[Pkg-bluetooth-maintainers] Bug#875633: bluez: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req

Wed Sep 13 09:16:57 UTC 2017

Hi

Proposed debdiff for unstable.

Regards,
Salvatore
-------------- next part --------------
diff -Nru bluez-5.45/debian/changelog bluez-5.45/debian/changelog

--- bluez-5.45/debian/changelog	2017-07-02 02:07:00.000000000 +0200
+++ bluez-5.45/debian/changelog	2017-09-13 10:28:07.000000000 +0200
@@ -1,3 +1,11 @@
+bluez (5.45-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-1000250: information disclosure vulnerability in
+    service_search_attr_req (Closes: #875633)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Wed, 13 Sep 2017 10:28:07 +0200
+
 bluez (5.45-1) unstable; urgency=medium
 
   * Update to 5.45.
diff -Nru bluez-5.45/debian/patches/CVE-2017-1000250.patch bluez-5.45/debian/patches/CVE-2017-1000250.patch
--- bluez-5.45/debian/patches/CVE-2017-1000250.patch	1970-01-01 01:00:00.000000000 +0100
+++ bluez-5.45/debian/patches/CVE-2017-1000250.patch	2017-09-13 10:28:07.000000000 +0200
@@ -0,0 +1,42 @@
+Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/875633
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
+Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
+Forwarded: no
+Author: Armis Security <security at armis.com>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2017-09-13
+
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
+ 		/* continuation State exists -> get from cache */
+ 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ 		if (pCache) {
+-			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+-			pResponse = pCache->data;
+-			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+-			buf->data_size += sent;
+-			cstate->cStateValue.maxBytesSent += sent;
+-			if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+-				cstate_size = sdp_set_cstate_pdu(buf, NULL);
+-			else
+-				cstate_size = sdp_set_cstate_pdu(buf, cstate);
++			if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++				status = SDP_INVALID_CSTATE;
++				SDPDBG("Got bad cstate with invalid size");
++			} else {
++				uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++				pResponse = pCache->data;
++				memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++				buf->data_size += sent;
++				cstate->cStateValue.maxBytesSent += sent;
++				if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++					cstate_size = sdp_set_cstate_pdu(buf, NULL);
++				else
++					cstate_size = sdp_set_cstate_pdu(buf, cstate);
++			}
+ 		} else {
+ 			status = SDP_INVALID_CSTATE;
+ 			SDPDBG("Non-null continuation state, but null cache buffer");
diff -Nru bluez-5.45/debian/patches/series bluez-5.45/debian/patches/series
--- bluez-5.45/debian/patches/series	2017-07-02 02:07:00.000000000 +0200
+++ bluez-5.45/debian/patches/series	2017-09-13 10:28:07.000000000 +0200
@@ -8,3 +8,4 @@
 change_path_of_hogsuspend.patch
 fix_udevadm_in_hid2hci.patch
 org.bluez.obex.service.in.patch
+CVE-2017-1000250.patch
