Accepting request 606365 from home:acho:branches:Base:System

Add patches for bsc#1013721 CVE-2016-9800 bsc#1013877 CVE-2016-9804

OBS-URL: https://build.opensuse.org/request/show/606365
OBS-URL: https://build.opensuse.org/package/show/Base:System/bluez?expand=0&rev=251

CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch

@@ -0,0 +1,33 @@
+From 5ca9510314d15d562e9ef5515a5483be5f28258d Mon Sep 17 00:00:00 2001
+From: "Cho, Yu-Chen" <acho@suse.com>
+Date: Wed, 21 Mar 2018 17:32:45 +0800
+Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
+
+Do not allow to read more then buffer size.
+---
+ tools/parser/hci.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/parser/hci.c b/tools/parser/hci.c
+index 8c7bd2581..adfd9ab1d 100644
+--- a/tools/parser/hci.c
++++ b/tools/parser/hci.c
+@@ -988,8 +988,14 @@ static inline void pin_code_reply_dump(int level, struct frame *frm)
+ 	memset(pin, 0, sizeof(pin));
+ 	if (parser.flags & DUMP_NOVENDOR)
+ 		memset(pin, '*', cp->pin_len);
+-	else
++	else {
++                 if (cp->pin_len > sizeof(pin)){
++                        perror("Read failed");
++                        exit(1);
++                }
++
+ 		memcpy(pin, cp->pin_code, cp->pin_len);
++	}
+ 	printf("bdaddr %s len %d pin \'%s\'\n", addr, cp->pin_len, pin);
+ }
+ 
+-- 
+2.16.2
+

CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch

@@ -0,0 +1,30 @@
+From 00f50518f232c758855ac9884a841f707f41a301 Mon Sep 17 00:00:00 2001
+From: "Cho, Yu-Chen" <acho@suse.com>
+Date: Thu, 3 May 2018 18:52:19 +0800
+Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet
+
+The Supported Commands is a 64 octet bit field.
+Do not allow to read more then the size.
+---
+ tools/parser/csr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/parser/csr.c b/tools/parser/csr.c
+index a0a4eb5fe..2d3db878a 100644
+--- a/tools/parser/csr.c
++++ b/tools/parser/csr.c
+@@ -145,6 +145,11 @@ static inline void commands_dump(int level, char *str, struct frame *frm)
+ 	unsigned char commands[64];
+ 	unsigned int i;
+ 
++	if (frm->len > 64) {
++		perror("Read failed");
++		exit(1);
++	}
++
+ 	memcpy(commands, frm->ptr, frm->len);
+ 
+ 	p_indent(level, frm);
+-- 
+2.16.3
+

bluez.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri May 11 07:14:16 UTC 2018 - acho@suse.com
+
+- Add
+  CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+  * Fix hcidump memory leak in pin_code_reply_dump().
+  (bsc#1013721)(CVE-2016-9800)
+  CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+  * Fix hcidump buffer overflow in commands_dump().
+  (bsc#1013877)(CVE-2016-9804) 
+
 -------------------------------------------------------------------
 Mon Mar 26 06:04:01 UTC 2018 - seife+obs@b1-systems.com
 

bluez.spec

@@ -40,6 +40,9 @@ Patch5:         0001-obexd-use-AM_LDFLAGS-for-linking.patch
 Patch6:         disable_some_obex_tests.patch
 # PATCH-FIX-UPSTREAM: crasher bug, boo#1086731 --seife+obs@b1-systems.com
 Patch7:         0001-Don-t-refresh-adv_manager-for-non-LE-devices.patch
+# fix some memory leak with malformed packet (reported upstream but not yet fixed)
+Patch101:       CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
+Patch102:       CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
 BuildRequires:  automake
 BuildRequires:  flex
 BuildRequires:  libtool
@@ -148,6 +151,8 @@ desktop specific applets like blueman or GNOME or KDE applets).
 %patch6 -p1
 %endif
 %patch7 -p1
+%patch101 -p1
+%patch102 -p1
 mkdir dbus-apis
 cp -a doc/*.txt dbus-apis/
 # FIXME: Change the dbus service to be a real service, not systemd launched