diff options
Diffstat (limited to 'meta/recipes-connectivity/bluez5')
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5.inc | 12 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch | 109 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch | 34 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch | 95 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch | 66 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch | 39 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch | 126 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch | 54 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5_5.55.bb (renamed from meta/recipes-connectivity/bluez5/bluez5_5.54.bb) | 14 |
9 files changed, 545 insertions, 4 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index 150d909d73..74fd344170 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \ file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e" DEPENDS = "dbus glib-2.0" +RDEPENDS:${PN} += "dbus" PROVIDES += "bluez-hcidump" RPROVIDES_${PN} += "bluez-hcidump" @@ -42,8 +43,8 @@ PACKAGECONFIG[sixaxis] = "--enable-sixaxis,--disable-sixaxis" PACKAGECONFIG[tools] = "--enable-tools,--disable-tools" PACKAGECONFIG[threads] = "--enable-threads,--disable-threads" PACKAGECONFIG[deprecated] = "--enable-deprecated,--disable-deprecated" -PACKAGECONFIG[mesh] = "--enable-mesh,--disable-mesh, json-c ell" -PACKAGECONFIG[btpclient] = "--enable-btpclient,--disable-btpclient, ell" +PACKAGECONFIG[mesh] = "--enable-mesh --enable-external-ell,--disable-mesh, json-c ell" +PACKAGECONFIG[btpclient] = "--enable-btpclient --enable-external-ell,--disable-btpclient, ell" PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,udev" SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ @@ -52,6 +53,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ file://0001-test-gatt-Fix-hung-issue.patch \ + file://CVE-2021-0129.patch \ + file://CVE-2021-3588.patch \ + file://CVE-2021-3658.patch \ + file://CVE-2022-0204.patch \ + file://CVE-2022-39176.patch \ + file://CVE-2022-3637.patch \ + file://CVE-2023-45866.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch new file mode 100644 index 0000000000..b39730dc10 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch @@ -0,0 +1,109 @@ +From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Date: Tue, 2 Mar 2021 11:38:33 -0800 +Subject: shared/gatt-server: Fix not properly checking for secure flags + +When passing the mask to check_permissions all valid permissions for +the operation must be set including BT_ATT_PERM_SECURE flags. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738] +Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> +CVE: CVE-2021-0129 +--- + src/shared/att-types.h | 8 ++++++++ + src/shared/gatt-server.c | 25 +++++++------------------ + 2 files changed, 15 insertions(+), 18 deletions(-) + +diff --git a/src/shared/att-types.h b/src/shared/att-types.h +index 7108b4e94..3adc05d9e 100644 +--- a/src/shared/att-types.h ++++ b/src/shared/att-types.h +@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp { + #define BT_ATT_PERM_WRITE_SECURE 0x0200 + #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \ + BT_ATT_PERM_WRITE_SECURE) ++#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \ ++ BT_ATT_PERM_READ_AUTHEN | \ ++ BT_ATT_PERM_READ_ENCRYPT | \ ++ BT_ATT_PERM_READ_SECURE) ++#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \ ++ BT_ATT_PERM_WRITE_AUTHEN | \ ++ BT_ATT_PERM_WRITE_ENCRYPT | \ ++ BT_ATT_PERM_WRITE_SECURE) + + /* GATT Characteristic Properties Bitfield values */ + #define BT_GATT_CHRC_PROP_BROADCAST 0x01 +diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c +index b5f7de7dc..970c35f94 100644 +--- a/src/shared/gatt-server.c ++++ b/src/shared/gatt-server.c +@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op) + return; + } + +- ecode = check_permissions(server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, + (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", + handle); + +- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | +- BT_ATT_PERM_WRITE_AUTHEN | +- BT_ATT_PERM_WRITE_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; + +@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan, + opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "", + handle); + +- ecode = check_permissions(server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, + goto error; + } + +- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(data->server, next_attr, ++ BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, + goto error; + } + +- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, + util_debug(server->debug_callback, server->debug_data, + "Prep