From 46c6c426d4515f4b8bd5b97878bf041b0bf4144ea1a6001a32d56da601fc20a8 Mon Sep 17 00:00:00 2001 From: Stefan Seyfried Date: Mon, 21 Oct 2019 12:23:56 +0000 Subject: [PATCH] Accepting request 741493 from home:seife:testing add 0001-mesh-Fix-segmentation-fault-on-Join-call.patch (boo#1152672) OBS-URL: https://build.opensuse.org/request/show/741493 OBS-URL: https://build.opensuse.org/package/show/Base:System/bluez?expand=0&rev=277 --- ...-Fix-segmentation-fault-on-Join-call.patch | 54 +++++++++++++++++++ ...ix-memory-leak-with-malformed-packet.patch | 37 +++++++++++++ ...ix-memory-leak-with-malformed-packet.patch | 34 ++++++++++++ README.md | 8 +++ ...-the-43xx-firmware-into-lib-firmware.patch | 25 +++++++++ _service | 10 +--- bluez-5.11-logitech-hid2hci.patch | 25 +++++++++ bluez-cups-libexec.patch | 26 +++++++++ bluez-disable-broken-tests.diff | 24 +++++++++ bluez-patches.tar.xz | 3 -- bluez-sdp-unix-path.patch | 11 ++++ bluez.changes | 11 ++-- bluez.spec | 30 +++++++++-- 13 files changed, 279 insertions(+), 19 deletions(-) create mode 100644 0001-mesh-Fix-segmentation-fault-on-Join-call.patch create mode 100644 CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch create mode 100644 CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch create mode 100644 README.md create mode 100644 RPi-Move-the-43xx-firmware-into-lib-firmware.patch create mode 100644 bluez-5.11-logitech-hid2hci.patch create mode 100644 bluez-cups-libexec.patch create mode 100644 bluez-disable-broken-tests.diff delete mode 100644 bluez-patches.tar.xz create mode 100644 bluez-sdp-unix-path.patch diff --git a/0001-mesh-Fix-segmentation-fault-on-Join-call.patch b/0001-mesh-Fix-segmentation-fault-on-Join-call.patch new file mode 100644 index 0000000..26e12d9 --- /dev/null +++ b/0001-mesh-Fix-segmentation-fault-on-Join-call.patch 
@@ -0,0 +1,54 @@ +From d6a0539d1ddf9f115e889d2bdd27f038408eaf31 Mon Sep 17 00:00:00 2001 +From: Inga Stotland +Date: Tue, 1 Oct 2019 11:51:08 -0700 +Subject: [PATCH] mesh: Fix segmentation fault on Join() call + +This fixes the following segfault: + +node_init_cb (node=0x0, agent=0x0) at mesh/mesh.c:359 + reply = dbus_error(join_pending->msg, MESH_ERROR_FAILED, + + user_data=0x5555555be170) at mesh/node.c:1760 + dbus=) at ell/dbus.c:216 + user_data=0x5555555a6e00) at ell/dbus.c:279 + user_data=0x5555555a7ef0) at ell/io.c:126 + at ell/main.c:642 + at mesh/main.c:205 + +The fault was caused by the premature deletion of preserved state. + +This moves setup of disconnect watch for the application calling the Join() +method into the node_init_cb(), after a temporary node has been +successfully created. +--- + mesh/mesh.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/mesh/mesh.c b/mesh/mesh.c +index b660a7ef2..9b2b2073b 100644 +--- a/mesh/mesh.c ++++ b/mesh/mesh.c +@@ -377,6 +377,11 @@ static void node_init_cb(struct mesh_node *node, struct mesh_agent *agent) + l_dbus_send(dbus_get_bus(), reply); + join_pending->msg = NULL; + ++ /* Setup disconnect watch */ ++ join_pending->disc_watch = l_dbus_add_disconnect_watch(dbus_get_bus(), ++ join_pending->sender, ++ prov_disc_cb, NULL, NULL); ++ + return; + + fail: +@@ -423,8 +428,6 @@ static struct l_dbus_message *join_network_call(struct l_dbus *dbus, + sender = l_dbus_message_get_sender(msg); + + join_pending->sender = l_strdup(sender); +- join_pending->disc_watch = l_dbus_add_disconnect_watch(dbus, sender, +- prov_disc_cb, NULL, NULL); + join_pending->msg = l_dbus_message_ref(msg); + join_pending->app_path = app_path; + +-- +2.23.0 + diff --git a/CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch b/CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch new file mode 100644 index 0000000..3048af9 --- /dev/null 
+++ b/CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch @@ -0,0 +1,37 @@ +# Upstream suggests to use btmon instead of hcidump and does not want those patches +# => PATCH-FIX-OPENSUSE for those two :-) +# fix some memory leak with malformed packet (reported upstream but not yet fixed) + +From 5ca9510314d15d562e9ef5515a5483be5f28258d Mon Sep 17 00:00:00 2001 +From: "Cho, Yu-Chen" +Date: Wed, 21 Mar 2018 17:32:45 +0800 +Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet + +Do not allow to read more then buffer size. +--- + tools/parser/hci.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/parser/hci.c b/tools/parser/hci.c +index 8c7bd2581..adfd9ab1d 100644 +--- a/tools/parser/hci.c ++++ b/tools/parser/hci.c +@@ -988,8 +988,14 @@ static inline void pin_code_reply_dump(int level, struct frame *frm) + memset(pin, 0, sizeof(pin)); + if (parser.flags & DUMP_NOVENDOR) + memset(pin, '*', cp->pin_len); +- else ++ else { ++ if (cp->pin_len > sizeof(pin)){ ++ perror("Read failed"); ++ exit(1); ++ } ++ + memcpy(pin, cp->pin_code, cp->pin_len); ++ } + printf("bdaddr %s len %d pin \'%s\'\n", addr, cp->pin_len, pin); + } + +-- +2.16.2 + diff --git a/CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch b/CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch new file mode 100644 index 0000000..9efe07f --- /dev/null +++ b/CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch 
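Review bot: The added length check guards only the `else` branch, while the `DUMP_NOVENDOR` branch two lines above still executes `memset(pin, '*', cp->pin_len)` with the same unchecked length into the same `pin` array; hoisting the check above `if (parser.flags & DUMP_NOVENDOR)` covers both writes. The comparison should also be `>=` rather than `>`: with `cp->pin_len == sizeof(pin)` the `memcpy` fills every byte, the preceding `memset(pin, 0, sizeof(pin))` no longer leaves a terminator, and the `printf("... pin \'%s\'")` that follows reads past the array. `perror("Read failed")` appends `strerror(errno)` although nothing here sets errno, so the text will be stale; `fprintf(stderr, "pin_len %u exceeds buffer\n", cp->pin_len)` reports what actually happened, and skipping the frame instead of `exit(1)` would keep one malformed packet from terminating the whole dump. The same `perror`/`exit` pattern is in the csr.c hunk of the CVE-2016-9804 patch below. The patch subject says "memory leak", but what is being fixed is an out-of-bounds write, which matters when these patch names are triaged later; the declaration of `pin` and the rest of pin_code_reply_dump are outside the hunk.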
@@ -0,0 +1,34 @@ +# Upstream suggests to use btmon instead of hcidump and does not want those patches +# => PATCH-FIX-OPENSUSE for those two :-) +# fix some memory leak with malformed packet (reported upstream but not yet fixed) + +From 00f50518f232c758855ac9884a841f707f41a301 Mon Sep 17 00:00:00 2001 +From: "Cho, Yu-Chen" +Date: Thu, 3 May 2018 18:52:19 +0800 +Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet + +The Supported Commands is a 64 octet bit field. +Do not allow to read more then the size. +--- + tools/parser/csr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/parser/csr.c b/tools/parser/csr.c +index a0a4eb5fe..2d3db878a 100644 +--- a/tools/parser/csr.c ++++ b/tools/parser/csr.c +@@ -145,6 +145,11 @@ static inline void commands_dump(int level, char *str, struct frame *frm) + unsigned char commands[64]; + unsigned int i; + ++ if (frm->len > 64) { ++ perror("Read failed"); ++ exit(1); ++ } ++ + memcpy(commands, frm->ptr, frm->len); + + p_indent(level, frm); +-- +2.16.3 + diff --git a/README.md b/README.md new file mode 100644 index 0000000..6d6ab53 --- /dev/null +++ b/README.md @@ -0,0 +1,8 @@ +# Build the openSUSE bluez package + + * copy the `_service` into your new OBS project directory + * `osc service disabledrun` + * `osc build` + +That's it. + diff --git a/RPi-Move-the-43xx-firmware-into-lib-firmware.patch b/RPi-Move-the-43xx-firmware-into-lib-firmware.patch new file mode 100644 index 0000000..984daf2 --- /dev/null +++ b/RPi-Move-the-43xx-firmware-into-lib-firmware.patch 
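Review bot: The bound is the literal `64` although the buffer is declared `unsigned char commands[64]` two lines above in the hunk; `if (frm->len > sizeof(commands)) {` keeps the check tied to the declaration if the array is ever resized (here `>` is correct, since the copy is not NUL-terminated text). `perror("Read failed")` prints whatever errno was left by an earlier call, as in the hci.c hunk of the CVE-2016-9800 patch — an `fprintf(stderr, ...)` naming the oversized length is the honest message, and returning from the dump routine would be gentler than `exit(1)` for a capture tool fed with hostile traffic. As with the other patch, the subject's "memory leak" describes an out-of-bounds write. commands_dump continues outside the hunk.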
@@ -0,0 +1,25 @@ +From 72a2a6a6fd0e623c4048d105b34d221bde87eb74 Mon Sep 17 00:00:00 2001 +From: Phil Elwell +Date: Tue, 23 Feb 2016 17:52:29 +0000 +Subject: [PATCH] Move the 43xx firmware into /lib/firmware + +--- + tools/hciattach_bcm43xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/hciattach_bcm43xx.c b/tools/hciattach_bcm43xx.c +index f3231ec..21450ac 100644 +--- a/tools/hciattach_bcm43xx.c ++++ b/tools/hciattach_bcm43xx.c +@@ -43,7 +43,7 @@ + #include "hciattach.h" + + #ifndef FIRMWARE_DIR +-#define FIRMWARE_DIR "/etc/firmware" ++#define FIRMWARE_DIR "/lib/firmware" + #endif + + #define FW_EXT ".hcd" +-- +2.9.3 + diff --git a/_service b/_service index d333d26..652b3de 100644 --- a/_service +++ b/_service @@ -1,15 +1,9 @@ - + https://github.com/seifes-opensuse-packages/bluez.git git - dist/* - dist - bluez-patches + *.* _none_ - - *.tar - xz - diff --git a/bluez-5.11-logitech-hid2hci.patch b/bluez-5.11-logitech-hid2hci.patch new file mode 100644 index 0000000..e3edc6d --- /dev/null +++ b/bluez-5.11-logitech-hid2hci.patch 
@@ -0,0 +1,25 @@ +# fix some logitech HID devices, bnc#681049, bnc#850478 --seife+obs@b1-systems.com + +Apparently some Logitech devices need different rules. +https://bugzilla.novell.com/show_bug.cgi?id=681049 +https://bugzilla.novell.com/show_bug.cgi?id=850478 + +Index: b/tools/hid2hci.rules +=================================================================== +--- a/tools/hid2hci.rules ++++ b/tools/hid2hci.rules +@@ -9,11 +9,13 @@ SUBSYSTEM!="usb*", GOTO="hid2hci_end" + ATTR{bInterfaceClass}=="03", ATTR{bInterfaceSubClass}=="01", ATTR{bInterfaceProtocol}=="02", \ + ATTRS{bDeviceClass}=="00", ATTRS{idVendor}=="413c", ATTRS{bmAttributes}=="e0", \ + RUN+="hid2hci --method=dell --devpath=%p", ENV{HID2HCI_SWITCH}="1" + + # Logitech devices +-KERNEL=="hiddev*", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c70[345abce]|c71[34bc]", \ ++KERNEL=="hiddev*", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c70[5e]", \ ++ RUN+="hid2hci --method=logitech-hid --devpath=%p" ++KERNEL=="hidraw*", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c70[34abc]|c71[34bc]", \ + RUN+="hid2hci --method=logitech-hid --devpath=%p" + + ENV{DEVTYPE}!="usb_device", GOTO="hid2hci_end" + + # When a Dell device recovers from S3, the mouse child needs to be repoked diff --git a/bluez-cups-libexec.patch b/bluez-cups-libexec.patch new file mode 100644 index 0000000..686fe83 --- /dev/null +++ b/bluez-cups-libexec.patch 
@@ -0,0 +1,26 @@ +Index: b/Makefile.in +=================================================================== +--- a/Makefile.in ++++ b/Makefile.in +@@ -3439,7 +3439,7 @@ unit_tests = $(am__append_54) unit/test- + @DEPRECATED_TRUE@@READLINE_TRUE@attrib_gatttool_LDADD = lib/libbluetooth-internal.la \ + @DEPRECATED_TRUE@@READLINE_TRUE@ src/libshared-glib.la $(GLIB_LIBS) -lreadline + +-@CUPS_TRUE@cupsdir = $(libdir)/cups/backend ++@CUPS_TRUE@cupsdir = $(libexecdir)/cups/backend + @CUPS_TRUE@profiles_cups_bluetooth_SOURCES = profiles/cups/main.c \ + @CUPS_TRUE@ profiles/cups/cups.h \ + @CUPS_TRUE@ profiles/cups/sdp.c \ +Index: b/Makefile.tools +=================================================================== +--- a/Makefile.tools ++++ b/Makefile.tools +@@ -441,7 +441,7 @@ endif + endif + + if CUPS +-cupsdir = $(libdir)/cups/backend ++cupsdir = $(libexecdir)/cups/backend + + cups_PROGRAMS = profiles/cups/bluetooth + diff --git a/bluez-disable-broken-tests.diff b/bluez-disable-broken-tests.diff new file mode 100644 index 0000000..b84059d --- /dev/null +++ b/bluez-disable-broken-tests.diff @@ -0,0 +1,24 @@ +Index: b/Makefile.am +=================================================================== +--- a/Makefile.am ++++ b/Makefile.am +@@ -474,7 +474,8 @@ unit_test_lib_SOURCES = unit/test-lib.c + unit_test_lib_LDADD = src/libshared-glib.la \ + lib/libbluetooth-internal.la $(GLIB_LIBS) + +-unit_tests += unit/test-gatt ++# hangs forever in OBS where AF_ALG is not supported. ++#unit_tests += unit/test-gatt + + unit_test_gatt_SOURCES = unit/test-gatt.c + unit_test_gatt_LDADD = src/libshared-glib.la \ +@@ -504,7 +505,8 @@ unit_test_gattrib_LDADD = lib/libbluetoo + $(GLIB_LIBS) $(DBUS_LIBS) -ldl -lrt + + if MIDI +-unit_tests += unit/test-midi ++# fails on i386??? or just random? ++#unit_tests += unit/test-midi + unit_test_midi_CPPFLAGS = $(AM_CPPFLAGS) $(ALSA_CFLAGS) -DMIDI_TEST + unit_test_midi_SOURCES = unit/test-midi.c \ + profiles/midi/libmidi.h \ 
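Review bot: Makefile.in is a generated file, and the spec in this same commit has `BuildRequires: automake`; if the build regenerates it, the Makefile.in hunk is discarded and only the `cupsdir = $(libexecdir)/cups/backend` change in Makefile.tools takes effect, which presumably suffices because the top-level Makefile.am includes Makefile.tools — worth confirming so the Makefile.in hunk is not carried as dead weight that fails to apply on the next rebase. The patch file also lacks the upstream reference that the spec's PATCH-FIX-UPSTREAM tag implies; a one-line header naming the upstream commit or URL would let the next maintainer verify and drop it.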
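Review bot: Commenting out `unit_tests += unit/test-midi` with the note `# fails on i386??? or just random?` removes the test on every architecture for an undiagnosed failure, so a real regression in profiles/midi would now go unnoticed in `make check`. The gatt case at least names its cause (AF_ALG unavailable in OBS); both comments should carry the bug or upstream reference, e.g. `# hangs forever in OBS where AF_ALG is not supported, see <BUG-ID placeholder>`, so the exclusions can be revisited rather than silently inherited. The `_SOURCES`/`_LDADD` lines are kept, so the binaries are still built and could be run conditionally instead of dropped outright.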
diff --git a/bluez-patches.tar.xz b/bluez-patches.tar.xz deleted file mode 100644 index 9e4d6ef..0000000 --- a/bluez-patches.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ab8dc3a4bc77b1dadc8e29e033c9b8590bbe1720ba9e5f1cff3b91b09746c078 -size 2924 diff --git a/bluez-sdp-unix-path.patch b/bluez-sdp-unix-path.patch new file mode 100644 index 0000000..821e6bf --- /dev/null +++ b/bluez-sdp-unix-path.patch @@ -0,0 +1,11 @@ +--- bluez-5.8.orig/lib/sdp.h ++++ bluez-5.8/lib/sdp.h +@@ -34,7 +34,7 @@ extern "C" { + #include + #include + +-#define SDP_UNIX_PATH "/var/run/sdp" ++#define SDP_UNIX_PATH "/run/sdp" + #define SDP_RESPONSE_TIMEOUT 20 + #define SDP_REQ_BUFFER_SIZE 2048 + #define SDP_RSP_BUFFER_SIZE 65535 diff --git a/bluez.changes b/bluez.changes index 025d07e..f1afeed 100644 --- a/bluez.changes +++ b/bluez.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Oct 7 14:56:28 UTC 2019 - Stefan Seyfried + +- add 0001-mesh-Fix-segmentation-fault-on-Join-call.patch + (boo#1152672) + ------------------------------------------------------------------- Sun Oct 6 13:24:51 UTC 2019 - Stefan Seyfried @@ -53,9 +59,8 @@ Fri Sep 20 19:32:43 UTC 2019 - Stefan Seyfried * bluez-5.50-a2dp-backports.patch * bluez-5.50-gcc9.patch * disable_some_obex_tests.patch -- refreshed bluez-cups-libexec.patch -- rebased bluez-5.45-disable-broken-tests.diff to bluez-5.51- - disable-broken-tests.diff + * bluez-5.45-disable-broken-tests.diff +- add bluez-disable-broken-tests.diff - add temporary rpmlintrc until security team approves ------------------------------------------------------------------- diff --git a/bluez.spec b/bluez.spec index 7492660..dc43955 100644 --- a/bluez.spec +++ b/bluez.spec 
@@ -28,9 +28,24 @@ License: GPL-2.0-or-later Group: Hardware/Mobile Url: http://www.bluez.org Source: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz -Source1: bluez-patches.tar.xz Source5: baselibs.conf Source7: bluetooth.modprobe +# fix some logitech HID devices, bnc#681049, bnc#850478 --seife+obs@b1-systems.com +Patch1: bluez-5.11-logitech-hid2hci.patch +Patch2: bluez-sdp-unix-path.patch +# PATCH-FIX-UPSTREAM: find the cups dir in libexec not in libdir +Patch3: bluez-cups-libexec.patch +# workaround for broken tests (reported upstream but not yet fixed) +Patch4: bluez-disable-broken-tests.diff +# boo#1152672, upstream fix +Patch5: 0001-mesh-Fix-segmentation-fault-on-Join-call.patch +# Move 43xx firmware path for RPi3 bluetooth support bsc#1140688 +Patch10: RPi-Move-the-43xx-firmware-into-lib-firmware.patch +# Upstream suggests to use btmon instead of hcidump and does not want those patches +# => PATCH-FIX-OPENSUSE for those two :-) +# fix some memory leak with malformed packet (reported upstream but not yet fixed) +Patch101: CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch +Patch102: CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch BuildRequires: automake BuildRequires: flex @@ -133,10 +148,15 @@ desktop specific applets like blueman or GNOME or KDE applets). { systemctl status -n0 bluetooth.service > /dev/null && systemctl restart bluetooth.service ; } ||: %prep -%setup -q -a 1 -for i in $(cat bluez-patches/series); do - patch -p1 -i bluez-patches/$i --fuzz=%{_default_patch_fuzz} %{_default_patch_flags} || exit 1 -done +%setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch10 -p1 +%patch101 -p1 +%patch102 -p1 mkdir dbus-apis cp -a doc/*.txt dbus-apis/ # FIXME: Change the dbus service to be a real service, not systemd launched
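Review bot: The comment on Patch101/Patch102 still calls the defect a memory leak, but both patches add a length check in front of an unbounded `memcpy` into a fixed-size stack array, i.e. an out-of-bounds write on a malformed packet; `# PATCH-FIX-OPENSUSE: bound the copy length in the hcidump parsers (out-of-bounds write on malformed packets; upstream prefers btmon)` tells the next reviewer what the patch actually guards. Patch3 is tagged PATCH-FIX-UPSTREAM although the patch file added in this commit carries no upstream commit id or URL, and Patch2 has no comment or tag at all; the openSUSE patch tagging convention expects a reference the next maintainer can rebase against or drop. The `%prep` hunk replaces the `--fuzz=%{_default_patch_fuzz}` loop with plain `%patchN -p1`, which is stricter, so a future fuzz failure is intended behaviour and should not be worked around by re-adding the fuzz flag.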