Control: tags 989700 + patch Control: tags 989700 + pending
Dear maintainer, I've prepared an NMU for bluez (versioned as 5.55-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Note, I did cancel the previoulsy pending NMU to include the CVE-2021-3588 fix as well. Regards, Salvatore
diff -Nru bluez-5.55/debian/changelog bluez-5.55/debian/changelog --- bluez-5.55/debian/changelog 2021-01-02 07:57:41.000000000 +0100 +++ bluez-5.55/debian/changelog 2021-06-10 21:34:56.000000000 +0200 @@ -1,3 +1,13 @@ +bluez (5.55-3.1) unstable; urgency=high + + * Non-maintainer upload. + * main: Don't warn for unset config option (Closes: #989495) + * shared/gatt-server: Fix not properly checking for secure flags + (CVE-2020-26558, CVE-2021-0129) (Closes: #989614) + * gatt: Fix potential buffer out-of-bound (CVE-2021-3588) (Closes: #989700) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 10 Jun 2021 21:34:56 +0200 + bluez (5.55-3) unstable; urgency=medium * Add d/salsa-ci.yml. diff -Nru bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch --- bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch 1970-01-01 01:00:00.000000000 +0100 +++ bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch 2021-06-10 21:34:56.000000000 +0200 @@ -0,0 +1,35 @@ +From: Luiz Augusto von Dentz <luiz.von.de...@intel.com> +Date: Mon, 4 Jan 2021 10:38:31 -0800 +Subject: gatt: Fix potential buffer out-of-bound +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=3a40bef49305f8327635b81ac8be52a3ca063d5a +Bug: https://github.com/bluez/bluez/issues/70 +Bug-Debian: https://bugs.debian.org/989700 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3588 + +When client features is read check if the offset is within the cli_feat +bounds. + +Fixes: https://github.com/bluez/bluez/issues/70 +--- + src/gatt-database.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/gatt-database.c b/src/gatt-database.c +index 90cc4bade3d9..f2d7b5821734 100644 +--- a/src/gatt-database.c ++++ b/src/gatt-database.c +@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib, + goto done; + } + ++ if (offset >= sizeof(state->cli_feat)) { ++ ecode = BT_ATT_ERROR_INVALID_OFFSET; ++ goto done; ++ } ++ + len = sizeof(state->cli_feat) - offset; + value = len ? &state->cli_feat[offset] : NULL; + +-- +2.32.0 + diff -Nru bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch --- bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch 1970-01-01 01:00:00.000000000 +0100 +++ bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch 2021-06-10 21:34:56.000000000 +0200 @@ -0,0 +1,23 @@ +From: Luiz Augusto von Dentz <luiz.von.de...@intel.com> +Date: Mon, 9 Nov 2020 14:57:56 -0800 +Subject: main: Don't warn for unset config option +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=02e46e9df6b0d897e6ba67dc3ea18e5e9c510e44 +Bug-Debian: https://bugs.debian.org/989495 +Bug: https://github.com/bluez/bluez/issues/51 + +Unset options shall not be printed if debug is not enabled. +--- + src/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/main.c ++++ b/src/main.c +@@ -444,7 +444,7 @@ static void parse_controller_config(GKey + int val = g_key_file_get_integer(config, "Controller", + params[i].val_name, &err); + if (err) { +- warn("%s", err->message); ++ DBG("%s", err->message); + g_clear_error(&err); + } else { + info("%s=%d", params[i].val_name, val); diff -Nru bluez-5.55/debian/patches/series bluez-5.55/debian/patches/series --- bluez-5.55/debian/patches/series 2021-01-02 07:57:41.000000000 +0100 +++ bluez-5.55/debian/patches/series 2021-06-10 21:34:56.000000000 +0200 @@ -10,3 +10,6 @@ shared-gatt-client-Fix-segfault-after-PIN-entry.patch main.conf-Add-more-details-Closes-904212.patch headers-use-releative-symlinks.patch +main-Don-t-warn-for-unset-config-option.patch +shared-gatt-server-Fix-not-properly-checking-for-sec.patch +gatt-Fix-potential-buffer-out-of-bound.patch diff -Nru bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch --- bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch 1970-01-01 01:00:00.000000000 +0100 +++ bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch 2021-06-10 21:34:56.000000000 +0200 @@ -0,0 +1,108 @@ +From: Luiz Augusto von Dentz <luiz.von.de...@intel.com> +Date: Tue, 2 Mar 2021 11:38:33 -0800 +Subject: shared/gatt-server: Fix not properly checking for secure flags +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=00da0fb4972cf59e1c075f313da81ea549cb8738 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-26558 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-0129 +Bug-Debian: https://bugs.debian.org/989614 + +When passing the mask to check_permissions all valid permissions for +the operation must be set including BT_ATT_PERM_SECURE flags. +--- + src/shared/att-types.h | 8 ++++++++ + src/shared/gatt-server.c | 25 +++++++------------------ + 2 files changed, 15 insertions(+), 18 deletions(-) + +diff --git a/src/shared/att-types.h b/src/shared/att-types.h +index 7108b4e94ab3..3adc05d9e357 100644 +--- a/src/shared/att-types.h ++++ b/src/shared/att-types.h +@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp { + #define BT_ATT_PERM_WRITE_SECURE 0x0200 + #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \ + BT_ATT_PERM_WRITE_SECURE) ++#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \ ++ BT_ATT_PERM_READ_AUTHEN | \ ++ BT_ATT_PERM_READ_ENCRYPT | \ ++ BT_ATT_PERM_READ_SECURE) ++#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \ ++ BT_ATT_PERM_WRITE_AUTHEN | \ ++ BT_ATT_PERM_WRITE_ENCRYPT | \ ++ BT_ATT_PERM_WRITE_SECURE) + + /* GATT Characteristic Properties Bitfield values */ + #define BT_GATT_CHRC_PROP_BROADCAST 0x01 +diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c +index b5f7de7dc3d9..970c35f94e51 100644 +--- a/src/shared/gatt-server.c ++++ b/src/shared/gatt-server.c +@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op) + return; + } + +- ecode = check_permissions(server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, + (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", + handle); + +- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | +- BT_ATT_PERM_WRITE_AUTHEN | +- BT_ATT_PERM_WRITE_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; + +@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan, + opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "", + handle); + +- ecode = check_permissions(server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, + goto error; + } + +- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(data->server, next_attr, ++ BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, + goto error; + } + +- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, + util_debug(server->debug_callback, server->debug_data, + "Prep Write Req - handle: 0x%04x", handle); + +- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | +- BT_ATT_PERM_WRITE_AUTHEN | +- BT_ATT_PERM_WRITE_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; + +-- +2.32.0 +
