Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: bl...@packages.debian.org, iwama...@debian.org
Control: affects -1 + src:bluez
User: release.debian....@packages.debian.org
Usertags: pu
Attached debdiff fixes three minor security issues. The update
has been tested on a Bookworm system. debdiff below.
Cheers,
Moritz
diff -Nru bluez-5.66/debian/changelog bluez-5.66/debian/changelog
--- bluez-5.66/debian/changelog 2023-12-10 17:57:24.000000000 +0100
+++ bluez-5.66/debian/changelog 2024-06-12 23:13:32.000000000 +0200
@@ -1,3 +1,10 @@
+bluez (5.66-1+deb12u2) bookworm; urgency=medium
+
+ * CVE-2023-27349
+ * CVE-2023-50229 / CVE-2023-50230
+
+ -- Moritz Mühlenhoff <j...@debian.org> Wed, 12 Jun 2024 23:13:32 +0200
+
bluez (5.66-1+deb12u1) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru bluez-5.66/debian/patches/CVE-2023-27349.patch
bluez-5.66/debian/patches/CVE-2023-27349.patch
--- bluez-5.66/debian/patches/CVE-2023-27349.patch 1970-01-01
01:00:00.000000000 +0100
+++ bluez-5.66/debian/patches/CVE-2023-27349.patch 2024-06-12
16:27:04.000000000 +0200
@@ -0,0 +1,42 @@
+From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
+Date: Wed, 22 Mar 2023 11:34:24 -0700
+Subject: avrcp: Fix crash while handling unsupported events
+
+The following crash can be observed if the remote peer send and
+unsupported event:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+ at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+ WRITE of size 1 at 0x60b000148f11 thread T0
+ #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+ #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+ #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+ #3 0x7fbcb3e51c43 in g_main_context_dispatch
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+ #4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+ #5 0x7fbcb3e512b2 in g_main_loop_run
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+ #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+ #7 0x559644755606 in mainloop_run_with_signal
src/shared/mainloop-notify.c:188
+ #8 0x5596445bb963 in main src/main.c:1289
+ #9 0x7fbcb3bafd8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
+ #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
+ #11 0x5596444e8224 in _start
(/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
+---
+ profiles/audio/avrcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- bluez-5.66.orig/profiles/audio/avrcp.c
++++ bluez-5.66/profiles/audio/avrcp.c
+@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struc
+ case AVRCP_EVENT_UIDS_CHANGED:
+ avrcp_uids_changed(session, pdu);
+ break;
++ default:
++ if (event > AVRCP_EVENT_LAST) {
++ warn("Unsupported event: %u", event);
++ return FALSE;
++ }
++ break;
+ }
+
+ session->registered_events |= (1 << event);
diff -Nru bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch
bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch
--- bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch
1970-01-01 01:00:00.000000000 +0100
+++ bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch
2024-06-12 16:28:23.000000000 +0200
@@ -0,0 +1,61 @@
+From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
+Date: Tue, 19 Sep 2023 12:14:01 -0700
+Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length
+
+Primary/Secundary Counters are supposed to be 16 bytes values, if the
+server has implemented them incorrectly it may lead to the following
+crash:
+
+=================================================================
+==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
+0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
+
+ READ of size 48 at 0x607000001878 thread T0
+ #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*,
void const*, unsigned long), void const*, void const*, unsigned long)
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
+ #1 0x7f95a1575ba6 in __interceptor_memcmp
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
+ #2 0x7f95a1575ba6 in __interceptor_memcmp
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
+ #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
+ #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
+ #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
+ #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
+ #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
+ #8 0x564df698b9ee in handle_response gobex/gobex.c:1140
+ #9 0x564df698cdea in incoming_data gobex/gobex.c:1385
+ #10 0x7f95a12fdc43 in g_main_context_dispatch
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+ #11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+ #12 0x7f95a12fd2b2 in g_main_loop_run
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+ #13 0x564df6977d41 in main obexd/src/main.c:307
+ #14 0x7f95a10a7d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
+ #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
+ #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
+ 0x607000001878 is located 0 bytes to the right of 72-byte region
[0x607000001830,0x607000001878)
+
+ allocated by thread T0 here:
+ #0 0x7f95a1595a37 in __interceptor_calloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
+ #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
+---
+ obexd/client/pbap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- bluez-5.66.orig/obexd/client/pbap.c
++++ bluez-5.66/obexd/client/pbap.c
+@@ -285,7 +285,7 @@ static void read_version(struct pbap_dat
+ data = value;
+ }
+
+- if (memcmp(pbap->primary, data, len)) {
++ if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
+ memcpy(pbap->primary, data, len);
+ g_dbus_emit_property_changed(conn,
+ obc_session_get_path(pbap->session),
+@@ -299,7 +299,8 @@ static void read_version(struct pbap_dat
+ data = value;
+ }
+
+- if (memcmp(pbap->secondary, data, len)) {
++ if (len == sizeof(pbap->secondary) &&
++ memcmp(pbap->secondary, data, len)) {
+ memcpy(pbap->secondary, data, len);
+ g_dbus_emit_property_changed(conn,
+ obc_session_get_path(pbap->session),
diff -Nru bluez-5.66/debian/patches/series bluez-5.66/debian/patches/series
--- bluez-5.66/debian/patches/series 2023-12-10 17:57:24.000000000 +0100
+++ bluez-5.66/debian/patches/series 2024-06-12 16:28:08.000000000 +0200
@@ -12,3 +12,5 @@
headers-use-releative-symlinks.patch
Change-shebang-from-usr-bin-python-to-usr-bin-python.patch
input.conf-Change-default-of-ClassicBondedOnly.patch
+CVE-2023-27349.patch
+CVE-2023-50229_CVE-2023-50230.patch
