Control: tags 989495 + patch
Control: tags 989495 + pending
Control: tags 989614 + patch
Control: tags 989614 + pending

Dear maintainer,

I've prepared an NMU for bluez (versioned as 5.55-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru bluez-5.55/debian/changelog bluez-5.55/debian/changelog
--- bluez-5.55/debian/changelog	2021-01-02 07:57:41.000000000 +0100
+++ bluez-5.55/debian/changelog	2021-06-08 21:34:10.000000000 +0200
@@ -1,3 +1,12 @@
+bluez (5.55-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * main: Don't warn for unset config option (Closes: #989495)
+  * shared/gatt-server: Fix not properly checking for secure flags
+    (CVE-2020-26558, CVE-2021-0129) (Closes: #989614)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Jun 2021 21:34:10 +0200
+
 bluez (5.55-3) unstable; urgency=medium
 
   * Add d/salsa-ci.yml.
diff -Nru bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch
--- bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch	1970-01-01 01:00:00.000000000 +0100
+++ bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch	2021-06-08 21:34:10.000000000 +0200
@@ -0,0 +1,23 @@
+From: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
+Date: Mon, 9 Nov 2020 14:57:56 -0800
+Subject: main: Don't warn for unset config option
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=02e46e9df6b0d897e6ba67dc3ea18e5e9c510e44
+Bug-Debian: https://bugs.debian.org/989495
+Bug: https://github.com/bluez/bluez/issues/51
+
+Unset options shall not be printed if debug is not enabled.
+---
+ src/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/main.c
++++ b/src/main.c
+@@ -444,7 +444,7 @@ static void parse_controller_config(GKey
+ 		int val = g_key_file_get_integer(config, "Controller",
+ 						params[i].val_name, &err);
+ 		if (err) {
+-			warn("%s", err->message);
++			DBG("%s", err->message);
+ 			g_clear_error(&err);
+ 		} else {
+ 			info("%s=%d", params[i].val_name, val);
diff -Nru bluez-5.55/debian/patches/series bluez-5.55/debian/patches/series
--- bluez-5.55/debian/patches/series	2021-01-02 07:57:41.000000000 +0100
+++ bluez-5.55/debian/patches/series	2021-06-08 21:34:10.000000000 +0200
@@ -10,3 +10,5 @@
 shared-gatt-client-Fix-segfault-after-PIN-entry.patch
 main.conf-Add-more-details-Closes-904212.patch
 headers-use-releative-symlinks.patch
+main-Don-t-warn-for-unset-config-option.patch
+shared-gatt-server-Fix-not-properly-checking-for-sec.patch
diff -Nru bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch
--- bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch	1970-01-01 01:00:00.000000000 +0100
+++ bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch	2021-06-08 21:34:10.000000000 +0200
@@ -0,0 +1,108 @@
+From: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=00da0fb4972cf59e1c075f313da81ea549cb8738
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-26558
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-0129
+Bug-Debian: https://bugs.debian.org/989614
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+---
+ src/shared/att-types.h   |  8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94ab3..3adc05d9e357 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE	0x0200
+ #define BT_ATT_PERM_SECURE		(BT_ATT_PERM_READ_SECURE | \
+ 					BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK		(BT_ATT_PERM_READ | \
++					BT_ATT_PERM_READ_AUTHEN | \
++					BT_ATT_PERM_READ_ENCRYPT | \
++					BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK		(BT_ATT_PERM_WRITE | \
++					BT_ATT_PERM_WRITE_AUTHEN | \
++					BT_ATT_PERM_WRITE_ENCRYPT | \
++					BT_ATT_PERM_WRITE_SECURE)
+ 
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST			0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc3d9..970c35f94e51 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+ 		return;
+ 	}
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 				(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ 				handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-						BT_ATT_PERM_WRITE_AUTHEN |
+-						BT_ATT_PERM_WRITE_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+ 			opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+ 			handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ 		goto error;
+ 	}
+ 
+-	ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(data->server, next_attr,
++						BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 		goto error;
+ 	}
+ 
+-	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 	util_debug(server->debug_callback, server->debug_data,
+ 				"Prep Write Req - handle: 0x%04x", handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-						BT_ATT_PERM_WRITE_AUTHEN |
+-						BT_ATT_PERM_WRITE_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+-- 
+2.32.0
+

Reply via email to