From 205bf4a19b9ebcedb9f03e76011515baa42739ab3b3148607463f2fbff619322 Mon Sep 17 00:00:00 2001
From: Stefan Seyfried
Date: Mon, 14 May 2018 17:33:44 +0000
Subject: [PATCH] Accepting request 606365 from home:acho:branches:Base:System

Add patches for bsc#1013721 CVE-2016-9800 bsc#1013877 CVE-2016-9804

OBS-URL: https://build.opensuse.org/request/show/606365
OBS-URL: https://build.opensuse.org/package/show/Base:System/bluez?expand=0&rev=251
---
 ...ix-memory-leak-with-malformed-packet.patch | 33 +++++++++++++++++++
 ...ix-memory-leak-with-malformed-packet.patch | 30 +++++++++++++++++
 bluez.changes | 11 +++++++
 bluez.spec | 5 +++
 4 files changed, 79 insertions(+)
 create mode 100644 CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
 create mode 100644 CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch

diff --git a/CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch b/CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
new file mode 100644
index 0000000..bea5617
--- /dev/null
+++ b/CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
@@ -0,0 +1,33 @@
+From 5ca9510314d15d562e9ef5515a5483be5f28258d Mon Sep 17 00:00:00 2001
+From: "Cho, Yu-Chen"
+Date: Wed, 21 Mar 2018 17:32:45 +0800
+Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
+
+Do not allow to read more then buffer size.
+---
+ tools/parser/hci.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/parser/hci.c b/tools/parser/hci.c
+index 8c7bd2581..adfd9ab1d 100644
+--- a/tools/parser/hci.c
++++ b/tools/parser/hci.c
+@@ -988,8 +988,14 @@ static inline void pin_code_reply_dump(int level, struct frame *frm)
+ memset(pin, 0, sizeof(pin));
+ if (parser.flags & DUMP_NOVENDOR)
+ memset(pin, '*', cp->pin_len);
+- else
++ else {
++ if (cp->pin_len > sizeof(pin)){
++ perror("Read failed");
++ exit(1);
++ }
++
+ memcpy(pin, cp->pin_code, cp->pin_len);
++ }
+ printf("bdaddr %s len %d pin \'%s\'\n", addr, cp->pin_len, pin);
+ }
+
+--
+2.16.2
+
diff --git a/CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch b/CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
new file mode 100644
index 0000000..dd9d79d
--- /dev/null
+++ b/CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
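Review bot: The new length check in pin_code_reply_dump() only guards the else branch, so the DUMP_NOVENDOR path two lines above it, `memset(pin, '*', cp->pin_len);`, still writes an attacker-controlled number of bytes into `pin` without any bound; the guard belongs before `if (parser.flags & DUMP_NOVENDOR)` so both branches are covered. The comparison should also be `if (cp->pin_len >= sizeof(pin))`: a pin_len equal to sizeof(pin) fills the whole buffer and overwrites the terminator that the preceding memset(pin, 0, ...) provided, so the `printf("... \'%s\'", pin)` that follows would read past the end (pin's declaration is outside the hunk, so confirm its size). `perror("Read failed")` is misleading here and in the csr.c hunk of the second patch, because it appends strerror(errno) for a condition that is not an I/O failure; `fprintf(stderr, "pin_code_reply_dump: bad pin_len %d\n", cp->pin_len);` says what actually happened. Terminating the whole sniffer with exit(1) on one malformed packet is a heavy response for a dump routine; returning after printing a diagnostic would let hcidump keep running. The patch subject calls this a memory leak, but what the check prevents is an out-of-bounds write, as the bluez.changes entry for the companion patch already says.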
@@ -0,0 +1,30 @@
+From 00f50518f232c758855ac9884a841f707f41a301 Mon Sep 17 00:00:00 2001
+From: "Cho, Yu-Chen"
+Date: Thu, 3 May 2018 18:52:19 +0800
+Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
+
+The Supported Commands is a 64 octet bit field.
+Do not allow to read more then the size.
+---
+ tools/parser/csr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/parser/csr.c b/tools/parser/csr.c
+index a0a4eb5fe..2d3db878a 100644
+--- a/tools/parser/csr.c
++++ b/tools/parser/csr.c
+@@ -145,6 +145,11 @@ static inline void commands_dump(int level, char *str, struct frame *frm)
+ unsigned char commands[64];
+ unsigned int i;
+
++ if (frm->len > 64) {
++ perror("Read failed");
++ exit(1);
++ }
++
+ memcpy(commands, frm->ptr, frm->len);
+
+ p_indent(level, frm);
+--
+2.16.3
+
diff --git a/bluez.changes b/bluez.changes
index 1eac523..42108df 100644
--- a/bluez.changes
+++ b/bluez.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri May 11 07:14:16 UTC 2018 - acho@suse.com
+
+- Add
+ CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+ * Fix hcidump memory leak in pin_code_reply_dump().
+ (bsc#1013721)(CVE-2016-9800)
+ CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+ * Fix hcidump buffer overflow in commands_dump().
+ (bsc#1013877)(CVE-2016-9804)
+
 -------------------------------------------------------------------
 Mon Mar 26 06:04:01 UTC 2018 - seife+obs@b1-systems.com
 
diff --git a/bluez.spec b/bluez.spec
index 3c2f993..07792c6 100644
--- a/bluez.spec
+++ b/bluez.spec
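Review bot: The new bound in commands_dump() repeats the literal 64 from the `unsigned char commands[64];` declaration three lines above, so the two can silently drift apart; `if (frm->len > sizeof(commands)) {` ties the check to the buffer it protects. The check is otherwise correct for the memcpy that follows, since frm->len bytes are copied from frm->ptr into commands. The rest of commands_dump(), including the loop over `i` that presumably reads the array, lies outside the hunk. Consider also documenting the contract at the top of the guard, e.g. `/* Supported Commands is a 64-octet bit field; reject anything longer. */`, which is what the patch description says but the code does not.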
@@ -40,6 +40,9 @@ Patch5: 0001-obexd-use-AM_LDFLAGS-for-linking.patch
 Patch6: disable_some_obex_tests.patch
 # PATCH-FIX-UPSTREAM: crasher bug, boo#1086731 --seife+obs@b1-systems.com
 Patch7: 0001-Don-t-refresh-adv_manager-for-non-LE-devices.patch
+# fix some memory leak with malformed packet (reported upstream but not yet fixed)
+Patch101: CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+Patch102: CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
 BuildRequires: automake
 BuildRequires: flex
 BuildRequires: libtool
@@ -148,6 +151,8 @@ desktop specific applets like blueman or GNOME or KDE applets).
 %patch6 -p1
 %endif
 %patch7 -p1
+%patch101 -p1
+%patch102 -p1
 mkdir dbus-apis
 cp -a doc/*.txt dbus-apis/
 # FIXME: Change the dbus service to be a real service, not systemd launched
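Review bot: The comment added above Patch101 does not follow the tagged form used on the Patch7 line directly above it, and it omits the bug references that bluez.changes carries, so the spec alone does not tell a reader which issues the two patches address. Something like `# PATCH-FIX-UPSTREAM bsc#1013721 CVE-2016-9800 bsc#1013877 CVE-2016-9804 -- acho@suse.com` keeps the file's convention and makes the patches traceable; since the comment says the fixes are "reported upstream but not yet fixed", check whether the project prefers a different tag for not-yet-merged submissions. The comment also describes the problem as a "memory leak" while the bluez.changes entry for the second patch calls it a buffer overflow; the two should agree. The %patch101/%patch102 lines in the second hunk are applied unconditionally, matching %patch7, which looks right.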