diff --git a/backport-CVE-2021-3588.patch b/backport-CVE-2021-3588.patch
new file mode 100644
index 0000000..7976139
--- /dev/null
+++ b/backport-CVE-2021-3588.patch
@@ -0,0 +1,33 @@
+From 9e6889d3b9d8f4dcc1ba57e6345d1efb2fbe1e77 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 4 Jan 2021 10:41:53 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index c11d14b..a6530ba 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -1082,6 +1082,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+ goto done;
+ }
+
++ if (offset >= sizeof(state->cli_feat)) {
++ ecode = BT_ATT_ERROR_INVALID_OFFSET;
++ goto done;
++ }
++
+ len = sizeof(state->cli_feat) - offset;
+ value = len ? &state->cli_feat[offset] : NULL;
+
+--
+2.23.0
+
diff --git a/bluez.spec b/bluez.spec
index b33accd..6fe54a2 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -1,7 +1,7 @@
 Name: bluez
 Summary: Bluetooth utilities
 Version: 5.54
-Release: 3
+Release: 4
 License: GPLv2+
 URL: http://www.bluez.org/
 Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -17,6 +17,7 @@ Patch0003: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
 Patch0004: 0003-systemd-Add-more-filesystem-lockdown.patch
 Patch0005: 0004-systemd-More-lockdown.patch
 Patch0006: 0005-Exit-test-mesh-crypto-on-any-detected-fail.patch
+Patch0007: backport-CVE-2021-3588.patch
 BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires: git-core glib2-devel libical-devel readline-devel
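Review bot: The new guard in cli_feat_read_cb rejects `offset == sizeof(state->cli_feat)` with BT_ATT_ERROR_INVALID_OFFSET, yet the unchanged line two below, `value = len ? &state->cli_feat[offset] : NULL;`, exists precisely for that zero-length case and can no longer see `len == 0`. If a read at an offset equal to the attribute length is meant to return an empty value rather than an error (which is what the ternary suggests the original author intended), the guard should read `if (offset > sizeof(state->cli_feat)) {`; with that form `offset == sizeof` yields `len = 0` and `value = NULL`, so no indexing into cli_feat happens and the out-of-bounds read is still closed. If rejecting the end offset is deliberate, the ternary is dead and could become `value = &state->cli_feat[offset];` with a short comment explaining why the end offset is treated as invalid, so a later backporter does not "fix" it the other way. The function's signature and its `done:` label lie outside the hunk, so the error path that consumes `ecode`, `value` and `len` cannot be checked here.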
@@ -173,6 +174,12 @@ make check
 %{_mandir}/man8/*
 %changelog
+* Sat Jun 26 2021 zhanzhimin - 5.54-4
+- Type:CVE
+- ID:CVE-2021-3588
+- SUG:NA
+- DESC:fix CVE-2021-3588
+
 * Wed Sep 16 2020 orange-snn - 5.54-3
 - bugfix test-mesh-crypto faild