Write Req - handle: 0x%04x", handle); + +- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | +- BT_ATT_PERM_WRITE_AUTHEN | +- BT_ATT_PERM_WRITE_ENCRYPT); ++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; + +-- +cgit 1.2.3-1.el7 + diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch new file mode 100644 index 0000000000..f52ff47a06 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch @@ -0,0 +1,34 @@ +From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Date: Mon, 4 Jan 2021 10:38:31 -0800 +Subject: [PATCH] gatt: Fix potential buffer out-of-bound + +When client features is read check if the offset is within the cli_feat +bounds. + +Fixes: https://github.com/bluez/bluez/issues/70 + ++Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a] ++Signed-off-by: Steve Sakoman <steve@sakoman.com> ++CVE: CVE-2021-3588 + +--- + src/gatt-database.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/gatt-database.c b/src/gatt-database.c +index 90cc4bade..f2d7b5821 100644 +--- a/src/gatt-database.c ++++ b/src/gatt-database.c +@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib, + goto done; + } + ++ if (offset >= sizeof(state->cli_feat)) { ++ ecode = BT_ATT_ERROR_INVALID_OFFSET; ++ goto done; ++ } ++ + len = sizeof(state->cli_feat) - offset; + value = len ? &state->cli_feat[offset] : NULL; + diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch new file mode 100644 index 0000000000..1738ca13da --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch @@ -0,0 +1,95 @@ +From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Date: Thu, 24 Jun 2021 16:32:04 -0700 +Subject: [PATCH] adapter: Fix storing discoverable setting + +discoverable setting shall only be store when changed via Discoverable +property and not when discovery client set it as that be considered +temporary just for the lifetime of the discovery. + +Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055] +Signed-off-by:Minjae Kim <flowergom@gmail.com> +--- + src/adapter.c | 35 ++++++++++++++++++++++------------- + 1 file changed, 22 insertions(+), 13 deletions(-) + +diff --git a/src/adapter.c b/src/adapter.c +index 12e4ff5c0..663b778e4 100644 +--- a/src/adapter.c ++++ b/src/adapter.c +@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings) + if (changed_mask & MGMT_SETTING_DISCOVERABLE) { + g_dbus_emit_property_changed(dbus_conn, adapter->path, + ADAPTER_INTERFACE, "Discoverable"); +- store_adapter_info(adapter); ++ /* Only persist discoverable setting if it was not set ++ * temporarily by discovery. ++ */ ++ if (!adapter->discovery_discoverable) ++ store_adapter_info(adapter); + btd_adv_manager_refresh(adapter->adv_manager); + } + +@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a, + static int update_discovery_filter(struct btd_adapter *adapter) + { + struct mgmt_cp_start_service_discovery *sd_cp; +- GSList *l; +- + + DBG(""); + +@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter) + return -ENOMEM; + } + +- for (l = adapter->discovery_list; l; l = g_slist_next(l)) { +- struct discovery_client *client = l->data; ++ /* Only attempt to overwrite current discoverable setting when not ++ * discoverable. ++ */ ++ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) { ++ GSList *l; + +- if (!client->discovery_filter) +- continue; ++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) { ++ struct discovery_client *client = l->data; + +- if (client->discovery_filter->discoverable) +- break; +- } ++ if (!client->discovery_filter) ++ continue; + +- set_discovery_discoverable(adapter, l ? true : false); ++ if (client->discovery_filter->discoverable) { ++ set_discovery_discoverable(adapter, true); ++ break; ++ } ++ } ++ } + + /* + * If filters are equal, then don't update scan, except for when +@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client) + return 0; + } + +- if (adapter->discovery_discoverable) +- set_discovery_discoverable(adapter, false); ++ set_discovery_discoverable(adapter, false); + + /* + * In the idle phase of a discovery, there is no need to stop it +@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter) + g_free(adapter->current_discovery_filter); + adapter->current_discovery_filter = NULL; + ++ set_discovery_discoverable(adapter, false); + adapter->discovering = false; + + while (adapter->connections) { +-- +2.25.1 + diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch new file mode 100644 index 0000000000..646b5ddfc8 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch @@ -0,0 +1,66 @@ +From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Date: Tue, 8 Jun 2021 16:46:49 -0700 +Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare + writes + +The code shall check if the prepare writes would append more the +allowed maximum attribute length. + +Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q + +Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0] +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +CVE: CVE-2022-0204 + +--- + src/shared/gatt-server.