fix CVE-2023-27349

2023-04-18 10:53:40 +00:00 · 2023-04-18 10:53:40 +00:00 · df4dcca450
commit df4dcca450
parent 4ccc7d3015
2 changed files with 51 additions and 1 deletions
--- a/backport-CVE-2023-27349.patch
+++ b/backport-CVE-2023-27349.patch
@ -0,0 +1,46 @@
+From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 22 Mar 2023 11:34:24 -0700
+Subject: avrcp: Fix crash while handling unsupported events
+
+The following crash can be observed if the remote peer send and
+unsupported event:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+ at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+ WRITE of size 1 at 0x60b000148f11 thread T0
+     #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+     #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+     #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+     #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+     #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+     #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+     #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+     #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
+     #8 0x5596445bb963 in main src/main.c:1289
+     #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+     #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
+     #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
+---
+ profiles/audio/avrcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index 80f34c7a7..dda9a303f 100644
+--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
+@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, uint8_t code,
+ 	case AVRCP_EVENT_UIDS_CHANGED:
+ 		avrcp_uids_changed(session, pdu);
+ 		break;
+	default:
+		if (event > AVRCP_EVENT_LAST) {
+			warn("Unsupported event: %u", event);
+			return FALSE;
+		}
+		break;
+ 	}
+ 
+ 	session->registered_events |= (1 << event);
+-- 
+cgit 
--- a/bluez.spec
+++ b/bluez.spec
@ -1,7 +1,7 @@
 Name:             bluez
 Summary:          Bluetooth utilities
 Version:          5.54
-Release:          16
+Release:          17
 License:          GPLv2+
 URL:              http://www.bluez.org/
 Source0:          http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@ -37,6 +37,7 @@ Patch6012:	  backport-0002-CVE-2022-39177.patch
 %ifarch sw_64
 Patch6013:	  bluez-5.54-sw.patch
 %endif
+Patch6014:        backport-CVE-2023-27349.patch

 BuildRequires:    dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires:    glib2-devel libical-devel readline-devel 
@ -193,6 +194,9 @@ make check
 %{_mandir}/man8/*

 %changelog
+* Tue Apr 18 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 5.54-17
+- DESC:fix CVE-2023-27349
+
 * Thu Dec 08 2022 zhangzhixin <zhixin.zhang@i-soft.com.cn> - 5.54-16
 - add sw64 patch