Your message dated Sat, 29 Jun 2024 10:46:21 +0000
with message-id <e1snvb3-002bjd...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1073235,
regarding bookworm-pu: package bluez/5.66-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073235
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: bl...@packages.debian.org, iwama...@debian.org
Control: affects -1 + src:bluez
User: release.debian....@packages.debian.org
Usertags: pu

Attached debdiff fixes three minor security issues. The update
has been tested on a Bookworm system. debdiff below.

Cheers,
        Moritz

diff -Nru bluez-5.66/debian/changelog bluez-5.66/debian/changelog
--- bluez-5.66/debian/changelog 2023-12-10 17:57:24.000000000 +0100
+++ bluez-5.66/debian/changelog 2024-06-12 23:13:32.000000000 +0200
@@ -1,3 +1,10 @@
+bluez (5.66-1+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-27349
+  * CVE-2023-50229 / CVE-2023-50230
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Wed, 12 Jun 2024 23:13:32 +0200
+
 bluez (5.66-1+deb12u1) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
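
Review bot: the new 5.66-1+deb12u2 changelog entry lists only the CVE ids, so a reader of the changelog cannot tell which part of bluez each one touches. Suggest one short description per bullet, taken from the patch subjects further down: the AVRCP unsupported-event crash for CVE-2023-27349 and the PBAP Primary/Secondary Counter length check for CVE-2023-50229 / CVE-2023-50230, each with the name of the patch file that carries it.
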
diff -Nru bluez-5.66/debian/patches/CVE-2023-27349.patch 
bluez-5.66/debian/patches/CVE-2023-27349.patch
--- bluez-5.66/debian/patches/CVE-2023-27349.patch      1970-01-01 
01:00:00.000000000 +0100
+++ bluez-5.66/debian/patches/CVE-2023-27349.patch      2024-06-12 
16:27:04.000000000 +0200
@@ -0,0 +1,42 @@
+From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
+Date: Wed, 22 Mar 2023 11:34:24 -0700
+Subject: avrcp: Fix crash while handling unsupported events
+
+The following crash can be observed if the remote peer send and
+unsupported event:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+ at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+ WRITE of size 1 at 0x60b000148f11 thread T0
+     #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+     #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+     #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+     #3 0x7fbcb3e51c43 in g_main_context_dispatch 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+     #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+     #5 0x7fbcb3e512b2 in g_main_loop_run 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+     #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+     #7 0x559644755606 in mainloop_run_with_signal 
src/shared/mainloop-notify.c:188
+     #8 0x5596445bb963 in main src/main.c:1289
+     #9 0x7fbcb3bafd8f in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
+     #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
+     #11 0x5596444e8224 in _start 
(/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
+---
+ profiles/audio/avrcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- bluez-5.66.orig/profiles/audio/avrcp.c
++++ bluez-5.66/profiles/audio/avrcp.c
+@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struc
+       case AVRCP_EVENT_UIDS_CHANGED:
+               avrcp_uids_changed(session, pdu);
+               break;
++      default:
++              if (event > AVRCP_EVENT_LAST) {
++                      warn("Unsupported event: %u", event);
++                      return FALSE;
++              }
++              break;
+       }
+ 
+       session->registered_events |= (1 << event);
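
Review bot: the new default branch in avrcp_handle_event() returns only when event > AVRCP_EVENT_LAST, so a value at or below that bound that has no case label still takes the plain break and reaches session->registered_events |= (1 << event). Please confirm that every value up to AVRCP_EVENT_LAST is either handled by a case or safe to record in registered_events, or have default reject anything not explicitly handled. The commit message shows the AddressSanitizer trace but does not say why an out-of-range event ends in a heap write at that line; one sentence on that would make the bound easier to check.
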
diff -Nru bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch 
bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch
--- bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch       
1970-01-01 01:00:00.000000000 +0100
+++ bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch       
2024-06-12 16:28:23.000000000 +0200
@@ -0,0 +1,61 @@
+From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
+Date: Tue, 19 Sep 2023 12:14:01 -0700
+Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length
+
+Primary/Secundary Counters are supposed to be 16 bytes values, if the
+server has implemented them incorrectly it may lead to the following
+crash:
+
+=================================================================
+==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
+0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
+
+ READ of size 48 at 0x607000001878 thread T0
+     #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, 
void const*, unsigned long), void const*, void const*, unsigned long) 
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
+     #1 0x7f95a1575ba6 in __interceptor_memcmp 
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
+     #2 0x7f95a1575ba6 in __interceptor_memcmp 
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
+     #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
+     #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
+     #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
+     #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
+     #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
+     #8 0x564df698b9ee in handle_response gobex/gobex.c:1140
+     #9 0x564df698cdea in incoming_data gobex/gobex.c:1385
+     #10 0x7f95a12fdc43 in g_main_context_dispatch 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+     #11 0x7f95a13526c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+     #12 0x7f95a12fd2b2 in g_main_loop_run 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+     #13 0x564df6977d41 in main obexd/src/main.c:307
+     #14 0x7f95a10a7d8f in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
+     #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
+     #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
+ 0x607000001878 is located 0 bytes to the right of 72-byte region 
[0x607000001830,0x607000001878)
+
+ allocated by thread T0 here:
+     #0 0x7f95a1595a37 in __interceptor_calloc 
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
+     #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
+---
+ obexd/client/pbap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- bluez-5.66.orig/obexd/client/pbap.c
++++ bluez-5.66/obexd/client/pbap.c
+@@ -285,7 +285,7 @@ static void read_version(struct pbap_dat
+               data = value;
+       }
+ 
+-      if (memcmp(pbap->primary, data, len)) {
++      if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
+               memcpy(pbap->primary, data, len);
+               g_dbus_emit_property_changed(conn,
+                                       obc_session_get_path(pbap->session),
+@@ -299,7 +299,8 @@ static void read_version(struct pbap_dat
+               data = value;
+       }
+ 
+-      if (memcmp(pbap->secondary, data, len)) {
++      if (len == sizeof(pbap->secondary) &&
++                      memcmp(pbap->secondary, data, len)) {
+               memcpy(pbap->secondary, data, len);
+               g_dbus_emit_property_changed(conn,
+                                       obc_session_get_path(pbap->session),
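
Review bot: in both read_version() hunks a counter whose len differs from sizeof(pbap->primary) or sizeof(pbap->secondary) is now skipped without any message, so a server sending malformed counters leaves no trace in the obexd log. A warning that states the received length when the size check fails would make this visible. The patch is also filed under two CVE ids without saying which of the two hunks answers which; a line in the patch header mapping them would help later triage.
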
diff -Nru bluez-5.66/debian/patches/series bluez-5.66/debian/patches/series
--- bluez-5.66/debian/patches/series    2023-12-10 17:57:24.000000000 +0100
+++ bluez-5.66/debian/patches/series    2024-06-12 16:28:08.000000000 +0200
@@ -12,3 +12,5 @@
 headers-use-releative-symlinks.patch
 Change-shebang-from-usr-bin-python-to-usr-bin-python.patch
 input.conf-Change-default-of-ClassicBondedOnly.patch
+CVE-2023-27349.patch
+CVE-2023-50229_CVE-2023-50230.patch

--- End Message ---
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
