Hi Proposed debdiff for unstable.
Regards, Salvatore
diff -Nru bluez-5.45/debian/changelog bluez-5.45/debian/changelog
--- bluez-5.45/debian/changelog 2017-07-02 02:07:00.000000000 +0200
+++ bluez-5.45/debian/changelog 2017-09-13 10:28:07.000000000 +0200
@@ -1,3 +1,11 @@
+bluez (5.45-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2017-1000250: information disclosure vulnerability in
+ service_search_attr_req (Closes: #875633)
+
+ -- Salvatore Bonaccorso <[email protected]> Wed, 13 Sep 2017 10:28:07 +0200
+
 bluez (5.45-1) unstable; urgency=medium
 
 * Update to 5.45.
diff -Nru bluez-5.45/debian/patches/CVE-2017-1000250.patch bluez-5.45/debian/patches/CVE-2017-1000250.patch
--- bluez-5.45/debian/patches/CVE-2017-1000250.patch 1970-01-01 01:00:00.000000000 +0100
+++ bluez-5.45/debian/patches/CVE-2017-1000250.patch 2017-09-13 10:28:07.000000000 +0200
@@ -0,0 +1,42 @@
+Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/875633
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
+Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
+Forwarded: no
+Author: Armis Security <[email protected]>
+Reviewed-by: Salvatore Bonaccorso <[email protected]>
+Last-Update: 2017-09-13
+
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ if (pCache) {
+- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+- pResponse = pCache->data;
+- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+- buf->data_size += sent;
+- cstate->cStateValue.maxBytesSent += sent;
+- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+- cstate_size = sdp_set_cstate_pdu(buf, NULL);
+- else
+- cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++ status = SDP_INVALID_CSTATE;
++ SDPDBG("Got bad cstate with invalid size");
++ } else {
++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++ pResponse = pCache->data;
++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++ buf->data_size += sent;
++ cstate->cStateValue.maxBytesSent += sent;
++ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++ cstate_size = sdp_set_cstate_pdu(buf, NULL);
++ else
++ cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ }
+ } else {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Non-null continuation state, but null cache buffer");
diff -Nru bluez-5.45/debian/patches/series bluez-5.45/debian/patches/series
--- bluez-5.45/debian/patches/series 2017-07-02 02:07:00.000000000 +0200
+++ bluez-5.45/debian/patches/series 2017-09-13 10:28:07.000000000 +0200
@@ -8,3 +8,4 @@
 change_path_of_hogsuspend.patch
 fix_udevadm_in_hid2hci.patch
 org.bluez.obex.service.in.patch
+CVE-2017-1000250.patch
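Review bot: The new `maxBytesSent >= pCache->data_size` guard in the `src/sdpd-request.c` hunk of `CVE-2017-1000250.patch` carries no comment explaining why it exists, and the debug string `"Got bad cstate with invalid size"` does not record the offending offset or the cache size. Because the continuation state is handed back by the remote peer, I would put `/* maxBytesSent is taken from the peer's cstate: it must fall inside the cached response, otherwise memcpy reads from beyond pCache->data */` above the guard and log both values in the `SDPDBG` call. The `memcpy` into `buf->data` is still bounded only by `max`; the hunk does not show how `buf->data` is sized relative to `max`, so that is worth confirming. Whether other handlers in this file resume from a cached response the same way is also not visible here and should be checked for the same missing bound. `service_search_attr_req` begins and ends outside the hunk.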

