[OE-core] [PATCH][morty] bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250)

akuster808 akuster808 at gmail.com
Thu Sep 14 19:26:13 UTC 2017


Bruce,


On 09/14/2017 06:13 AM, Bruce Ashfield wrote:
> .. and if anyone notices, there's a kernel part to this CVE as well.
>
> I've applied the fix to all the active linux-yocto kernels, and the
> change will be part of my consolidated pull request that comes out later today.

thanks. I will merge with pyro and morty when they hit master.

- armin
>
> Cheers,
>
> Bruce
>
> On Thu, Sep 14, 2017 at 8:27 AM, Ross Burton <ross.burton at intel.com 
> <mailto:ross.burton at intel.com>> wrote:
>
>     All versions of the SDP server in BlueZ 5.46 and earlier are
>     vulnerable to an
>     information disclosure vulnerability which allows remote attackers
>     to obtain
>     sensitive information from the bluetoothd process memory. This
>     vulnerability
>     lies in the processing of SDP search attribute requests.
>
>     Signed-off-by: Ross Burton <ross.burton at intel.com
>     <mailto:ross.burton at intel.com>>
>     ---
>      meta/recipes-connectivity/bluez5/bluez5.inc |  1 +
>      .../bluez5/bluez5/cve-2017-1000250.patch  | 34 ++++++++++++++++++++++
>      2 files changed, 35 insertions(+)
>      create mode 100644
>     meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
>
>     diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc
>     b/meta/recipes-connectivity/bluez5/bluez5.inc
>     index ecefb7b593e..3421c382063 100644
>     --- a/meta/recipes-connectivity/bluez5/bluez5.inc
>     +++ b/meta/recipes-connectivity/bluez5/bluez5.inc
>     @@ -23,6 +23,7 @@ SRC_URI = "\
>          file://run-ptest \
>          ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '',
>     'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch',
>     d)} \
>        
>      file://0001-tests-add-a-target-for-building-tests-without-runnin.patch
>     \
>     +    file://cve-2017-1000250.patch \
>      "
>      S = "${WORKDIR}/bluez-${PV}"
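Review bot: the new `file://cve-2017-1000250.patch` entry is added unconditionally, beside the systemd-conditional obexd patch, which is correct here because the fix it carries touches src/sdpd-request.c and does not depend on DISTRO_FEATURES. One naming nit: the file is `cve-2017-1000250.patch` in lowercase while the header inside it tags `CVE: CVE-2017-1000250`; using the uppercase form in the filename keeps the two consistent and makes the CVE identifiable from the SRC_URI line alone.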
>
>     diff --git
>     a/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
>     b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
>     new file mode 100644
>     index 00000000000..9fac961bcf6
>     --- /dev/null
>     +++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
>     @@ -0,0 +1,34 @@
>     +All versions of the SDP server in BlueZ 5.46 and earlier are
>     vulnerable to an
>     +information disclosure vulnerability which allows remote
>     attackers to obtain
>     +sensitive information from the bluetoothd process memory. This
>     vulnerability
>     +lies in the processing of SDP search attribute requests.
>     +
>     +CVE: CVE-2017-1000250
>     +Upstream-Status: Backport
>     +Signed-off-by: Ross Burton <ross.burton at intel.com
>     <mailto:ross.burton at intel.com>>
>     +
>     +From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00
>     2001
>     +From: Luiz Augusto von Dentz <luiz.von.dentz at intel.com
>     <mailto:luiz.von.dentz at intel.com>>
>     +Date: Wed, 13 Sep 2017 10:01:40 +0300
>     +Subject: sdp: Fix Out-of-bounds heap read in
>     service_search_attr_req function
>     +
>     +Check if there is enough data to continue otherwise return an error.
>     +---
>     + src/sdpd-request.c | 2 +-
>     + 1 file changed, 1 insertion(+), 1 deletion(-)
>     +
>     +diff --git a/src/sdpd-request.c b/src/sdpd-request.c
>     +index 1eefdce..318d044 100644
>     +--- a/src/sdpd-request.c
>     ++++ b/src/sdpd-request.c
>     +@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t
>     *req, sdp_buf_t *buf)
>     +       } else {
>     +               /* continuation State exists -> get from cache */
>     +               sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
>     +-              if (pCache) {
>     ++              if (pCache && cstate->cStateValue.maxBytesSent <
>     pCache->data_size) {
>     +                       uint16_t sent = MIN(max, pCache->data_size
>     - cstate->cStateValue.maxBytesSent);
>     +                       pResponse = pCache->data;
>     +                       memcpy(buf->data, pResponse +
>     cstate->cStateValue.maxBytesSent, sent);
>     +--
>     +cgit v1.1
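Review bot: the widened condition `if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size)` addresses the real defect: with the old `if (pCache)` alone, a continuation state whose maxBytesSent was at or beyond data_size made `pCache->data_size - cstate->cStateValue.maxBytesSent` go negative or wrap (the operand types are not shown in the hunk), so `sent` was bounded only by `max` and the memcpy read past the cached response, which is the heap over-read this CVE describes. Two things to confirm before merging: the hunk context stops at the memcpy, so the failure path the commit message promises ("otherwise return an error") is not visible; check that the morty copy of sdpd-request.c actually returns an error when the new condition fails rather than continuing with an empty or stale response. Also, `Upstream-Status: Backport` would be more useful with the upstream commit URL appended, since the 9e009647 hash appears only in the From line and the trailing `cgit v1.1` footer shows the patch was taken from a cgit export rather than from git format-patch.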
>     --
>     2.11.0
>
>     --
>     _______________________________________________
>     Openembedded-core mailing list
>     Openembedded-core at lists.openembedded.org
>     <mailto:Openembedded-core at lists.openembedded.org>
>     http://lists.openembedded.org/mailman/listinfo/openembedded-core
>     <http://lists.openembedded.org/mailman/listinfo/openembedded-core>
>
>
>
>
> -- 
> "Thou shalt not follow the NULL pointer, for chaos and madness await 
> thee at its end"
>
>
