fix CVE-2021-0129

backport-CVE-2021-0129.patch

@@ -0,0 +1,80 @@
+From e15a27eee8d48871089d621ab43a21f2c855df1e Mon Sep 17 00:00:00 2001
+From: xingxing <xingxing9@h-partners.com>
+Date: Tue, 1 Mar 2022 16:08:57 +0800
+Subject: [PATCH] CVE-2021-0129.patch
+
+---
+ src/shared/att-types.h   |  8 ++++++++
+ src/shared/gatt-server.c | 16 ++++------------
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 99b1089..f468a98 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -142,6 +142,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE	0x0200
+ #define BT_ATT_PERM_SECURE		(BT_ATT_PERM_READ_SECURE | \
+ 					BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK		(BT_ATT_PERM_READ | \
++					BT_ATT_PERM_READ_AUTHEN | \
++					BT_ATT_PERM_READ_ENCRYPT | \
++					BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK		(BT_ATT_PERM_WRITE | \
++					BT_ATT_PERM_WRITE_AUTHEN | \
++					BT_ATT_PERM_WRITE_ENCRYPT | \
++					BT_ATT_PERM_WRITE_SECURE)
+ 
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST			0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 7e5d652..a79a786 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -473,9 +473,7 @@ static void process_read_by_type(struct async_read_op *op)
+ 		return;
+ 	}
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -848,9 +846,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 				(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ 				handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-						BT_ATT_PERM_WRITE_AUTHEN |
+-						BT_ATT_PERM_WRITE_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -961,9 +957,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+ 			opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+ 			handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1360,9 +1354,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 	util_debug(server->debug_callback, server->debug_data,
+ 				"Prep Write Req - handle: 0x%04x", handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-						BT_ATT_PERM_WRITE_AUTHEN |
+-						BT_ATT_PERM_WRITE_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+-- 
+2.27.0
+

bluez.spec

@@ -1,7 +1,7 @@
 Name:             bluez
 Summary:          Bluetooth utilities
 Version:          5.54
-Release:          11
+Release:          12
 License:          GPLv2+
 URL:              http://www.bluez.org/
 Source0:          http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -25,6 +25,7 @@ Patch6000:        backport-CVE-2020-27153.patch
 Patch6001:        backport-0001-CVE-2021-3658.patch
 Patch6002:        backport-0002-CVE-2021-3658.patch
 Patch6003:        backport-CVE-2021-43400.patch
+Patch6004:        backport-CVE-2021-0129.patch
 
 BuildRequires:    dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires:    glib2-devel libical-devel readline-devel 
@@ -181,6 +182,12 @@ make check
 %{_mandir}/man8/*
 
 %changelog
+* Tue Mar 1 2022 xingxing <xingxing9@h-partners.com> - 5.54-12
+- Type:CVE
+- CVE:CVE-2021-0129
+- SUG:NA
+- DESC:fix CVE-2021-0129
+
 * Fri Feb 11 2022 xingxing <xingxing9@h-partners.com> - 5.54-11
 - Type:CVE
 - CVE:CVE-2021-43400