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c +index 0c25a97..20e14bc 100644 +--- a/src/shared/gatt-server.c ++++ b/src/shared/gatt-server.c +@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server, + server->authorize_data); + } + ++static uint8_t check_length(uint16_t length, uint16_t offset) ++{ ++ if (length > BT_ATT_MAX_VALUE_LEN) ++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; ++ ++ if (offset > BT_ATT_MAX_VALUE_LEN) ++ return BT_ATT_ERROR_INVALID_OFFSET; ++ ++ if (length + offset > BT_ATT_MAX_VALUE_LEN) ++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; ++ ++ return 0; ++} ++ + static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, + uint16_t length, void *user_data) + { +@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, + (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", + handle); + ++ ecode = check_length(length, 0); ++ if (ecode) ++ goto error; ++ + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; +@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, + util_debug(server->debug_callback, server->debug_data, + "Prep Write Req - handle: 0x%04x", handle); + ++ ecode = check_length(length, offset); ++ if (ecode) ++ goto error; ++ + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch new file mode 100644 index 0000000000..4ca60f99d5 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch @@ -0,0 +1,39 @@ +From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 27 Oct 2022 09:51:27 +0530 +Subject: [PATCH] CVE-2022-3637 + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f] +CVE: CVE-2022-3637 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +monitor: Fix crash when using RTT backend + +This fix regression introduced by "monitor: Fix memory leaks". +J-Link shared library is in use if jlink_init() returns 0 and thus +handle shall not be closed. +--- + monitor/jlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/monitor/jlink.c b/monitor/jlink.c +index afa9d93..5bd4aed 100644 +--- a/monitor/jlink.c ++++ b/monitor/jlink.c +@@ -120,9 +120,12 @@ int jlink_init(void) + !jlink.tif_select || !jlink.setspeed || + !jlink.connect || !jlink.getsn || + !jlink.emu_getproductname || +- !jlink.rtterminal_control || !jlink.rtterminal_read) ++ !jlink.rtterminal_control || !jlink.rtterminal_read) { ++ dlclose(so); + return -EIO; ++ } + ++ /* don't dlclose(so) here cause symbols from it are in use now */ + return 0; + } + +-- +2.25.1 + diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch new file mode 100644 index 0000000000..7bd1f5f80f --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch @@ -0,0 +1,126 @@ +From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 28 Sep 2022 10:45:53 +0530 +Subject: [PATCH] CVE-2022-39176 + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6] +CVE: CVE-2022-39176 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++--------------- + profiles/audio/avrcp.c | 8 ++++++ + 2 files changed, 44 insertions(+), 20 deletions(-) + +diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c +index 782268c..0adf413 100644 +--- a/profiles/audio/avdtp.c ++++ b/profiles/audio/avdtp.c +@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session, + return NULL; + } + +-static GSList *caps_to_list(uint8_t *data, int size, ++static GSList *caps_to_list(uint8_t *data, size_t size, + struct avdtp_service_capability **codec, + gboolean *delay_reporting) + { ++ struct avdtp_service_capability *cap; + GSList *caps; +- int processed; + + if (delay_reporting) + *delay_reporting = FALSE; + +- for (processed = 0, caps = NULL; processed + 2 <= size;) { +- struct avdtp_service_capability *cap; +- uint8_t length, category; ++ if (size < sizeof(*cap)) ++ return NULL; ++ ++ for (caps = NULL; size >= sizeof(*cap);) { ++ struct avdtp_service_capability *cpy; + +- category = data[0]; +- length = data[1]; ++ cap = (struct avdtp_service_capability *)data; + +- if (processed + 2 + length > size) { ++ if (sizeof(*cap) + cap->length > size) { + error("Invalid capability data in getcap resp"); + break; + } + +- cap = g_malloc(sizeof(struct avdtp_service_capability) + +- length); +- memcpy(cap, data, 2 + length); ++ if (cap->category == AVDTP_MEDIA_CODEC && ++ cap->length < sizeof(**codec)) { ++ error("Invalid codec data in getcap resp"); ++ break; ++ } ++ ++ cpy = btd_malloc(sizeof(*cpy) + cap->length); ++ memcpy(cpy, cap, sizeof(*cap) + cap->length); + +- processed += 2 + length; +- data += 2 + length; ++ size -= sizeof(*cap) + cap->length; ++ data += sizeof(*cap) + cap->length; + +- caps = g_slist_append(caps, cap); ++ caps = g_slist_append(caps, cpy); + +- if (category == AVDTP_MEDIA_CODEC && +- length >= +- sizeof(struct avdtp_media_codec_capability)) +- *codec = cap; +- else if (category == AVDTP_DELAY_REPORTING && delay_reporting) +- *delay_reporting = TRUE; ++ switch (cap->category) { ++ case AVDTP_MEDIA_CODEC: ++ if (codec) ++ *codec = cpy; ++ break; ++ case AVDTP_DELAY_REPORTING: ++ if (delay_reporting) ++ *delay_reporting = TRUE; ++ break; ++ } + } + + return caps; +@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction, + &stream->codec, + &stream->delay_reporting); + ++ if (!stream->caps || !stream->codec) { ++ err = AVDTP_UNSUPPORTED_CONFIGURATION; ++ category = 0x00; ++ goto failed_stream; ++ } ++ + /* Verify that the Media Transport capability's length = 0. Reject otherwise */ + for (l = stream->caps; l != NULL; l = g_slist_next(l)) { + struct avdtp_service_capability *cap = l->data; +diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c +index d9471c0..0233d53 100644 +--- a/profiles/audio/avrcp.c ++++ b/profiles/audio/avrcp.c +@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction, + goto err_metadata; + } + ++ operands += sizeof(*pdu); ++ operand_count -= sizeof(*pdu); ++ ++ if (pdu->params_len != operand_count) { ++ DBG("AVRCP PDU parameters length don't match"); ++ pdu->params_len = operand_count; ++ } ++ + for (handler = session->control_handlers; handler->pdu_id; handler++) { + if (handler->pdu_id == pdu->pdu_id) + break; +-- +2.25.1 + diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch new file mode 100644 index 0000000000..43670ab2b3 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch @@ -0,0 +1,54 @@ +From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Date: Tue, 10 Oct 2023 13:03:12 -0700 +Subject: input.conf: Change default of ClassicBondedOnly + +This changes the default of ClassicBondedOnly since defaulting to false +is not inline with HID specification which mandates the of Security Mode +4: + +BLUETOOTH SPECIFICATION Page 84 of 123 +Human Interface Device (HID) Profile: + +5.4.3.4.2 Security Modes +Bluetooth HID Hosts shall use Security Mode 4 when interoperating with +Bluetooth HID devices that are compliant to the Bluetooth Core +Specification v2.1+EDR[6]. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675] +CVE: CVE-2023-45866 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + profiles/input/device.c | 2 +- + profiles/input/input.conf | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 375314e..0236488 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -93,7 +93,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; +-static bool classic_bonded_only = false; ++static bool classic_bonded_only = true; + + void input_set_idle_timeout(int timeout) + { +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 4c70bc5..d8645f3 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -17,7 +17,7 @@ + # platforms may want to make sure that input connections only come from bonded + # device connections. Several older mice have been known for not supporting + # pairing/encryption. +-# Defaults to false to maximize device compatibility. ++# Defaults to true for security. + #ClassicBondedOnly=true + + # LE upgrade security +-- +2.25.1 + diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb index 260eee1402..be74a35e0a 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb @@ -1,7 +1,17 @@ require bluez5.inc -SRC_URI[md5sum] = "e637feb2dbb7582bbbff1708367a847c" -SRC_URI[sha256sum] = "68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc" +SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a" +SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88" + +# These issues have kernel fixes rather than bluez fixes so exclude here +CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490" + +# Commit 7a80d2096f1b7125085e21448112aa02f49f5e9a, e2b0f0d8d63e1223bb714a9efb37e2257818268b +# and 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 to fix CVE-2022-39177 +# already backport in CVE-2022-39176.patch +# https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968 + +CVE_CHECK_WHITELIST += "CVE-2022-39177" # noinst programs in Makefile.tools that are conditional on READLINE # support |