Bug#697580: connman: CVE-2012-6459

John Paul Adrian Glaubitz Wed, 09 Jan 2013 06:39:14 -0800

Package: connman
Followup-For: Bug #697580

tags 697580 patch
thanks


Hi,

I have created an NMU which includes the upstream patch to fix
the vulnerabilty CVE-2012-6459. I am attaching the debdiff
towards the NMU version as well as the extracted upstream
patch.

I haven't tested the patch yet.

Cheers,

Adrian

diff -Nru connman-1.0/debian/changelog connman-1.0-CVE-2012-6459/debian/changelog
--- connman-1.0/debian/changelog	2012-05-25 04:27:50.000000000 +0200
+++ connman-1.0-CVE-2012-6459/debian/changelog	2013-01-09 15:34:04.186261911 +0100
@@ -1,3 +1,11 @@
+connman (1.0-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Include patch to fix bluetooth offline visibility
+    issue CVE-2012-6459 (Closes: #697580).
+
+ -- John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>  Wed, 09 Jan 2013 15:32:22 +0100
+
 connman (1.0-1) unstable; urgency=high
 
   [ Andrew Brouwers ]
diff -Nru connman-1.0/debian/patches/02-CVE-2012-6459.patch connman-1.0-CVE-2012-6459/debian/patches/02-CVE-2012-6459.patch
--- connman-1.0/debian/patches/02-CVE-2012-6459.patch	1970-01-01 01:00:00.000000000 +0100
+++ connman-1.0-CVE-2012-6459/debian/patches/02-CVE-2012-6459.patch	2013-01-09 15:31:58.677492862 +0100
@@ -0,0 +1,48 @@
+From 01126286f96856aab6b0de171830f4e8e842e1da Mon Sep 17 00:00:00 2001
+From: Gustavo Padovan <gustavo.pado...@collabora.co.uk>
+Date: Thu, 9 Aug 2012 18:57:25 -0300
+Subject: [PATCH] bluetooth: Add device to hash before registration
+
+During the connman_device_register() procedure a lookup to the
+bluetooth_devices hash table happens, however the device is not on the
+hash at this point and the look out fails.
+
+If the registration fails, technology_disable() returns the Failed
+message on D-Bus with the error status zero. That happens because we
+don't have any device registered.
+
+This patch moves the insertion of the device to before the device
+registration.
+---
+ plugins/bluetooth.c |    5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/bluetooth.c b/plugins/bluetooth.c
+index b06460a..2ab29a6 100644
+--- a/plugins/bluetooth.c
++++ b/plugins/bluetooth.c
+@@ -660,6 +660,8 @@ static void adapter_properties_reply(DBusPendingCall *call, void *user_data)
+ 	if (device != NULL)
+ 		goto update;
+ 
++	g_hash_table_insert(bluetooth_devices, g_strdup(path), device);
++
+ 	ether_aton_r(address, &addr);
+ 
+ 	snprintf(ident, 13, "%02x%02x%02x%02x%02x%02x",
+@@ -680,11 +682,10 @@ static void adapter_properties_reply(DBusPendingCall *call, void *user_data)
+ 
+ 	if (connman_device_register(device) < 0) {
+ 		connman_device_unref(device);
++		g_hash_table_remove(bluetooth_devices, path);
+ 		goto done;
+ 	}
+ 
+-	g_hash_table_insert(bluetooth_devices, g_strdup(path), device);
+-
+ update:
+ 	connman_device_set_string(device, "Address", address);
+ 	connman_device_set_string(device, "Name", name);
+-- 
+1.7.7.6
+
diff -Nru connman-1.0/debian/patches/series connman-1.0-CVE-2012-6459/debian/patches/series
--- connman-1.0/debian/patches/series	2012-05-25 04:27:50.000000000 +0200
+++ connman-1.0-CVE-2012-6459/debian/patches/series	2013-01-09 15:32:17.892998525 +0100
@@ -1 +1,2 @@
 01-init-script-lsb-headers.patch
+02-CVE-2012-6459.patch

>From 01126286f96856aab6b0de171830f4e8e842e1da Mon Sep 17 00:00:00 2001
From: Gustavo Padovan <gustavo.pado...@collabora.co.uk>
Date: Thu, 9 Aug 2012 18:57:25 -0300
Subject: [PATCH] bluetooth: Add device to hash before registration

During the connman_device_register() procedure a lookup to the
bluetooth_devices hash table happens, however the device is not on the
hash at this point and the look out fails.

If the registration fails, technology_disable() returns the Failed
message on D-Bus with the error status zero. That happens because we
don't have any device registered.

This patch moves the insertion of the device to before the device
registration.
---
 plugins/bluetooth.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/plugins/bluetooth.c b/plugins/bluetooth.c
index b06460a..2ab29a6 100644
--- a/plugins/bluetooth.c
+++ b/plugins/bluetooth.c
@@ -660,6 +660,8 @@ static void adapter_properties_reply(DBusPendingCall *call, void *user_data)
 	if (device != NULL)
 		goto update;
 
+	g_hash_table_insert(bluetooth_devices, g_strdup(path), device);
+
 	ether_aton_r(address, &addr);
 
 	snprintf(ident, 13, "%02x%02x%02x%02x%02x%02x",
@@ -680,11 +682,10 @@ static void adapter_properties_reply(DBusPendingCall *call, void *user_data)
 
 	if (connman_device_register(device) < 0) {
 		connman_device_unref(device);
+		g_hash_table_remove(bluetooth_devices, path);
 		goto done;
 	}
 
-	g_hash_table_insert(bluetooth_devices, g_strdup(path), device);
-
 update:
 	connman_device_set_string(device, "Address", address);
 	connman_device_set_string(device, "Name", name);
-- 
1.7.7.6

Bug#697580: connman: CVE-2012-6459

Reply via email to