fix CVE-2021-3588

backport-CVE-2021-3588.patch

@@ -0,0 +1,33 @@
+From 9e6889d3b9d8f4dcc1ba57e6345d1efb2fbe1e77 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:41:53 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index c11d14b..a6530ba 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -1082,6 +1082,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+ 		goto done;
+ 	}
+ 
++	if (offset >= sizeof(state->cli_feat)) {
++		ecode = BT_ATT_ERROR_INVALID_OFFSET;
++		goto done;
++	}
++
+ 	len = sizeof(state->cli_feat) - offset;
+ 	value = len ? &state->cli_feat[offset] : NULL;
+ 
+-- 
+2.23.0
+

bluez.spec

@@ -1,7 +1,7 @@
 Name:             bluez
 Summary:          Bluetooth utilities
 Version:          5.54
-Release:          3
+Release:          4
 License:          GPLv2+
 URL:              http://www.bluez.org/
 Source0:          http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -17,6 +17,7 @@ Patch0003:        0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
 Patch0004:        0003-systemd-Add-more-filesystem-lockdown.patch
 Patch0005:        0004-systemd-More-lockdown.patch
 Patch0006:	  0005-Exit-test-mesh-crypto-on-any-detected-fail.patch
+Patch0007:        backport-CVE-2021-3588.patch
 
 BuildRequires:    dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires:    git-core glib2-devel libical-devel readline-devel 
@@ -173,6 +174,12 @@ make check
 %{_mandir}/man8/*
 
 %changelog
+* Sat Jun 26 2021 zhanzhimin <zhanzhimin@huawei.com> - 5.54-4
+- Type:CVE
+- ID:CVE-2021-3588
+- SUG:NA
+- DESC:fix CVE-2021-3588
+
 * Wed Sep 16 2020 orange-snn <songnannan2@huawei.com> - 5.54-3
 - bugfix test-mesh-crypto faild