg, Germany
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           bluez
Version:        5.48
Release:        0
Summary:        Bluetooth Stack for Linux
License:        GPL-2.0+
Group:          Hardware/Mobile
Url:            http://www.bluez.org
Source:         http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
Source5:        baselibs.conf
Source7:        bluetooth.modprobe
# fix some logitech HID devices, bnc#681049, bnc#850478 -- seife+...@b1-systems.com
Patch1:         bluez-5.11-logitech-hid2hci.patch
Patch2:         bluez-sdp-unix-path.patch
# PATCH-FIX-UPSTREAM: find the cups dir in libexec not in libdir
Patch3:         bluez-cups-libexec.patch
# workaround for broken tests (reported upstream but not yet fixed)
Patch4:         bluez-5.45-disable-broken-tests.diff
# PATCH-FIX-UPSTREAM: obexd not compiled with -fpie -- seife+...@b1-systems.com
Patch5:         0001-obexd-use-AM_LDFLAGS-for-linking.patch
# disable tests for bypass boo#1078285
Patch6:         disable_some_obex_tests.patch
# PATCH-FIX-UPSTREAM: bsc#1013721 CVE-2016-9800
Patch101:       hcidump-fixed-hci-frame-dump-stack-buffer-overflow.patch
# PATCH-FIX-UPSTREAM: bsc#1013877 CVE-2016-9804
Patch102:       CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
# PATCH-FIX-UPSTREAM: bsc#1013732 CVE-2016-9801
Patch103:       hcidump-Fix-set_ext_ctrl-global-buffer-overflow.patch
# bsc#1013708 CVE-2016-9797
Patch104:       hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
# bsc#1015171 CVE-2016-9917
Patch105:       hcidump-Fix-memory-leak-with-malformed-packet.patch
# bsc#1013712 CVE-2016-9798
Patch106:       hcidump-Fixed-malformed-segment-frame-length.patch
# PATCH-FIX-UPSTREAM: btmon: multiple memory management vulnerabilities fixed
# bsc#1015173 CVE-2016-9918 bsc#1013893 CVE-2016-9802
Patch111:       0001-btmon-fix-segfault-caused-by-buffer-over-read.patch
Patch112:       0002-btmon-fix-segfault-caused-by-buffer-over-read.patch
Patch113:       0003-btmon-fix-segfault-caused-by-buffer-over-read.patch
Patch114:       0004-btmon-Fix-crash-caused-by-integer-underflow.patch
Patch115:       0005-btmon-fix-stack-buffer-overflow.patch
Patch116:       0006-btmon-fix-multiple-segfaults.patch
Patch117:       0007-btmon-fix-segfault-caused-by-integer-underflow.patch
Patch118:       0008-btmon-fix-segfault-caused-by-integer-undeflow.patch
Patch119:       0009-btmon-fix-segfault-caused-by-buffer-over-read.patch
Patch120:       0010-btmon-fix-segfault-caused-by-buffer-overflow.patch
Patch121:       0011-btmon-fix-segfault-caused-by-integer-underflow.patch
Patch122:       0012-btmon-fix-segfault-caused-by-buffer-over-read.patch
# PATCH-FIX-UPSTREAM: bsc#1156544
Patch123:       tools-Fix-build-after-y2038-changes-in-glibc.patch
# PATCH-FIX-UPSTREAM: boo#1101119 -- seife+...@b1-system.com
Patch200:       0001-core-Fixes-order-InterfaceAdded.patch
# RPi3 bluetooth support bsc#995059 bsc#1094902
Patch201:       0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch
Patch202:       0002-rpi3-Move-the-43xx-firmware-into-lib-firmware.patch
BuildRequires:  automake
BuildRequires:  flex
BuildRequires:  libtool
BuildRequires:  pkgconfig
BuildRequires:  readline-devel
BuildRequires:  systemd-rpm-macros
BuildRequires:  pkgconfig(alsa)
BuildRequires:  pkgconfig(check)
BuildRequires:  pkgconfig(dbus-1) >= 1.6
BuildRequires:  pkgconfig(glib-2.0) >= 2.28
# json-c is needed for --enable-mesh
BuildRequires:  pkgconfig(json-c)
BuildRequires:  pkgconfig(libcap-ng)
BuildRequires:  pkgconfig(libical)
BuildRequires:  pkgconfig(libudev)
BuildRequires:  pkgconfig(sndfile)
BuildRequires:  pkgconfig(udev)
Requires(post): systemd
Recommends:     sbc
Provides:       bluez-utils = 3.36
Obsoletes:      bluez-utils <= 3.36
Provides:       bluez-audio = 3.36
Obsoletes:      bluez-audio <= 3.36
Obsoletes:      bluez-hcidump < 5.0
Provides:       bluez-hcidump = %{version}
Obsoletes:      obexd-client < 5.0
Provides:       obexd-client = %{version}
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%{?systemd_requires}

%description
BlueZ provides support for the core Bluetooth layers and protocols.

%package devel
Summary:        Files needed for BlueZ development
License:        GPL-2.0+
Group:          Development/Languages/C and C++
Requires:       libbluetooth3 = %{version}

%description devel
Files needed to develop applications for the BlueZ Bluetooth protocol
stack.

%package -n libbluetooth3
Summary:        Bluetooth Libraries
License:        GPL-2.0+
Group:          System/Libraries
Provides:       bluez-libs = 3.36
Obsoletes:      bluez-libs <= 3.36

%description -n libbluetooth3
BlueZ provides support for the core Bluetooth layers and protocols.
It uses a modular implementation. It has many interesting features:

* Multithreaded data processing
* Support for multiple Bluetooth devices
* Real hardware abstraction
* Standard socket interface to all layers
* Device and service level security support

%package cups
Summary:        CUPS Driver for Bluetooth Printers
License:        GPL-2.0+
Group:          Hardware/Printing

%description cups
Contains the files required by CUPS for printing to Bluetooth-connected
printers.

%package test
Summary:        Tools for testing of various Bluetooth-functions
License:        GPL-2.0+ and MIT
Group:          Development/Tools/Debuggers
Requires:       dbus-1-python
Requires:       python-gobject2

%description test
Contains a few tools for testing various bluetooth functions. The
BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.

%package auto-enable-devices
Summary:        Configuration that automatically enables all bluetooth devices
License:        GPL-2.0+
Group:          Hardware/Mobile
BuildArch:      noarch

%description auto-enable-devices
Contains configuration that automatically enables all bluetooth devices
that are connected to the system if no other tool is handling them (e.g.
desktop specific applets like blueman or GNOME or KDE applets).

%post auto-enable-devices
{  systemctl status -n0 bluetooth.service > /dev/null && systemctl restart bluetooth.service ; } ||:

%postun auto-enable-devices
{  systemctl status -n0 bluetooth.service > /dev/null && systemctl restart bluetooth.service ; } ||:

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%ifarch ppc ppc64 ppc64le
%patch6 -p1
%endif
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1
%patch115 -p1
%patch116 -p1
%patch117 -p1
%patch118 -p1
%patch119 -p1
%patch120 -p1
%patch121 -p1
%patch122 -p1
%patch123 -p1
%patch200 -p1
%ifarch aarch64
%patch201 -p1
%patch202 -p1
%endif
mkdir dbus-apis
cp -a doc/*.txt dbus-apis/
# FIXME: Change the dbus service to be a real service, not systemd launched
sed -i "s:Exec=/bin/false:Exec=%{_libexecdir}/bluetooth/obexd:g" obexd/src/org.bluez.obex.service
sed -i "/SystemdService=.*/d" obexd/src/org.bluez.obex.service
# END FIXME

# for auto-enable subpackage
echo AutoEnable=true >> src/main.conf

%build
# because of patch4...
autoreconf -fi
# --enable-experimental is needed or btattach does not build (bug?)
%configure \
        --disable-silent-rules  \
        --enable-pie            \
        --enable-library        \
        --enable-tools          \
        --enable-cups           \
        --enable-mesh           \
        --enable-midi           \
        --enable-test           \
        --enable-experimental   \
        --enable-deprecated     \
        --enable-datafiles      \
        --enable-sixaxis        \
        --with-systemdsystemunitdir=%{_unitdir}         \
        --with-systemduserunitdir=%{_userunitdir}

make %{?_smp_mflags} all

%install
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
install --mode=0644 -D %{SOURCE7} %{buildroot}/%{_sysconfdir}/modprobe.d/50-bluetooth.conf
# no idea why this is suddenly necessary...
install --mode 0755 -d %{buildroot}%{_localstatedir}/lib/bluetooth

# FIXME: Do not delete the systemd service once we support systemd user/session services
rm %{buildroot}%{_userunitdir}/obex.service
# end FIXME

## same as in fedora...
# "make install" fails to install gatttool, used with Bluetooth Low Energy
install -m0755 attrib/gatttool %{buildroot}%{_bindir}

# for auto-enable subpackage
find . -name main.conf
install --mode 0644 -D src/main.conf %{buildroot}/%{_sysconfdir}/bluetooth/main.conf

# rpmlint warnings...
cd %{buildroot}%{_libdir}/bluez/test
chmod 0644 *.py *.xml *.dtd

%check
%if ! 0%{?qemu_user_space_build}
##make %%{?_smp_mflags} check
# deliberately not running parallel, as the test suite has spurious failures otherwise
make check V=0
%endif

%pre
%service_add_pre bluetooth.service

%post
%{?udev_rules_update:%udev_rules_update}
# todo: check if this is still obeyed / needed with systemd
%{fillup_only -n bluetooth}
# We need the bluez systemd service enabled at any time. It won't start up
# on its own, as it is triggered by udev in the end (bnc#796671)
/bin/systemctl enable bluetooth.service 2>&1 || :
/bin/systemctl daemon-reload >/dev/null 2>&1 || :

%preun
%service_del_preun bluetooth.service

%postun
%service_del_postun bluetooth.service

%post -n libbluetooth3 -p /sbin/ldconfig
%postun -n libbluetooth3 -p /sbin/ldconfig

%files
%defattr(-, root, root)
%doc AUTHORS COPYING ChangeLog README dbus-apis
%{_bindir}/bluemoon
%{_bindir}/btattach
%{_bindir}/gatttool
%{_bindir}/hcitool
%{_bindir}/l2ping
%{_bindir}/rfcomm
%{_bindir}/sdptool
%{_bindir}/ciptool
%{_bindir}/hciattach
%{_bindir}/hciconfig
%{_bindir}/hex2hcd
%{_bindir}/mpris-proxy
%dir %{_libdir}/bluetooth
%dir %{_libdir}/bluetooth/plugins
%{_libdir}/bluetooth/plugins/sixaxis.so
%dir %{_libexecdir}/bluetooth
%{_libexecdir}/bluetooth/bluetoothd
%{_libexecdir}/bluetooth/obexd
%{_bindir}/bluetoothctl
%{_bindir}/btmon
%{_bindir}/meshctl
%{_bindir}/hcidump
%{_bindir}/bccmd
%{_libexecdir}/udev/
%{_mandir}/man1/btattach.1%{ext_man}
%{_mandir}/man1/hcidump.1%{ext_man}
%{_mandir}/man1/hciattach.1%{ext_man}
%{_mandir}/man1/hciconfig.1%{ext_man}
%{_mandir}/man8/bluetoothd.8%{ext_man}
%{_mandir}/man1/hid2hci.1%{ext_man}
%{_mandir}/man1/bccmd.1%{ext_man}
%{_mandir}/man1/l2ping.1%{ext_man}
%{_mandir}/man1/hcitool.1%{ext_man}
%{_mandir}/man1/sdptool.1%{ext_man}
%{_mandir}/man1/ciptool.1%{ext_man}
%{_mandir}/man1/rfcomm.1%{ext_man}
%{_mandir}/man1/rctest.1%{ext_man}
%config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf
%dir %{_localstatedir}/lib/bluetooth
%dir %{_sysconfdir}/modprobe.d
%config(noreplace) %{_sysconfdir}/modprobe.d/50-bluetooth.conf
%{_unitdir}/bluetooth.service
%{_datadir}/dbus-1/system-services/org.bluez.service
%{_datadir}/dbus-1/services/org.bluez.obex.service

%files devel
%defattr(-, root, root)
%{_includedir}/bluetooth
%{_libdir}/libbluetooth.so
%{_libdir}/pkgconfig/bluez.pc

%files -n libbluetooth3
%defattr(-, root, root)
%{_libdir}/libbluetooth.so.*
%doc AUTHORS COPYING ChangeLog README

%files cups
%defattr(-,root,root)
%dir %{_libexecdir}/cups
%dir %{_libexecdir}/cups/backend
%{_libexecdir}/cups/backend/bluetooth

%files test
%defattr(-,root,root)
#{_bindir}/hciemu
%{_bindir}/l2test
%{_bindir}/rctest
%dir %{_libdir}/bluez
%{_libdir}/bluez/test

%files auto-enable-devices
%defattr(-,root,root)
%dir %{_sysconfdir}/bluetooth
%config(noreplace) %{_sysconfdir}/bluetooth/main.conf

%changelog
++++++ 0001-btmon-fix-segfault-caused-by-buffer-over-read.patch ++++++
From ab14539c27b6e369e868c9b2227fd92d35511540 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:19:38 +0300
Subject: [PATCH 01/13] btmon: fix segfault caused by buffer over-read

Fix segfault caused by buffer over-read. Check that index is not
bigger than MAX_INDEX.

This bug was found by fuzzing with AFL.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000420bb8 in print_packet (tv=<optimized out>, cred=<optimized out>, ident=<optimized out>, index=<optimized out>, channel=<optimized out>, color=<optimized out>,
    label=<optimized out>, text=<optimized out>, extra=<optimized out>) at monitor/packet.c:317
warning: Source file is more recent than executable.
317                                     index_list[index].frame != last_frame) {
(gdb) bt
 #0  0x0000000000420bb8 in print_packet (tv=<optimized out>, cred=<optimized out>, ident=<optimized out>, index=<optimized out>, channel=<optimized out>, color=<optimized out>,
    label=<optimized out>, text=<optimized out>, extra=<optimized out>) at monitor/packet.c:317
 #1  0x000000000041a8c3 in packet_new_index (tv=<optimized out>, index=<optimized out>, name=0x7fffffffda68 "rsion 4.18.0-matias-patch2 (x86_64)", label=<optimized out>,
    type=<optimized out>, bus=<optimized out>) at monitor/packet.c:9818
 #2  packet_monitor (tv=0x7fffffffda50, cred=<optimized out>, index=<optimized out>, opcode=<optimized out>, data=0x7fffffffda60, size=<optimized out>) at monitor/packet.c:3881
 #3  0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at monitor/control.c:1462
 #4  0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at monitor/main.c:243
---
 monitor/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -298,7 +298,7 @@ static void print_packet(struct timeval
                        ts_pos += n;
                        ts_len += n;
                }
-       } else if (index != HCI_DEV_NONE &&
+       } else if (index != HCI_DEV_NONE && index < MAX_INDEX &&
                                index_list[index].frame != last_frame) {
                if (use_color()) {
                        n = sprintf(ts_str + ts_pos, "%s", COLOR_FRAME_LABEL);
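Review bot: the new `index < MAX_INDEX` guard only covers this one `index_list[index]` dereference in print_packet(), while the backtrace shows the out-of-range index arriving through packet_new_index() from packet_monitor(); unless packet_new_index() and the other index_list users are bounded the same way, the same malformed index will fault one frame later. Consider rejecting the index once in packet_monitor() (or packet_new_index()) and reporting it as a malformed packet, rather than silently dropping the frame label here. The `<` comparison is right only if index_list has exactly MAX_INDEX entries; worth confirming against the array definition.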
++++++ 0001-core-Fixes-order-InterfaceAdded.patch ++++++
From 1873096352f518d3247f8efb3c2e0aa8804e50ac Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
Date: Wed, 7 Feb 2018 09:35:07 -0200
Subject: [PATCH] core: Fixes order InterfaceAdded

Registering on the callback of MGMT_OP_READ_ADV_FEATURES causes
InterfacesAdded to be reschedule after the device objects which causes
tools such as PulseAudio to consider it invalid.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1534857
---
 src/advertising.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/advertising.c b/src/advertising.c
index 94a8c4050..970c3d87b 100644
--- a/src/advertising.c
+++ b/src/advertising.c
@@ -1032,14 +1032,6 @@ static void read_adv_features_callback(uint8_t status, 
uint16_t length,
        if (manager->max_ads == 0)
                return;
 
-       if (!g_dbus_register_interface(btd_get_dbus_connection(),
-                                       adapter_get_path(manager->adapter),
-                                       LE_ADVERTISING_MGR_IFACE, methods,
-                                       NULL, properties, manager, NULL)) {
-               error("Failed to register " LE_ADVERTISING_MGR_IFACE);
-               return;
-       }
-
        /* Reset existing instances */
        if (feat->num_instances)
                remove_advertising(manager, 0);
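Review bot: with the registration removed from read_adv_features_callback(), the `if (manager->max_ads == 0) return;` a few lines above now leaves an already-registered LE_ADVERTISING_MGR_IFACE exposed on adapters that report no advertising instances, where previously no interface appeared at all. If that is intended (so the InterfacesAdded ordering is stable), say so in the commit message; otherwise this early return should unregister the interface, or the registration should be gated on the feature read succeeding.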
@@ -1061,19 +1053,29 @@ static struct btd_adv_manager *manager_create(struct 
btd_adapter *adapter)
        }
 
        manager->mgmt_index = btd_adapter_get_index(adapter);
+       manager->clients = queue_new();
+       manager->supported_flags = MGMT_ADV_FLAG_LOCAL_NAME;
+
+       if (!g_dbus_register_interface(btd_get_dbus_connection(),
+                                       adapter_get_path(manager->adapter),
+                                       LE_ADVERTISING_MGR_IFACE, methods,
+                                       NULL, properties, manager, NULL)) {
+               error("Failed to register " LE_ADVERTISING_MGR_IFACE);
+               goto fail;
+       }
 
        if (!mgmt_send(manager->mgmt, MGMT_OP_READ_ADV_FEATURES,
                                manager->mgmt_index, 0, NULL,
                                read_adv_features_callback, manager, NULL)) {
                error("Failed to read advertising features");
-               manager_destroy(manager);
-               return NULL;
+               goto fail;
        }
 
-       manager->clients = queue_new();
-       manager->supported_flags = MGMT_ADV_FLAG_LOCAL_NAME;
-
        return manager;
+
+fail:
+       manager_destroy(manager);
+       return NULL;
 }
 
 struct btd_adv_manager *btd_adv_manager_new(struct btd_adapter *adapter)
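Review bot: the new `fail:` path calls manager_destroy() after g_dbus_register_interface() has already succeeded (when mgmt_send() fails) and after `manager->clients = queue_new()`, which before this change was only allocated once mgmt_send() succeeded. manager_destroy() is not in the hunk, so confirm it both unregisters LE_ADVERTISING_MGR_IFACE and frees `clients`; otherwise a failed MGMT_OP_READ_ADV_FEATURES leaves D-Bus holding a dangling `manager` pointer. Note also that `supported_flags` is now set to its default before the feature read completes, so a client calling into the interface early sees that default.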
-- 
2.16.1

++++++ 0001-obexd-use-AM_LDFLAGS-for-linking.patch ++++++
From b912306ae756eaf75caa1ab7e04e3112fac4a01c Mon Sep 17 00:00:00 2001
From: Stefan Seyfried <seife+...@b1-systems.com>
Date: Mon, 11 Dec 2017 22:52:28 +0100
Subject: [PATCH] obexd: use AM_LDFLAGS for linking

without this, --enable-pie does not work for obexd
---
 Makefile.obexd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.obexd b/Makefile.obexd
index 2e33cbc72..86c395305 100644
--- a/Makefile.obexd
+++ b/Makefile.obexd
@@ -83,7 +83,7 @@ obexd_src_obexd_LDADD = lib/libbluetooth-internal.la \
                        gdbus/libgdbus-internal.la \
                        @ICAL_LIBS@ @DBUS_LIBS@ @GLIB_LIBS@ -ldl
 
-obexd_src_obexd_LDFLAGS = -Wl,--export-dynamic
+obexd_src_obexd_LDFLAGS = $(AM_LDFLAGS) -Wl,--export-dynamic
 
 obexd_src_obexd_CFLAGS = $(AM_CFLAGS) @GLIB_CFLAGS@ @DBUS_CFLAGS@ \
                                @ICAL_CFLAGS@ -DOBEX_PLUGIN_BUILTIN \
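Review bot: prepending $(AM_LDFLAGS) here fixes obexd only; any other per-target `_LDFLAGS =` assignment in the tree that omits $(AM_LDFLAGS) drops the --enable-pie flags the same way, so grep the Makefiles for such assignments and apply the same change. Also worth adding a check in the package build that the installed obexd is actually PIE (for example `readelf -h` reporting type DYN), since that is the property this one-line patch exists to restore and nothing else will notice if it regresses.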
-- 
2.15.1

++++++ 0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch ++++++
From 4de2871675d3b039b5797e77cc1d6ce4070e86b2 Mon Sep 17 00:00:00 2001
From: Phil Elwell <p...@raspberrypi.org>
Date: Tue, 16 Feb 2016 16:39:09 +0000
Subject: [PATCH] bcm43xx: The UART speed must be reset after the firmware
 download

---
 tools/hciattach_bcm43xx.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/tools/hciattach_bcm43xx.c b/tools/hciattach_bcm43xx.c
index 3d36c20..f3231ec 100644
--- a/tools/hciattach_bcm43xx.c
+++ b/tools/hciattach_bcm43xx.c
@@ -366,11 +366,8 @@ int bcm43xx_init(int fd, int def_speed, int speed, struct 
termios *ti,
                return -1;
 
        if (bcm43xx_locate_patch(FIRMWARE_DIR, chip_name, fw_path)) {
-               fprintf(stderr, "Patch not found, continue anyway\n");
+               fprintf(stderr, "Patch not found for %s, continue anyway\n", 
chip_name);
        } else {
-               if (bcm43xx_set_speed(fd, ti, speed))
-                       return -1;
-
                if (bcm43xx_load_firmware(fd, fw_path))
                        return -1;
 
@@ -380,6 +377,7 @@ int bcm43xx_init(int fd, int def_speed, int speed, struct 
termios *ti,
                        return -1;
                }
 
+               sleep(1);
                if (bcm43xx_reset(fd))
                        return -1;
        }
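Review bot: the bare `sleep(1)` before bcm43xx_reset() has no comment, and the commit message does not say what it waits for; add a one-line comment stating what the controller is doing after the firmware load and why one second is enough, and if the controller signals readiness in any way (an event or a readable response), prefer waiting on that over a fixed delay.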
-- 
2.9.3

++++++ 0002-btmon-fix-segfault-caused-by-buffer-over-read.patch ++++++
From c3d4ca78385dccd5daf49444605a5a8363a6e84b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:20:08 +0300
Subject: [PATCH 02/13] btmon: fix segfault caused by buffer over-read

Fix segmentation fault caused by buffer over-read in packet_ctrl_open().

Fix is to check that ident_len is not bigger than size.

This bug was found by fuzzing btmon with AFL.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", len=<optimized out>) at monitor/packet.c:3813
3813                    str[((i % 16) * 3) + 1] = hexdigits[buf[i] & 0xf];
(gdb) bt
 #0  0x0000000000419e88 in packet_hexdump (buf=0x7fffffffda7e "22", 
len=<optimized out>) at monitor/packet.c:3813
 #1  0x000000000041eda4 in packet_ctrl_open (tv=<optimized out>, 
cred=<optimized out>, index=<optimized out>, data=0x7fffffffda7e, 
size=<optimized out>) at monitor/packet.c:10286
 #2  0x000000000041b193 in packet_monitor (tv=0x7fffffffda50, cred=<optimized 
out>, index=65535, opcode=<optimized out>, data=0x7fffffffda60, size=14) at 
monitor/packet.c:3957
 #3  0x000000000040e177 in control_reader (path=<optimized out>, pager=true) at 
monitor/control.c:1462
 #4  0x0000000000403b00 in main (argc=<optimized out>, argv=<optimized out>) at 
monitor/main.c:243
(gdb)
---
 monitor/packet.c | 6 ++++++
 1 file changed, 6 insertions(+)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10354,6 +10354,12 @@ void packet_ctrl_open(struct timeval *tv
                flags = get_le32(data + 3);
                ident_len = get_u8(data + 7);
 
+               if (ident_len > size) {
+                       print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
+                                "Malformed Control Open packet", NULL, NULL);
+                       return;
+               }
+
                data += 8;
                size -= 8;
 
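Review bot: `if (ident_len > size)` does not account for the 8 header bytes consumed by `data += 8; size -= 8;` two lines below, so a packet with `ident_len == size` still passes and the identifier read that follows over-reads by up to 8 bytes; the bound should be `8 + ident_len > size` (patch 0004 in this series makes exactly that correction). The check also relies on `size >= 8` having been verified before `get_le32(data + 3)` and `get_u8(data + 7)` are read, which is not visible here.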
++++++ 0002-rpi3-Move-the-43xx-firmware-into-lib-firmware.patch ++++++
>From 72a2a6a6fd0e623c4048d105b34d221bde87eb74 Mon Sep 17 00:00:00 2001
From: Phil Elwell <p...@raspberrypi.org>
Date: Tue, 23 Feb 2016 17:52:29 +0000
Subject: [PATCH] Move the 43xx firmware into /lib/firmware

---
 tools/hciattach_bcm43xx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/hciattach_bcm43xx.c b/tools/hciattach_bcm43xx.c
index f3231ec..21450ac 100644
--- a/tools/hciattach_bcm43xx.c
+++ b/tools/hciattach_bcm43xx.c
@@ -43,7 +43,7 @@
 #include "hciattach.h"
 
 #ifndef FIRMWARE_DIR
-#define FIRMWARE_DIR "/etc/firmware"
+#define FIRMWARE_DIR "/lib/firmware"
 #endif
 
 #define FW_EXT ".hcd"
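Review bot: the default for `FIRMWARE_DIR` moves from `/etc/firmware` to `/lib/firmware` with no rationale in the commit message; state that `/lib/firmware` is the kernel's standard firmware location and make sure the package installs the `.hcd` files there, otherwise `bcm43xx_locate_patch()` fails and the attach proceeds with unpatched controller firmware ("Patch not found ... continue anyway" in the preceding patch).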
-- 
2.9.3

++++++ 0003-btmon-fix-segfault-caused-by-buffer-over-read.patch ++++++
>From 5ceef2cbde0b4407e61dc2370780bda895c8019c Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:20:40 +0300
Subject: [PATCH 03/13] btmon: fix segfault caused by buffer over-read

Fix segfault caused by buffer over-read in packet_hci_scodata function
of monitor/packet.c.

Fix is to check that index is not bigger than MAX_INDEX.

This bug was found by fuzzing with AFL.
---
 monitor/packet.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10283,6 +10283,11 @@ void packet_hci_scodata(struct timeval *
        uint8_t flags = acl_flags(handle);
        char handle_str[16], extra_str[32];
 
+       if (index > MAX_INDEX) {
+               print_field("Invalid index (%d).", index);
+               return;
+       }
+
        index_list[index].frame++;
 
        if (size < HCI_SCO_HDR_SIZE) {
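Review bot: `if (index > MAX_INDEX)` is off by one unless `index_list` is declared with `MAX_INDEX + 1` entries; the declaration is not in the hunk, so either confirm the array size or use `index >= MAX_INDEX`, because an index equal to the array length would still write `index_list[index].frame++` past the end. The same guard is repeated verbatim in several functions of this series; a small static helper would keep the bound and the error text in one place.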
++++++ 0004-btmon-Fix-crash-caused-by-integer-underflow.patch ++++++
>From f01e006a26e42581c092efc10b68c2f51f3bb6f3 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:21:17 +0300
Subject: [PATCH 04/13] btmon: Fix crash caused by integer underflow

Check in packet_ctrl_open that parsed length is not more than buffer size.

Bug was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10359,7 +10359,7 @@ void packet_ctrl_open(struct timeval *tv
                flags = get_le32(data + 3);
                ident_len = get_u8(data + 7);
 
-               if (ident_len > size) {
+               if ((8 + ident_len) > size) {
                        print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
                                 "Malformed Control Open packet", NULL, NULL);
                        return;
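Review bot: the corrected bound `(8 + ident_len) > size` is right for the identifier, but `flags = get_le32(data + 3)` and `ident_len = get_u8(data + 7)` are read before it; unless the caller guarantees `size >= 8` for this opcode, add `if (size < 8)` ahead of those reads so the header itself cannot be over-read.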
++++++ 0005-btmon-fix-stack-buffer-overflow.patch ++++++
>From 0f4b19f7f94df696983d0ce3bb0515e960474cba Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:21:50 +0300
Subject: [PATCH 05/13] btmon: fix stack buffer overflow

An arbitrary code execution vulnerability was discovered in btmon.
The pklg_read_hci function read an attacker-controllable amount of data
from the file, which caused a stack buffer overflow.

Fixes old and previously unfixed CVE-2016-9799.

Initially this was reported by op7ic:
https://www.spinics.net/lists/linux-bluetooth/msg68898.html

Later this was re-discovered by fuzzing btmon with AFL.

Proof-of-concept exploit that shuts down the machine:
$ python -c 'print "\x00\x00\x0c\x10"+ "\x90"*609 
+"\x48\x31\xc0\x48\x31\xd2\x50\x6a\x77\x66\x68\x6e\x6f\x48\x89\xe3\x50\x66\x68\x2d\x68\x48\x89\xe1\x50\x49\xb8\x2f\x73\x62\x69\x6e\x2f\x2f\x2f\x49\xba\x73\x68\x75\x74\x64\x6f\x77\x6e\x41\x52\x41\x50\x48\x89\xe7\x52\x53\x51\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"+
 "\x90"*847 +"\xb0\xda\xff\xff\xff\x7f\x00\x00"' > exploit
$ ./btmon -r exploit

The proof of concept requires that ASLR is disabled and the following CFLAGS are
set: -fno-stack-protector -zexecstack
---
 src/shared/btsnoop.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: bluez-5.48/src/shared/btsnoop.c
===================================================================
--- bluez-5.48.orig/src/shared/btsnoop.c
+++ bluez-5.48/src/shared/btsnoop.c
@@ -339,6 +339,11 @@ static bool pklg_read_hci(struct btsnoop
                tv->tv_usec = ts & 0xffffffff;
        }
 
+       if (toread > BTSNOOP_MAX_PACKET_SIZE) {
+                btsnoop->aborted = true;
+                return false;
+        }
+
        switch (pkt.type) {
        case 0x00:
                *index = 0x0000;
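Review bot: the bound `toread > BTSNOOP_MAX_PACKET_SIZE` is a compile-time constant rather than the size of the caller's output buffer, and `pklg_read_hci()` (see the hunk header) receives no buffer length; document that callers must pass a buffer of at least BTSNOOP_MAX_PACKET_SIZE bytes, or add a length parameter so the check cannot drift from the buffer. The inserted body lines are also indented with spaces where the surrounding code uses tabs.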
++++++ 0006-btmon-fix-multiple-segfaults.patch ++++++
>From c5d07196d3937c726e0d809a9b5c8100c083890b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:22:16 +0300
Subject: [PATCH 06/13] btmon: fix multiple segfaults

Fix multiple segfaults caused by buffer over-read in packet_hci_command,
packet_hci_event and packet_hci_acldata. Fix is to check that index is
not bigger than MAX_INDEX before accessing index_list.

Crashes were found by fuzzing btmon with AFL.
---
 monitor/packet.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -10062,13 +10062,17 @@ void packet_hci_command(struct timeval *
        char extra_str[25], vendor_str[150];
        int i;
 
+       if (index > MAX_INDEX) {
+               print_field("Invalid index (%d).", index);
+               return;
+       }
+
        index_list[index].frame++;
 
-       if (size < HCI_COMMAND_HDR_SIZE) {
+       if (size < HCI_COMMAND_HDR_SIZE || size > BTSNOOP_MAX_PACKET_SIZE) {
                sprintf(extra_str, "(len %d)", size);
                print_packet(tv, cred, '*', index, NULL, COLOR_ERROR,
                        "Malformed HCI Command packet", NULL, extra_str);
-               packet_hexdump(data, size);
                return;
        }
 
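Review bot: dropping `packet_hexdump(data, size)` on the malformed path is not explained; if the reason is that `size` can exceed the bytes actually present, say so in the commit message, and consider keeping a dump bounded to what is known to be available, since the hexdump is the main diagnostic for a bad capture. The new `index > MAX_INDEX` guard also raises the `>` versus `>=` question: it is only correct if `index_list` has `MAX_INDEX + 1` elements.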
@@ -10165,6 +10169,12 @@ void packet_hci_event(struct timeval *tv
        char extra_str[25];
        int i;
 
+       if (index > MAX_INDEX) {
+               print_field("Invalid index (%d).", index);
+               return;
+       }
+
+
        index_list[index].frame++;
 
        if (size < HCI_EVENT_HDR_SIZE) {
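Review bot: the insertion leaves two consecutive blank lines before `index_list[index].frame++`; drop one.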
@@ -10239,6 +10249,11 @@ void packet_hci_acldata(struct timeval *
        uint8_t flags = acl_flags(handle);
        char handle_str[16], extra_str[32];
 
+       if (index > MAX_INDEX) {
+               print_field("Invalid index (%d).", index);
+               return;
+       }
+
        index_list[index].frame++;
 
        if (size < HCI_ACL_HDR_SIZE) {
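Review bot: this is the fourth verbatim copy of the `index > MAX_INDEX` guard in the series (packet_hci_command, packet_hci_event, packet_hci_scodata and here); factor it into one static helper so the bound and the message are maintained in a single place and the off-by-one question is settled once.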
++++++ 0007-btmon-fix-segfault-caused-by-integer-underflow.patch ++++++
>From 8da5f210c47832404f01c5d059c4956e745b858b Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:22:42 +0300
Subject: [PATCH 07/13] btmon: fix segfault caused by integer underflow

Fix segfault caused by integer underflow in set_event_filter_cmd().
Fix is to check that size is big enough before subtracting to prevent
underflow.

Crash was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -4791,6 +4791,10 @@ static void set_event_filter_cmd(const v
                break;
 
        case 0x01:
+               if (size < 2) {
+                       print_text(COLOR_ERROR, "  invalid parameter size");
+                       break;
+               }
                filter = *((const uint8_t *) (data + 1));
 
                switch (filter) {
@@ -4830,11 +4834,21 @@ static void set_event_filter_cmd(const v
                        break;
                }
 
+               if (size < 2) {
+                        print_text(COLOR_ERROR, "  invalid parameter size");
+                        break;
+                }
+
                print_field("Filter: %s (0x%2.2x)", str, filter);
                packet_hexdump(data + 2, size - 2);
                break;
 
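Review bot: this second `if (size < 2)` guard sits in the same `case 0x01:` as the one added at the top of the case, and `size` is not modified in between, so it is redundant; keep one of the two. The inserted lines are also indented with spaces where the file uses tabs.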
        default:
+               if (size < 2) {
+                        print_text(COLOR_ERROR, "  invalid parameter size");
+                        break;
+                }
+
                filter = *((const uint8_t *) (data + 1));
 
                print_field("Filter: Reserved (0x%2.2x)", filter);
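Review bot: the guard is correct for the `data + 1` read that follows, but it is indented with spaces while the surrounding code and the first hunk use tabs; match the tab indentation.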
++++++ 0008-btmon-fix-segfault-caused-by-integer-undeflow.patch ++++++
>From 1206eee71cd475882f0af9c4ec7990ae4822ddfe Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:23:12 +0300
Subject: [PATCH 08/13] btmon: fix segfault caused by integer underflow

Fix segfault caused by integer underflow. Fix is to check that
rsp->num_codecs + 3 is not bigger than size before subtracting.

Crash was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -5897,6 +5897,11 @@ static void read_local_codecs_rsp(const
        const struct bt_hci_rsp_read_local_codecs *rsp = data;
        uint8_t i, num_vnd_codecs;
 
+       if (rsp->num_codecs + 3 > size) {
+               print_field("Invalid number of codecs.");
+               return;
+       }
+
        print_status(rsp->status);
        print_field("Number of supported codecs: %d", rsp->num_codecs);
 
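Review bot: `rsp->num_codecs` is dereferenced before any check that `size` covers the fixed part of the response, so with `size < 2` the guard itself reads past the buffer; check `size < sizeof(*rsp)` first. The `+ 3` also deserves a comment naming the three bytes it stands for (status, num_codecs and the vendor codec count held in `num_vnd_codecs` from the context), since the condition alone does not say.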
++++++ 0009-btmon-fix-segfault-caused-by-buffer-over-read.patch ++++++
>From e63175ecf66f682721f2ba0337f65330aa798744 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:23:47 +0300
Subject: [PATCH 09/13] btmon: fix segfault caused by buffer over-read

Fix segfault caused by buffer over-read in btmon. Fix is to check in
packet_monitor() that index is not bigger than MAX_INDEX before accessing
index_list.

Crash was found by fuzzing btmon with AFL.
---
 monitor/packet.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: bluez-5.48/monitor/packet.c
===================================================================
--- bluez-5.48.orig/monitor/packet.c
+++ bluez-5.48/monitor/packet.c
@@ -3929,6 +3929,11 @@ void packet_monitor(struct timeval *tv,
                index_current = index;
        }
 
+       if (index != HCI_DEV_NONE && index > MAX_INDEX) {
+               print_field("Invalid index (%d)", index);
+               return;
+       }
+
        if (tv && time_offset == ((time_t) -1))
                time_offset = tv->tv_sec;
 
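Review bot: the check is placed after `index_current = index;` (top of the hunk), so an out-of-range index is recorded as the current index before being rejected; move the guard above that assignment. Note also that `HCI_DEV_NONE` is deliberately let through here, so the per-handler guards added to packet_hci_command/event/acldata/scodata remain necessary and must not be removed as redundant.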
++++++ 0010-btmon-fix-segfault-caused-by-buffer-overflow.patch ++++++
>From b9085d74f19f693a91db85f3ac4be271e02e97af Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:24:15 +0300
Subject: [PATCH 10/13] btmon: fix segfault caused by buffer overflow

A buffer overflow vulnerability in the monitor/sdp.c SDP continuation
handling caused btmon to crash. This happens in a global static buffer,
which makes it non-trivial to exploit.

This is a nasty bug in that it can also be triggered over the air
by sending a malformed SDP Search Attribute request to a device running
btmon.

This crash was found by fuzzing btmon with AFL. It seems to be reproducible
also with the Synopsys Defensics SDP Server suite.
---
 monitor/sdp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Index: bluez-5.48/monitor/sdp.c
===================================================================
--- bluez-5.48.orig/monitor/sdp.c
+++ bluez-5.48/monitor/sdp.c
@@ -43,12 +43,13 @@
 #include "sdp.h"
 
 #define MAX_TID 16
+#define MAX_CONT_SIZE 17
 
 struct tid_data {
        bool inuse;
        uint16_t tid;
        uint16_t channel;
-       uint8_t cont[17];
+       uint8_t cont[MAX_CONT_SIZE];
 };
 
 static struct tid_data tid_list[MAX_TID];
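Review bot: `MAX_CONT_SIZE 17` is a magic number; a comment that it is the one-byte continuation length field plus the 16-byte maximum continuation state SDP allows would make the bound self-explanatory.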
@@ -410,6 +411,10 @@ static void print_continuation(const uin
 static void store_continuation(struct tid_data *tid,
                                        const uint8_t *data, uint16_t size)
 {
+       if (size > MAX_CONT_SIZE) {
+               print_text(COLOR_ERROR, "invalid continuation size");
+               return;
+       }
        memcpy(tid->cont, data, size);
        print_continuation(data, size);
 }
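Review bot: on `size > MAX_CONT_SIZE` the function returns without touching `tid->cont`, so the stale continuation from the previous response stays associated with this transaction and may be matched against a later frame; clear `tid->cont` (and whatever the caller uses to mark a continuation as pending) before returning, so a rejected continuation cannot be replayed.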
++++++ 0011-btmon-fix-segfault-caused-by-integer-underflow.patch ++++++
>From 800257a5aae104ba73c5d299cd350643610998b0 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:24:41 +0300
Subject: [PATCH 11/13] btmon: fix segfault caused by integer underflow

Fix segfault caused by integer underflow in decode_data_element function
of monitor/sdp.c.

Fix is to check that elemlen is not bigger than size before subtracting
elemlen from size. Also search_bytes + attr_bytes should not be bigger
than frame->size.

This bug can be triggered locally by reading a malformed btmon capture
file and also over the air by sending a specifically crafted SDP Search
Attribute response to a device running btmon.

This bug was found by fuzzing btmon with AFL.
---
 monitor/sdp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/monitor/sdp.c b/monitor/sdp.c
index df5ccdb71..13a8807c7 100644
--- a/monitor/sdp.c
+++ b/monitor/sdp.c
@@ -309,6 +309,11 @@ static void decode_data_elements(uint32_t position, 
uint8_t indent,
                break;
        }
 
+       if (elemlen > size) {
+               print_text(COLOR_ERROR, "invalid data element size");
+               return;
+       }
+
        data += elemlen;
        size -= elemlen;
 
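Review bot: the guard `elemlen > size` comes after the `switch` that derives `elemlen` from the element's size descriptor; if that switch reads length bytes from `data` for the multi-byte size variants, those reads need their own `size` check ahead of it, which is not visible in this hunk.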
@@ -655,6 +660,11 @@ static void search_attr_req(const struct l2cap_frame 
*frame,
                                frame->size - search_bytes - 2);
        print_field("Attribute list: [len %d]", attr_bytes);
 
+       if (search_bytes + attr_bytes > frame->size) {
+               print_text(COLOR_ERROR, "invalid attribute list length");
+               return;
+       }
+
        decode_data_elements(0, 2, frame->data + search_bytes + 2,
                                                attr_bytes, NULL);
 
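Review bot: the check `search_bytes + attr_bytes > frame->size` appears two bytes short: the attribute list is decoded from `frame->data + search_bytes + 2`, so the bytes needed are `search_bytes + 2 + attr_bytes`, and the bound should include that 2-byte length field; as written, an `attr_bytes` of exactly `frame->size - search_bytes` still over-reads by two.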
-- 
2.19.1

++++++ 0012-btmon-fix-segfault-caused-by-buffer-over-read.patch ++++++
>From 3ebf246be6e9fbfe8262473f60f42ce08892c0f9 Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhu...@gmail.com>
Date: Tue, 16 Oct 2018 23:25:08 +0300
Subject: [PATCH 12/13] btmon: fix segfault caused by buffer over-read

Fix segfault caused by buffer over-read in service_rsp function of
monitor/sdp.c.

This bug can be triggered locally by reading a malformed btmon capture
file and also over the air by sending a specifically crafted SDP Search
Attribute response to a device running btmon.

Bug was found by fuzzing btmon with AFL.
---
 monitor/sdp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/monitor/sdp.c b/monitor/sdp.c
index 13a8807c7..36708f426 100644
--- a/monitor/sdp.c
+++ b/monitor/sdp.c
@@ -585,6 +585,10 @@ static void service_rsp(const struct l2cap_frame *frame, 
struct tid_data *tid)
        }
 
        count = get_be16(frame->data + 2);
+       if (count * 4 > frame->size) {
+               print_text(COLOR_ERROR, "invalid record count");
+                return;
+       }
 
        print_field("Total record count: %d", get_be16(frame->data));
        print_field("Current record count: %d", count);
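Review bot: `count * 4 > frame->size` does not include the 4-byte header (`get_be16(frame->data)` and `get_be16(frame->data + 2)` are read just above it), so if the record handles are read from `frame->data + 4` onwards the bound should be `4 + count * 4 > frame->size`; as written a `count` of exactly `frame->size / 4` still over-reads by four bytes. The `return;` line is also indented with spaces instead of tabs.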
-- 
2.19.1

++++++ CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch ++++++
>From 00f50518f232c758855ac9884a841f707f41a301 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <a...@suse.com>
Date: Thu, 3 May 2018 18:52:19 +0800
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

The Supported Commands field is a 64 octet bit field.
Do not allow reading more than that size.
---
 tools/parser/csr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/parser/csr.c b/tools/parser/csr.c
index a0a4eb5fe..2d3db878a 100644
--- a/tools/parser/csr.c
+++ b/tools/parser/csr.c
@@ -145,6 +145,11 @@ static inline void commands_dump(int level, char *str, 
struct frame *frm)
        unsigned char commands[64];
        unsigned int i;
 
+       if (frm->len > 64) {
+               perror("Read failed");
+               exit(1);
+       }
+
        memcpy(commands, frm->ptr, frm->len);
 
        p_indent(level, frm);
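Review bot: `perror("Read failed")` appends the text of `errno`, which no failed call has set here, so the message will be misleading (typically "Read failed: Success"); use `fprintf(stderr, ...)` with a message that names the oversized Supported Commands field. Calling `exit(1)` inside a packet parser also aborts the whole dump on a single malformed packet; printing the error and returning, or copying at most `sizeof(commands)` bytes, keeps the tool usable on such a capture. Write the bound as `sizeof(commands)` rather than repeating the literal 64.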
-- 
2.16.3

++++++ baselibs.conf ++++++
libbluetooth3
bluez-devel
        requires -bluez-<targettype>
        requires "libbluetooth3-<targettype> = <version>"
++++++ bluetooth.modprobe ++++++
# use "reset=1" as default, since it should be safe for recent devices and
# solves all kind of problems.
options btusb reset=1
++++++ bluez-5.11-logitech-hid2hci.patch ++++++
Apparently some Logitech devices need different rules.
https://bugzilla.novell.com/show_bug.cgi?id=681049
https://bugzilla.novell.com/show_bug.cgi?id=850478

Index: b/tools/hid2hci.rules
===================================================================
--- a/tools/hid2hci.rules
+++ b/tools/hid2hci.rules
@@ -9,11 +9,13 @@ SUBSYSTEM!="usb*", GOTO="hid2hci_end"
 ATTR{bInterfaceClass}=="03", ATTR{bInterfaceSubClass}=="01", 
ATTR{bInterfaceProtocol}=="02", \
   ATTRS{bDeviceClass}=="00", ATTRS{idVendor}=="413c", 
ATTRS{bmAttributes}=="e0", \
   RUN+="hid2hci --method=dell --devpath=%p", ENV{HID2HCI_SWITCH}="1"
 
 # Logitech devices
-KERNEL=="hiddev*", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c70[345abce]|c71[34bc]", \
+KERNEL=="hiddev*", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c70[5e]", \
+  RUN+="hid2hci --method=logitech-hid --devpath=%p"
+KERNEL=="hidraw*", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c70[34abc]|c71[34bc]", \
   RUN+="hid2hci --method=logitech-hid --devpath=%p"
 
 ENV{DEVTYPE}!="usb_device", GOTO="hid2hci_end"
 
 # When a Dell device recovers from S3, the mouse child needs to be repoked
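Review bot: the split of the Logitech product list into a `hiddev*` rule for `c70[5e]` and a `hidraw*` rule for the remaining ids carries no explanation in the rules file; add a comment with the two bugzilla references from the patch header so the next person editing the product ranges knows why those two devices differ.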
++++++ bluez-5.45-disable-broken-tests.diff ++++++
Index: bluez-5.48/Makefile.am
===================================================================
--- bluez-5.48.orig/Makefile.am
+++ bluez-5.48/Makefile.am
@@ -392,7 +392,7 @@ unit_test_lib_SOURCES = unit/test-lib.c
 unit_test_lib_LDADD = src/libshared-glib.la \
                                lib/libbluetooth-internal.la @GLIB_LIBS@
 
-unit_tests += unit/test-gatt
+#unit_tests += unit/test-gatt
 
 unit_test_gatt_SOURCES = unit/test-gatt.c
 unit_test_gatt_LDADD = src/libshared-glib.la \
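Review bot: commenting out `unit_tests += unit/test-gatt` while leaving `unit_test_gatt_SOURCES` and `unit_test_gatt_LDADD` defined will make automake warn about a SOURCES variable with no matching program; either remove those variables as well or guard them together. The patch also has no header explaining which tests are broken and why; a bug reference like the one in disable_some_obex_tests.patch would help decide when it can be dropped.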
@@ -421,7 +421,7 @@ unit_test_gattrib_LDADD = lib/libbluetoo
                        @GLIB_LIBS@ @DBUS_LIBS@ -ldl -lrt
 
 if MIDI
-unit_tests += unit/test-midi
+#unit_tests += unit/test-midi
 unit_test_midi_CFLAGS = $(AM_CFLAGS) @ALSA_CFLAGS@ -DMIDI_TEST
 unit_test_midi_SOURCES = unit/test-midi.c \
                        profiles/midi/libmidi.h \
++++++ bluez-cups-libexec.patch ++++++
Index: bluez-5.48/Makefile.in
===================================================================
--- bluez-5.48.orig/Makefile.in
+++ bluez-5.48/Makefile.in
@@ -2764,7 +2764,7 @@ unit_tests = $(am__append_49) unit/test-
 @DEPRECATED_TRUE@@READLINE_TRUE@attrib_gatttool_LDADD = 
lib/libbluetooth-internal.la \
 @DEPRECATED_TRUE@@READLINE_TRUE@                       src/libshared-glib.la 
@GLIB_LIBS@ -lreadline
 
-@CUPS_TRUE@cupsdir = $(libdir)/cups/backend
+@CUPS_TRUE@cupsdir = $(libexecdir)/../cups/backend
 @CUPS_TRUE@profiles_cups_bluetooth_SOURCES = profiles/cups/main.c \
 @CUPS_TRUE@                                    profiles/cups/cups.h \
 @CUPS_TRUE@                                    profiles/cups/sdp.c \
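Review bot: `$(libexecdir)/../cups/backend` only resolves to CUPS's backend directory when `libexecdir` is one level below the intended parent (e.g. `/usr/lib`); with `libexecdir=/usr/libexec` it becomes `/usr/cups/backend`. Taking the directory from `cups-config --serverbin` at configure time, or at least an explicit `$(prefix)/lib/cups/backend`, would be less fragile. Makefile.in is generated from Makefile.tools (patched below), so the Makefile.in hunk is only needed when the build skips autoreconf; say so in a patch header.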
Index: bluez-5.48/Makefile.tools
===================================================================
--- bluez-5.48.orig/Makefile.tools
+++ bluez-5.48/Makefile.tools
@@ -413,7 +413,7 @@ endif
 endif
 
 if CUPS
-cupsdir = $(libdir)/cups/backend
+cupsdir = $(libexecdir)/../cups/backend
 
 cups_PROGRAMS = profiles/cups/bluetooth
 
++++++ bluez-sdp-unix-path.patch ++++++
--- bluez-5.8.orig/lib/sdp.h
+++ bluez-5.8/lib/sdp.h
@@ -34,7 +34,7 @@ extern "C" {
 #include <stdint.h>
 #include <bluetooth/bluetooth.h>
 
-#define SDP_UNIX_PATH "/var/run/sdp"
+#define SDP_UNIX_PATH "/run/sdp"
 #define SDP_RESPONSE_TIMEOUT   20
 #define SDP_REQ_BUFFER_SIZE    2048
 #define SDP_RSP_BUFFER_SIZE    65535
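Review bot: `SDP_UNIX_PATH` lives in the installed public header `lib/sdp.h`, so this changes the default baked into every program built against it, and the daemon and its clients only agree if both were built with the same header; on a system where `/var/run` is a symlink to `/run` both spellings reach the same socket, but the patch should carry a header stating that assumption.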
++++++ disable_some_obex_tests.patch ++++++
From: Michel Normand <norm...@linux.vnet.ibm.com>
Subject: disable some obex tests
Date: Tue, 30 Jan 2018 17:01:45 +0100

disable some obex tests because of transient failures
reported by bug
https://bugzilla.suse.com/show_bug.cgi?id=1078285

Signed-off-by: Michel Normand <norm...@linux.vnet.ibm.com>
---
 Makefile.am |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: bluez-5.48/Makefile.am
===================================================================
--- bluez-5.48.orig/Makefile.am
+++ bluez-5.48/Makefile.am
@@ -363,8 +363,8 @@ unit_test_gdbus_client_SOURCES = unit/te
 unit_test_gdbus_client_LDADD = gdbus/libgdbus-internal.la \
                                src/libshared-glib.la @GLIB_LIBS@ @DBUS_LIBS@
 
-unit_tests += unit/test-gobex-header unit/test-gobex-packet unit/test-gobex \
-                       unit/test-gobex-transfer unit/test-gobex-apparam
+unit_tests += unit/test-gobex-header unit/test-gobex-packet \
+                       unit/test-gobex-apparam
 
 unit_test_gobex_SOURCES = $(gobex_sources) unit/util.c unit/util.h \
                                                unit/test-gobex.c
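Review bot: `unit/test-gobex` and `unit/test-gobex-transfer` are removed from `unit_tests`, but `unit_test_gobex_SOURCES` directly below the hunk is left in place, so automake will warn about a SOURCES variable with no program; remove (or comment out) those definitions together with the list entries.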
++++++ hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch ++++++
>From 08a69d36726b6345df6e64892cadd5ab5d5ca2a6 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <a...@suse.com>
Date: Tue, 19 Mar 2019 15:54:09 +0800
Subject: [PATCH BlueZ] hcidump: Add assoc dump function assoc data length check

amp_assoc_dump() didn't check the length of the amp assoc struct.
If the assoc data carries a wrong length, amp_assoc_dump() and
amp_dump_chanlist() will read past the size (heap-buffer-overflow).

Use t_len to save the length and avoid using the wrong size of the data.
---
 tools/parser/amp.c    | 35 +++++++++++++++++++++++++++--------
 tools/parser/hci.c    |  4 ++--
 tools/parser/l2cap.c  |  6 ++++--
 tools/parser/parser.h |  2 +-
 4 files changed, 34 insertions(+), 13 deletions(-)

Index: bluez-5.48/tools/parser/amp.c
===================================================================
--- bluez-5.48.orig/tools/parser/amp.c
+++ bluez-5.48/tools/parser/amp.c
@@ -27,7 +27,8 @@
 #include "parser.h"
 #include "lib/amp.h"
 
-static void amp_dump_chanlist(int level, struct amp_tlv *tlv, char *prefix)
+static void amp_dump_chanlist(int level, struct amp_tlv *tlv,
+                             uint16_t t_len, char *prefix)
 {
        struct amp_chan_list *chan_list = (void *) tlv->val;
        struct amp_country_triplet *triplet;
@@ -37,6 +38,12 @@ static void amp_dump_chanlist(int level,
 
        printf("%s (number of triplets %d)\n", prefix, num);
 
+       if (btohs(tlv->len) > t_len) {
+               p_indent(level+1, 0);
+               printf("Wrong number of triplets\n");
+               num = (t_len - sizeof(*chan_list)) / sizeof(*triplet);
+       }
+
        p_indent(level+2, 0);
 
        printf("Country code: %c%c%c\n", chan_list->country_code[0],
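Review bot: `num = (t_len - sizeof(*chan_list)) / sizeof(*triplet)` wraps when `t_len < sizeof(*chan_list)` because the subtraction is done in `size_t`, yielding a huge count, and `chan_list->country_code[...]` is printed right after without checking that `t_len` covers the header at all; test `t_len < sizeof(*chan_list)` first and return. The "number of triplets" line above is also printed with the untrusted `num` before the correction.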
@@ -67,7 +74,7 @@ static void amp_dump_chanlist(int level,
        }
 }
 
-void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len)
+void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len, uint16_t t_len)
 {
        struct amp_tlv *tlv = (void *) assoc;
 
@@ -75,6 +82,14 @@ void amp_assoc_dump(int level, uint8_t *
        printf("Assoc data [len %d]:\n", len);
 
        while (len > sizeof(*tlv)) {
+               if (btohs(tlv->len) > (t_len - sizeof(struct amp_tlv))) {
+                       p_indent(level+1, 0);
+                       printf("Assoc data get error size\n");
+                       t_len -= sizeof(struct amp_tlv);
+               } else {
+                       t_len -= sizeof(struct amp_tlv) + btohs(tlv->len);
+               }
+
                uint16_t tlvlen = btohs(tlv->len);
                struct amp_pal_ver *ver;
 
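Review bot: `t_len - sizeof(struct amp_tlv)` is computed in `size_t` and wraps when `t_len` is smaller than the TLV header (the loop condition only checks `len`, not `t_len`), so the comparison passes and the following `t_len -=` wraps too; test `t_len < sizeof(*tlv)` and bail out before this block. `btohs(tlv->len)` is also evaluated three times here and once more as `tlvlen` just below; computing `tlvlen` first and reusing it would avoid that and keep the declarations at the top of the block as in the rest of the file.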
@@ -90,11 +105,13 @@ void amp_assoc_dump(int level, uint8_t *
                        break;
 
                case A2MP_PREF_CHANLIST_TYPE:
-                       amp_dump_chanlist(level, tlv, "Preferred Chan List");
+                       amp_dump_chanlist(level, tlv,
+                                         t_len, "Preferred Chan List");
                        break;
 
                case A2MP_CONNECTED_CHAN:
-                       amp_dump_chanlist(level, tlv, "Connected Chan List");
+                       amp_dump_chanlist(level, tlv,
+                                         t_len, "Connected Chan List");
                        break;
 
                case A2MP_PAL_CAP_TYPE:
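Review bot: the `t_len` passed to `amp_dump_chanlist()` has already been reduced by this TLV's own header and value in the well-formed branch above, so inside it `btohs(tlv->len) > t_len` compares the TLV's length with the bytes remaining after the TLV rather than the bytes available for it; for a valid last TLV `t_len` is 0, the "Wrong number of triplets" path is taken and `(t_len - sizeof(*chan_list))` wraps. Pass the bytes available for this TLV (the value of `t_len` before the subtraction) instead.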
@@ -118,9 +135,11 @@ void amp_assoc_dump(int level, uint8_t *
                        printf("Unrecognized type %d\n", tlv->type);
                        break;
                }
-
-               len -= tlvlen + sizeof(*tlv);
-               assoc += tlvlen + sizeof(*tlv);
-               tlv = (struct amp_tlv *) assoc;
+               if (btohs(tlv->len) <= t_len) {
+                       len -= tlvlen + sizeof(*tlv);
+                       assoc += tlvlen + sizeof(*tlv);
+                       tlv = (struct amp_tlv *) assoc;
+               } else
+                       len = 0;
        }
 }
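Review bot: `if (btohs(tlv->len) <= t_len)` has the same problem: after the well-formed branch `t_len` is the remainder after this TLV, so a valid TLV followed by a shorter one (say a 10-byte value followed by a 2-byte one) fails the test and the loop stops with `len = 0`, silently dropping the rest of a correct assoc blob; compare against the remainder before the subtraction, or simply break only when the malformed branch was taken.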
Index: bluez-5.48/tools/parser/hci.c
===================================================================
--- bluez-5.48.orig/tools/parser/hci.c
+++ bluez-5.48/tools/parser/hci.c
@@ -1678,7 +1678,7 @@ static inline void write_remote_amp_asso
        printf("handle 0x%2.2x len_so_far %d remaining_len %d\n", cp->handle,
                                cp->length_so_far, cp->remaining_length);
 
-       amp_assoc_dump(level + 1, cp->fragment, frm->len - 5);
+       amp_assoc_dump(level + 1, cp->fragment, frm->len - 5, frm->len - 5);
 }
 
 static inline void command_dump(int level, struct frame *frm)
@@ -2661,7 +2661,7 @@ static inline void read_local_amp_assoc_
                p_indent(level, frm);
                printf("Error: %s\n", status2str(rp->status));
        } else {
-               amp_assoc_dump(level + 1, rp->fragment, len);
+               amp_assoc_dump(level + 1, rp->fragment, len, frm->len - 4);
        }
 }
 
Index: bluez-5.48/tools/parser/l2cap.c
===================================================================
--- bluez-5.48.orig/tools/parser/l2cap.c
+++ bluez-5.48/tools/parser/l2cap.c
@@ -1171,7 +1171,8 @@ static inline void a2mp_assoc_rsp(int le
 
        printf("Get AMP Assoc rsp: id %d status (%d) %s\n",
                        h->id, h->status, a2mpstatus2str(h->status));
-       amp_assoc_dump(level + 1, h->assoc_data, len - sizeof(*h));
+       amp_assoc_dump(level + 1, h->assoc_data,
+                      len - sizeof(*h), frm->len - sizeof(*h));
 }
 
 static inline void a2mp_create_req(int level, struct frame *frm, uint16_t len)
@@ -1180,7 +1181,8 @@ static inline void a2mp_create_req(int l
 
        printf("Create Physical Link req: local id %d remote id %d\n",
                   h->local_id, h->remote_id);
-       amp_assoc_dump(level + 1, h->assoc_data, len - sizeof(*h));
+       amp_assoc_dump(level + 1, h->assoc_data,
+                      len - sizeof(*h), frm->len - sizeof(*h));
 }
 
 static inline void a2mp_create_rsp(int level, struct frame *frm)
Index: bluez-5.48/tools/parser/parser.h
===================================================================
--- bluez-5.48.orig/tools/parser/parser.h
+++ bluez-5.48/tools/parser/parser.h
@@ -249,7 +249,7 @@ void ericsson_dump(int level, struct fra
 void csr_dump(int level, struct frame *frm);
 void bpa_dump(int level, struct frame *frm);
 
-void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len);
+void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len, uint16_t t_len);
 
 static inline void parse(struct frame *frm)
 {
++++++ hcidump-Fix-memory-leak-with-malformed-packet.patch ++++++
>From 98bee47cca1b8a6b17bb0178f951fe7902abc2f0 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <a...@suse.com>
Date: Wed, 24 Apr 2019 16:10:56 +0800
Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet

Do not allow to read more than allocated data buffer size.
Because the buffer is malloc(HCI_MAX_FRAME_SIZE), there is a heap buffer
overflow if the read size is larger than HCI_MAX_FRAME_SIZE and the fd
size is larger than HCI_MAX_FRAME_SIZE.
---
 tools/hcidump.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Index: bluez-5.48/tools/hcidump.c
===================================================================
--- bluez-5.48.orig/tools/hcidump.c
+++ bluez-5.48/tools/hcidump.c
@@ -104,6 +104,15 @@ struct pktlog_hdr {
 static inline int read_n(int fd, char *buf, int len)
 {
        int t = 0, w;
+       off_t fsize, currentpos, startpos;
+
+       currentpos = lseek(fd, 0, SEEK_CUR);
+       fsize = lseek(fd, 0, SEEK_END);
+       lseek(fd, currentpos, SEEK_SET);
+       fsize -= currentpos;
+
+       if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE)
+               return -1;
 
        while (len > 0) {
                if ((w = read(fd, buf, len)) < 0) {
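Review bot: the three `lseek()` calls only work on a seekable fd; on a pipe or socket they return -1, `fsize` ends up 0 and the guard never fires, so an oversized `len` still overflows the `HCI_MAX_FRAME_SIZE` buffer described in the commit message. The file-size conjunct is also unnecessary: if `len > HCI_MAX_FRAME_SIZE` the request itself is wrong regardless of how much data remains. Rejecting `len > HCI_MAX_FRAME_SIZE` unconditionally, or better passing the buffer size into `read_n()` instead of hard-coding a constant in a generic read helper, fixes both and avoids three seeks per call.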
++++++ hcidump-Fix-set_ext_ctrl-global-buffer-overflow.patch ++++++
>From b18f628f613eda2a6fb013541fb8bb6eaee38cd2 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <a...@suse.com>
Date: Wed, 31 Oct 2018 16:15:08 +0800
Subject: [PATCH] hcidump: Fix set_ext_ctrl() global buffer overflow

Fix set_ext_ctrl() global buffer overflow.
---
 tools/parser/l2cap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/parser/l2cap.c b/tools/parser/l2cap.c
index a05796482..5daefcbaa 100644
--- a/tools/parser/l2cap.c
+++ b/tools/parser/l2cap.c
@@ -56,7 +56,7 @@ typedef struct {
        uint8_t mode;
        uint8_t ext_ctrl;
 } cid_info;
-#define CID_TABLE_SIZE 20
+#define CID_TABLE_SIZE 32
 
 static cid_info cid_table[2][CID_TABLE_SIZE];
 
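Review bot: raising `CID_TABLE_SIZE` from 20 to 32 only moves the bound; the commit message does not say whether the index used in `set_ext_ctrl()` is derived from a packet field, and if it is, a larger table still overflows on a larger index. Add a range check at the point where `cid_table[][]` is indexed, and state in the message why 32 is sufficient.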
-- 
2.19.1

++++++ hcidump-Fixed-malformed-segment-frame-length.patch ++++++
>From da04ba5e6b3f151c1644a17ac0fa2317ebc81edd Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <a...@suse.com>
Date: Tue, 15 Oct 2019 15:45:43 +0800
Subject: [PATCH] hcidump: Fixed malformed segment frame length

Ensure the L2CAP SDUs whose length field match the actual frame length.
---
 tools/parser/l2cap.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/parser/l2cap.c b/tools/parser/l2cap.c
index a05796482..f57885074 100644
--- a/tools/parser/l2cap.c
+++ b/tools/parser/l2cap.c
@@ -771,6 +771,11 @@ static inline void conf_rsp(int level, l2cap_cmd_hdr *cmd, 
struct frame *frm)
                        scid, btohs(h->flags), result, clen);
 
        if (clen > 0) {
+               if (clen != (btohs(frm->len) - L2CAP_CONF_RSP_SIZE)) {
+                       fprintf(stderr, "Not match the actual frame length\n");
+                       clen = btohs(frm->len) - L2CAP_CONF_RSP_SIZE;
+               }
+
                if (result) {
                        p_indent(level + 1, frm);
                        printf("%s\n", confresult2str(result));
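Review bot: the new check computes `btohs(frm->len) - L2CAP_CONF_RSP_SIZE` without first verifying that the frame is at least L2CAP_CONF_RSP_SIZE bytes long, so on a truncated frame the subtraction goes negative (or wraps to a large value if clen is unsigned) and is then assigned to clen, replacing one bad length with another. Return early when `btohs(frm->len) < L2CAP_CONF_RSP_SIZE` before the comparison. Two smaller points: if frm->len is a host-order length (as the parser's own frame fields usually are, unlike h->flags from the wire) then btohs() should not be applied to it, please confirm; and the diagnostic reads better as "Configure response length does not match the frame length".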
-- 
2.23.0

++++++ hcidump-fixed-hci-frame-dump-stack-buffer-overflow.patch ++++++
>From 01146fff6e66742b5e256cf7cbae3e0d7f30c530 Mon Sep 17 00:00:00 2001
From: "Cho, Yu-Chen" <a...@suse.com>
Date: Wed, 31 Oct 2018 16:15:07 +0800
Subject: [PATCH] hcidump: fixed hci frame dump stack-buffer-overflow

hci_dump() didn't check the length of the frame, which would result in
a stack-buffer-overflow error.
---
 tools/parser/hci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/parser/hci.c b/tools/parser/hci.c
index 8c7bd2581..4e6c36040 100644
--- a/tools/parser/hci.c
+++ b/tools/parser/hci.c
@@ -4107,6 +4107,9 @@ void hci_dump(int level, struct frame *frm)
 
        frm->ptr++; frm->len--;
 
+       if (frm->len == 0)
+               return;
+
        switch (type) {
        case HCI_COMMAND_PKT:
                command_dump(level, frm);
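Review bot: the zero-length check sits after `frm->ptr++; frm->len--;`, so a frame that is already empty when hci_dump() is entered is decremented first and, if frm->len is unsigned, wraps to a huge value that passes the new `frm->len == 0` test. Move the check before the type byte is consumed (`if (frm->len < 1) return;` ahead of the increment/decrement pair), so the guard also covers the case the commit message describes.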
-- 
2.19.1

++++++ tools-Fix-build-after-y2038-changes-in-glibc.patch ++++++
>From f36f71f60b1e68c0f12e615b9b128d089ec3dd19 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <had...@hadess.net>
Date: Fri, 7 Jun 2019 09:51:33 +0200
Subject: [PATCH] tools: Fix build after y2038 changes in glibc

The 32-bit SIOCGSTAMP has been deprecated. Use the deprecated name
to fix the build.
---
 tools/l2test.c | 6 +++++-
 tools/rctest.c | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

Index: bluez-5.48/tools/l2test.c
===================================================================
--- bluez-5.48.orig/tools/l2test.c
+++ bluez-5.48/tools/l2test.c
@@ -54,6 +54,10 @@
 #define BREDR_DEFAULT_PSM      0x1011
 #define LE_DEFAULT_PSM         0x0080
 
+#ifndef SIOCGSTAMP_OLD
+#define SIOCGSTAMP_OLD SIOCGSTAMP
+#endif
+
 /* Test modes */
 enum {
        SEND,
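Review bot: this fallback block is copied verbatim into both tools/l2test.c and tools/rctest.c; a single definition in a shared header that both tools include would keep the two in sync when the deprecated name is eventually dropped from the kernel headers. The `#ifndef` guard itself is correct for older headers that only define SIOCGSTAMP, and defining SIOCGSTAMP_OLD in terms of SIOCGSTAMP (not the reverse) is the right direction.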
@@ -906,7 +910,7 @@ static void recv_mode(int sk)
                        if (timestamp) {
                                struct timeval tv;
 
-                               if (ioctl(sk, SIOCGSTAMP, &tv) < 0) {
+                               if (ioctl(sk, SIOCGSTAMP_OLD, &tv) < 0) {
                                        timestamp = 0;
                                        memset(ts, 0, sizeof(ts));
                                } else {
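Review bot: switching the call to SIOCGSTAMP_OLD deliberately pins the ioctl to the deprecated 32-bit timestamp interface the commit message mentions, which fixes the build but keeps the 2038 limitation on this path; a one-line comment at the call site saying why the _OLD name is used would stop a future cleanup from reverting it. The error branch still silently disables timestamps on any failure (`timestamp = 0` and a zeroed ts), so logging errno once here would make it visible when a kernel finally rejects the old ioctl.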
Index: bluez-5.48/tools/rctest.c
===================================================================
--- bluez-5.48.orig/tools/rctest.c
+++ bluez-5.48/tools/rctest.c
@@ -49,6 +49,10 @@
 
 #include "src/shared/util.h"
 
+#ifndef SIOCGSTAMP_OLD
+#define SIOCGSTAMP_OLD SIOCGSTAMP
+#endif
+
 /* Test modes */
 enum {
        SEND,
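Review bot: same duplicated fallback as in l2test.c; since this file already includes src/shared/util.h (visible just above the hunk), that header is the natural single home for the `SIOCGSTAMP_OLD` definition so the two tools cannot drift apart.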
@@ -504,7 +508,7 @@ static void recv_mode(int sk)
                        if (timestamp) {
                                struct timeval tv;
 
-                               if (ioctl(sk, SIOCGSTAMP, &tv) < 0) {
+                               if (ioctl(sk, SIOCGSTAMP_OLD, &tv) < 0) {
                                        timestamp = 0;
                                        memset(ts, 0, sizeof(ts));
                                } else {
