Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package bluez for openSUSE:Factory checked in at 2022-09-20 19:23:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bluez (Old)
 and      /work/SRC/openSUSE:Factory/.bluez.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bluez"

Tue Sep 20 19:23:04 2022 rev:190 rq:1004575 version:5.65

Changes:
--------
--- /work/SRC/openSUSE:Factory/bluez/bluez.changes	2022-08-24 15:10:26.204450922 +0200
+++ /work/SRC/openSUSE:Factory/.bluez.new.2083/bluez.changes	2022-09-20 19:23:06.154391251 +0200
@@ -1,0 +2,35 @@
+Wed Sep 14 07:56:19 UTC 2022 - Joey Lee <j...@suse.com>
+
+- For pushing bluez 5.65 to 15-SP5 (bluez-5.62), sync the patches and
+  log: (jsc#PED-1407)
+  - hcidump-fixed-hci-frame-dump-stack-buffer-overflow.patch was merged
+    into the 5.51 mainline, so bluez 5.65 already includes it.
+  - Add the following patches from the bluez-5.62 of 15-SP5:
+    - disable_some_obex_tests.patch
+      - disable tests to bypass boo#1078285
+    - hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
+      - bsc#1013708 CVE-2016-9797
+      - Al Cho sent it upstream but it was not merged:
+        https://lore.kernel.org/all/20181031081508.25927-1-a...@suse.com/T/
+    - hcidump-Fix-memory-leak-with-malformed-packet.patch
+      - bsc#1015171 CVE-2016-9917
+      - Al Cho sent it upstream but it was not merged:
+        https://www.spinics.net/lists/linux-bluetooth/msg79852.html
+    - hcidump-Fixed-malformed-segment-frame-length.patch
+      - bsc#1013712 CVE-2016-9798
+      - Not sent upstream.
+    - 0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch
+      - Move 43xx firmware path for RPi3 bluetooth support bsc#1140688 bsc#995059 bsc#1094902
+      - From https://www.yoctoproject.org/pipermail/yocto/2016-April/029424.html
+  - Respin the following patches
+    - bluez-test-2to3.diff
+      - Removed some parts of the patch because that code has been included
+        in a1939bd51e0faba9a8550eea2590d99cb63a33c1 since 5.65.
+  - The following patches are the same between SLE15-SP5 and openSUSE TW:
+    - bluez-5.45-disable-broken-tests.diff in 15-SP5 matches
+      bluez-disable-broken-tests.diff in openSUSE TW.
+    - 0002-rpi3-Move-the-43xx-firmware-into-lib-firmware.patch in 15-SP5
+      matches RPi-Move-the-43xx-firmware-into-lib-firmware.patch in
+      openSUSE TW.
+
+-------------------------------------------------------------------

New:
----
  0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch
  bluez-test-2to3.diff
  disable_some_obex_tests.patch
  hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
  hcidump-Fix-memory-leak-with-malformed-packet.patch
  hcidump-Fixed-malformed-segment-frame-length.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bluez.spec ++++++
--- /var/tmp/diff_new_pack.vkDnMX/_old	2022-09-20 19:23:06.970393591 +0200
+++ /var/tmp/diff_new_pack.vkDnMX/_new	2022-09-20 19:23:06.974393603 +0200
@@ -55,11 +55,23 @@ # # PATCH-FIX-UPSTREAM 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch -- obex: Use GLib helper function to manipulate paths Patch11: https://src.fedoraproject.org/rpms/bluez/raw/rawhide/f/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch +# disable tests for bypass boo#1078285 +Patch12: disable_some_obex_tests.patch +# get rid of python2. WARNING: this is autogenerated by 2to3 and might not work +Patch13: bluez-test-2to3.diff +# bsc#1013708 CVE-2016-9797 +Patch14: hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch +# bsc#1015171 CVE-2016-9917 +Patch15: hcidump-Fix-memory-leak-with-malformed-packet.patch +# bsc#1013712 CVE-2016-9798 +Patch16: hcidump-Fixed-malformed-segment-frame-length.patch # Upstream suggests to use btmon instead of hcidump and does not want those patches # => PATCH-FIX-OPENSUSE for those two :-) # fix some memory leak with malformed packet (reported upstream but not yet fixed) Patch101: CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch Patch102: CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch +# Move 43xx firmware path for RPi3 bluetooth support bsc#1140688 bsc#995059 bsc#1094902 +Patch201: 0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch # mesh-cfgtest only compiles with gcc8 or newer, Leap 15 has gcc7.5.0 as default %if 0%{?suse_version} < 1550 BuildRequires: gcc8 ++++++ 0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch ++++++ >From 4de2871675d3b039b5797e77cc1d6ce4070e86b2 Mon Sep 17 00:00:00 2001 
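Review bot: the spec hunk only declares Patch12 to Patch16 and Patch201; whether %prep applies them is not visible here, so confirm the matching %patch lines (or %autopatch) exist, because a declared-but-unapplied patch builds cleanly and silently ships without the CVE fix. Two comments in the hunk now mislead: the one above Patch201, "Move 43xx firmware path for RPi3 bluetooth support", describes a different change than the file it labels (that patch removes a bcm43xx_set_speed() call and adds a sleep(1), per its own subject line), and the pre-existing "# => PATCH-FIX-OPENSUSE for those two :-)" now sits directly after three newly added hcidump patches, so "those two" no longer identifies Patch101/Patch102. Also, Patch15 (hcidump-Fix-memory-leak-with-malformed-packet.patch, CVE-2016-9917) has the same subject as the existing Patch101/Patch102 CVE-2016-9800/CVE-2016-9804 files while its body bounds an over-read in read_n() rather than a leak; give it a file name and comment that say what it actually fixes so the three are not confused.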
From: Phil Elwell <p...@raspberrypi.org> Date: Tue, 16 Feb 2016 16:39:09 +0000 Subject: [PATCH] bcm43xx: The UART speed must be reset after the firmware download --- tools/hciattach_bcm43xx.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) Index: bluez-5.60/tools/hciattach_bcm43xx.c =================================================================== --- bluez-5.60.orig/tools/hciattach_bcm43xx.c +++ bluez-5.60/tools/hciattach_bcm43xx.c @@ -354,11 +354,8 @@ int bcm43xx_init(int fd, int def_speed, return -1; if (bcm43xx_locate_patch(FIRMWARE_DIR, chip_name, fw_path)) { - fprintf(stderr, "Patch not found, continue anyway\n"); + fprintf(stderr, "Patch not found for %s, continue anyway\n", chip_name); } else { - if (bcm43xx_set_speed(fd, ti, speed)) - return -1; - if (bcm43xx_load_firmware(fd, fw_path)) return -1; @@ -368,6 +365,7 @@ int bcm43xx_init(int fd, int def_speed, return -1; } + sleep(1); if (bcm43xx_reset(fd)) return -1; } ++++++ bluez-test-2to3.diff ++++++ ++++ 602 lines (skipped) ++++++ disable_some_obex_tests.patch ++++++ From: Michel Normand <norm...@linux.vnet.ibm.com> Subject: disable some obex tests Date: Tue, 30 Jan 2018 17:01:45 +0100 disable some obex tests as transient failures reported by bug https://bugzilla.suse.com/show_bug.cgi?id=1078285 Signed-off-by: Michel Normand <norm...@linux.vnet.ibm.com> --- Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: bluez-5.65/Makefile.am =================================================================== --- bluez-5.65.orig/Makefile.am +++ bluez-5.65/Makefile.am 
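Review bot: the second hunk adds a bare `sleep(1);` in front of bcm43xx_reset() with no comment; say what the firmware needs after download and why one second, otherwise the next cleanup removes it as dead time. In the first hunk the subject says the UART speed "must be reset after the firmware download", but the visible change only deletes the bcm43xx_set_speed() call that preceded bcm43xx_load_firmware(); if the post-download set_speed() lives in the unchanged lines between the two hunks, the commit message should say so, since as written the description and the diff do not match. The Index:/--- headers also still say bluez-5.60 while the other patches in this request are rebased to bluez-5.65; rebase for consistency.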
@@ -502,8 +502,8 @@ unit_test_gdbus_client_LDADD = gdbus/lib src/libshared-glib.la $(GLIB_LIBS) $(DBUS_LIBS) if OBEX -unit_tests += unit/test-gobex-header unit/test-gobex-packet unit/test-gobex \ - unit/test-gobex-transfer unit/test-gobex-apparam +unit_tests += unit/test-gobex-header unit/test-gobex-packet \ + unit/test-gobex-apparam unit_test_gobex_SOURCES = $(gobex_sources) unit/util.c unit/util.h \ unit/test-gobex.c ++++++ hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch ++++++ >From 08a69d36726b6345df6e64892cadd5ab5d5ca2a6 Mon Sep 17 00:00:00 2001 From: "Cho, Yu-Chen" <a...@suse.com> Date: Tue, 19 Mar 2019 15:54:09 +0800 Subject: [PATCH BlueZ] hcidump: Add assoc dump function assoc date length check amp_assoc_dump() didn't check the length of amp assoc struct. If there is wrong length size of assoc date, amp_assoc_dump() and amp_dump_chanlist() will read over the size(heap-buffer-overflow). use t_len to save the length avoid use the wrong size of date. --- tools/parser/amp.c | 35 +++++++++++++++++++++++++++-------- tools/parser/hci.c | 4 ++-- tools/parser/l2cap.c | 6 ++++-- tools/parser/parser.h | 2 +- 4 files changed, 34 insertions(+), 13 deletions(-) Index: bluez-5.65/tools/parser/amp.c =================================================================== --- bluez-5.65.orig/tools/parser/amp.c +++ bluez-5.65/tools/parser/amp.c @@ -15,7 +15,8 @@ #include "parser.h" #include "lib/amp.h" -static void amp_dump_chanlist(int level, struct amp_tlv *tlv, char *prefix) +static void amp_dump_chanlist(int level, struct amp_tlv *tlv, + uint16_t t_len, char *prefix) { struct amp_chan_list *chan_list = (void *) tlv->val; struct amp_country_triplet *triplet; 
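Review bot: removing unit/test-gobex and unit/test-gobex-transfer from unit_tests leaves the unit_test_gobex_SOURCES definition on the very next context line orphaned, which automake will warn about, and nothing in Makefile.am records why the tests are gone. Add a comment at this spot referencing boo#1078285 so the skip is visibly deliberate and revertible, and consider XFAIL_TESTS or a runtime skip instead of deleting them from the list, so the transient failures the bug describes stay observable rather than disappearing from the build entirely.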
@@ -25,6 +26,12 @@ static void amp_dump_chanlist(int level, printf("%s (number of triplets %d)\n", prefix, num); + if (btohs(tlv->len) > t_len) { + p_indent(level+1, 0); + printf("Wrong number of triplets\n"); + num = (t_len - sizeof(*chan_list)) / sizeof(*triplet); + } + p_indent(level+2, 0); printf("Country code: %c%c%c\n", chan_list->country_code[0], @@ -55,7 +62,7 @@ static void amp_dump_chanlist(int level, } } -void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len) +void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len, uint16_t t_len) { struct amp_tlv *tlv = (void *) assoc; @@ -63,6 +70,14 @@ void amp_assoc_dump(int level, uint8_t * printf("Assoc data [len %d]:\n", len); while (len > sizeof(*tlv)) { + if (btohs(tlv->len) > (t_len - sizeof(struct amp_tlv))) { + p_indent(level+1, 0); + printf("Assoc data get error size\n"); + t_len -= sizeof(struct amp_tlv); + } else { + t_len -= sizeof(struct amp_tlv) + btohs(tlv->len); + } + uint16_t tlvlen = btohs(tlv->len); struct amp_pal_ver *ver; @@ -78,11 +93,13 @@ void amp_assoc_dump(int level, uint8_t * break; case A2MP_PREF_CHANLIST_TYPE: - amp_dump_chanlist(level, tlv, "Preferred Chan List"); + amp_dump_chanlist(level, tlv, + t_len, "Preferred Chan List"); break; case A2MP_CONNECTED_CHAN: - amp_dump_chanlist(level, tlv, "Connected Chan List"); + amp_dump_chanlist(level, tlv, + t_len, "Connected Chan List"); break; case A2MP_PAL_CAP_TYPE: @@ -106,9 +123,11 @@ void amp_assoc_dump(int level, uint8_t * printf("Unrecognized type %d\n", tlv->type); break; } - - len -= tlvlen + sizeof(*tlv); - assoc += tlvlen + sizeof(*tlv); - tlv = (struct amp_tlv *) assoc; + if (btohs(tlv->len) <= t_len) { + len -= tlvlen + sizeof(*tlv); + assoc += tlvlen + sizeof(*tlv); + tlv = (struct amp_tlv *) assoc; + } else + len = 0; } } Index: bluez-5.65/tools/parser/hci.c =================================================================== --- bluez-5.65.orig/tools/parser/hci.c +++ bluez-5.65/tools/parser/hci.c 
@@ -1667,7 +1667,7 @@ static inline void write_remote_amp_asso printf("handle 0x%2.2x len_so_far %d remaining_len %d\n", cp->handle, cp->length_so_far, cp->remaining_length); - amp_assoc_dump(level + 1, cp->fragment, frm->len - 5); + amp_assoc_dump(level + 1, cp->fragment, frm->len - 5, frm->len - 5); } static inline void command_dump(int level, struct frame *frm) @@ -2650,7 +2650,7 @@ static inline void read_local_amp_assoc_ p_indent(level, frm); printf("Error: %s\n", status2str(rp->status)); } else { - amp_assoc_dump(level + 1, rp->fragment, len); + amp_assoc_dump(level + 1, rp->fragment, len, frm->len - 4); } } Index: bluez-5.65/tools/parser/l2cap.c =================================================================== --- bluez-5.65.orig/tools/parser/l2cap.c +++ bluez-5.65/tools/parser/l2cap.c @@ -1159,7 +1159,8 @@ static inline void a2mp_assoc_rsp(int le printf("Get AMP Assoc rsp: id %d status (%d) %s\n", h->id, h->status, a2mpstatus2str(h->status)); - amp_assoc_dump(level + 1, h->assoc_data, len - sizeof(*h)); + amp_assoc_dump(level + 1, h->assoc_data, + len - sizeof(*h), frm->len - sizeof(*h)); } static inline void a2mp_create_req(int level, struct frame *frm, uint16_t len) @@ -1168,7 +1169,8 @@ static inline void a2mp_create_req(int l printf("Create Physical Link req: local id %d remote id %d\n", h->local_id, h->remote_id); - amp_assoc_dump(level + 1, h->assoc_data, len - sizeof(*h)); + amp_assoc_dump(level + 1, h->assoc_data, + len - sizeof(*h), frm->len - sizeof(*h)); } static inline void a2mp_create_rsp(int level, struct frame *frm) Index: bluez-5.65/tools/parser/parser.h =================================================================== --- bluez-5.65.orig/tools/parser/parser.h +++ bluez-5.65/tools/parser/parser.h 
@@ -236,7 +236,7 @@ void ericsson_dump(int level, struct fra void csr_dump(int level, struct frame *frm); void bpa_dump(int level, struct frame *frm); -void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len); +void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len, uint16_t t_len); static inline void parse(struct frame *frm) { ++++++ hcidump-Fix-memory-leak-with-malformed-packet.patch ++++++ >From 98bee47cca1b8a6b17bb0178f951fe7902abc2f0 Mon Sep 17 00:00:00 2001 From: "Cho, Yu-Chen" <a...@suse.com> Date: Wed, 24 Apr 2019 16:10:56 +0800 Subject: [PATCH BlueZ] tool/hcidump: Fix memory leak with malformed packet Do not allow to read more than allocated data buffer size. Because of the buffer is malloc(HCI_MAX_FRAME_SIZE), so there is heap buffer overflow if read the size more than HCI_MAX_FRAME_SIZE and fd size is larger than HCI_MAX_FRAME_SIZE. --- tools/hcidump.c | 9 +++++++++ 1 file changed, 9 insertions(+) Index: bluez-5.60/tools/hcidump.c =================================================================== --- bluez-5.60.orig/tools/hcidump.c +++ bluez-5.60/tools/hcidump.c @@ -92,6 +92,15 @@ struct pktlog_hdr { static inline int read_n(int fd, char *buf, int len) { int t = 0, w; + off_t fsize, currentpos, startpos; + + currentpos = lseek(fd, 0, SEEK_CUR); + fsize = lseek(fd, 0, SEEK_END); + lseek(fd, currentpos, SEEK_SET); + fsize -= currentpos; + + if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE) + return -1; while (len > 0) { if ((w = read(fd, buf, len)) < 0) { ++++++ hcidump-Fixed-malformed-segment-frame-length.patch ++++++ >From da04ba5e6b3f151c1644a17ac0fa2317ebc81edd Mon Sep 17 00:00:00 2001 
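Review bot: in the amp_dump_chanlist() hunk, `num = (t_len - sizeof(*chan_list)) / sizeof(*triplet);` underflows when t_len is smaller than sizeof(*chan_list) (t_len is a uint16_t, the subtraction happens in size_t), producing a huge triplet count and exactly the over-read the patch is meant to stop; guard with `if (t_len < sizeof(*chan_list))` and print nothing before dividing. The same unguarded `t_len - sizeof(struct amp_tlv)` appears at the top of the loop in amp_assoc_dump(), and `t_len -= sizeof(struct amp_tlv);` in the error branch can wrap the uint16_t as well.

Review bot: the loop advance at the end of amp_assoc_dump(), `if (btohs(tlv->len) <= t_len)`, compares the current element's length with what remains after it (t_len was already decremented by sizeof(struct amp_tlv) + tlv->len earlier in the same iteration), so a well-formed buffer whose first TLV is longer than everything that follows stops after the first element and the rest is never dumped. What the loop needs is whether the next header and value fit. Simpler and correct: clamp once at entry with `if (len > t_len) len = t_len;`, test `sizeof(*tlv) + tlvlen <= len` before touching each element, and drop the t_len threading altogether. Note also that only the two chanlist cases receive t_len; the `struct amp_pal_ver *ver` branch and A2MP_PAL_CAP_TYPE are unchanged, so the fix covers two TLV types rather than the function.

Review bot: in the hci.c hunks, read_local_amp_assoc passes `frm->len - 4` and write_remote_amp_assoc passes `frm->len - 5` for the real length; on a frame shorter than that the uint16_t parameter wraps to about 65530 and the new bound is larger than the old one, so check `frm->len` against the header size before subtracting. The l2cap.c `frm->len - sizeof(*h)` callers need the same guard. Finally, the subject and body say "assoc date"; this is "assoc data".

Review bot: in the read_n() hunk, `if (fsize > HCI_MAX_FRAME_SIZE && len > HCI_MAX_FRAME_SIZE) return -1;` hard-codes one caller's buffer size into a generic helper: it is only right for the malloc(HCI_MAX_FRAME_SIZE) buffer the commit message names, and the fsize half of the condition adds nothing, since when fewer bytes than len remain, read() simply stops short. Check len against the real buffer size in the caller (or pass the size in) and drop the three lseek() calls, whose return values are unchecked and which return -1 on pipes and sockets, where fsize then computes to 0 and the guard never fires. The subject "Fix memory leak" also mislabels an over-read bound as a leak.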
From: "Cho, Yu-Chen" <a...@suse.com> Date: Tue, 15 Oct 2019 15:45:43 +0800 Subject: [PATCH] hcidump: Fixed malformed segment frame length Ensure the L2CAP SDUs whose length field match the actual frame length. --- tools/parser/l2cap.c | 5 +++++ 1 file changed, 5 insertions(+) Index: bluez-5.60/tools/parser/l2cap.c =================================================================== --- bluez-5.60.orig/tools/parser/l2cap.c +++ bluez-5.60/tools/parser/l2cap.c @@ -759,6 +759,11 @@ static inline void conf_rsp(int level, l scid, btohs(h->flags), result, clen); if (clen > 0) { + if (clen != (btohs(frm->len) - L2CAP_CONF_RSP_SIZE)) { + fprintf(stderr, "Not match the actual frame length\n"); + clen = btohs(frm->len) - L2CAP_CONF_RSP_SIZE; + } + if (result) { p_indent(level + 1, frm); printf("%s\n", confresult2str(result));
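Review bot: `btohs(frm->len)` is wrong here: frm->len is the frame's host-order length (the hci.c and l2cap.c hunks earlier in this request use `frm->len - 5` and `frm->len - sizeof(*h)` directly), so on a big-endian host this byte-swaps a host value and clamps clen to garbage; drop the btohs(). The test also fires on `!=`, i.e. it rewrites clen upward when the header claims less than the frame carries, which is not the unsafe direction; only `clen > frm->len - L2CAP_CONF_RSP_SIZE` needs clamping, and that subtraction wants a `frm->len >= L2CAP_CONF_RSP_SIZE` check first. The message "Not match the actual frame length" should read "Config length does not match the actual frame length". The Index: header says bluez-5.60 like the rpi3 patch; rebase to 5.65 with the rest.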
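As an added example (not BlueZ or SUSE code) tying the three hcidump patches above together: the assoc-dump patch threads a second length (t_len) through the parser, the read_n() patch caps a read at the buffer size, and the conf_rsp patch clamps a header-claimed length to the frame. All three are instances of one rule, which the C below shows in general form over constructed byte strings: clamp the claimed length to the bytes that actually exist once at entry, then check every header against what remains before reading its value. The TLV layout (1-byte type, 2-byte little-endian length, then the value) is assumed from the patch's use of sizeof(*tlv) and btohs(tlv->len); walk_tlvs, records_that_fit and the sample arrays are this example's own names, not BlueZ identifiers.

```c
/*
 * Added example, not BlueZ code: a bounds-checked walk over a buffer of
 * A2MP-style TLVs, the shape amp_assoc_dump() parses. Layout assumed from
 * the patch's sizeof(*tlv) and btohs(tlv->len): 1-byte type, 2-byte
 * little-endian length, then that many value bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN 3   /* assumed: 1 byte type + 2 bytes length */

struct tlv_walk {
    size_t complete;   /* TLVs whose whole value lies inside the buffer */
    size_t truncated;  /* a TLV (or bare header) that runs past the end */
    size_t consumed;   /* bytes that were safe to parse */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * 'claimed' is what an outer length field says; 'avail' is how many bytes
 * of buf really exist. The claim is clamped once, here, so no helper below
 * needs a second length parameter, and nothing past avail is dereferenced.
 */
struct tlv_walk walk_tlvs(const uint8_t *buf, size_t claimed, size_t avail)
{
    struct tlv_walk w = { 0, 0, 0 };
    size_t remaining = claimed < avail ? claimed : avail;
    size_t off = 0;

    while (remaining >= TLV_HDR_LEN) {
        uint16_t len = le16(buf + off + 1);   /* buf[off] is the type */

        if (len > remaining - TLV_HDR_LEN) {  /* value would overrun */
            w.truncated++;
            break;
        }
        /* buf[off + 3 .. off + 3 + len) may be read safely here */
        w.complete++;
        off += TLV_HDR_LEN + len;
        remaining -= TLV_HDR_LEN + len;
    }
    if (remaining > 0 && remaining < TLV_HDR_LEN)
        w.truncated++;                        /* 1 or 2 bytes: partial header */
    w.consumed = off;
    return w;
}

/*
 * How many fixed-size records of 'rec' bytes fit after a 'hdr'-byte header
 * in 'len' bytes. The early return is the guard the chanlist hunk lacks:
 * (t_len - sizeof(*chan_list)) must never be computed for t_len < header.
 */
size_t records_that_fit(size_t len, size_t hdr, size_t rec)
{
    if (rec == 0 || len < hdr)
        return 0;
    return (len - hdr) / rec;
}

/* Constructed sample buffers for the example, not captured traffic. */
const uint8_t good_assoc[] = {
    0x01, 0x02, 0x00, 0xaa, 0xbb,   /* type 1, len 2 */
    0x02, 0x01, 0x00, 0xcc          /* type 2, len 1 */
};
const uint8_t oversized_tlv[] = {
    0x01, 0x10, 0x00, 0xaa, 0xbb,   /* type 1 claims len 16, only 6 bytes follow */
    0x02, 0x01, 0x00, 0xcc
};
const uint8_t partial_hdr[] = {
    0x01, 0x02, 0x00, 0xaa, 0xbb,   /* complete */
    0x02                            /* lone type byte, length field missing */
};

int main(void)
{
    struct tlv_walk w;

    w = walk_tlvs(good_assoc, sizeof good_assoc, sizeof good_assoc);
    printf("good:      complete=%zu truncated=%zu consumed=%zu\n", w.complete, w.truncated, w.consumed);
    /* outer length lies (64) but only 9 bytes exist: clamped, same result */
    w = walk_tlvs(good_assoc, 64, sizeof good_assoc);
    printf("lying len: complete=%zu truncated=%zu consumed=%zu\n", w.complete, w.truncated, w.consumed);
    w = walk_tlvs(oversized_tlv, sizeof oversized_tlv, sizeof oversized_tlv);
    printf("oversized: complete=%zu truncated=%zu consumed=%zu\n", w.complete, w.truncated, w.consumed);
    w = walk_tlvs(partial_hdr, sizeof partial_hdr, sizeof partial_hdr);
    printf("partial:   complete=%zu truncated=%zu consumed=%zu\n", w.complete, w.truncated, w.consumed);
    printf("records in 2 and 11 bytes (3-byte header, 4-byte records): %zu %zu\n",
           records_that_fit(2, 3, 4), records_that_fit(11, 3, 4));
    return 0;
}
```

The point of the second parameter to walk_tlvs is that the caller, which knows how many bytes it actually has (frm->len in hcidump), supplies it once; the per-element check then uses only the bytes left, so no helper can be handed a length larger than the buffer no matter what the packet claims.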