GNU bug report logs - #28447: [PATCH] gnu: bluez: Fix CVE-2017-1000250.
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Wed, 13 Sep 2017 15:46:02 UTC
Severity: normal
Tags: patch
Done: Efraim Flashner <efraim <at> flashner.co.il>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#28447; Package guix-patches. (Wed, 13 Sep 2017 15:46:02 GMT)
Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 13 Sep 2017 15:46:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/linux.scm (%bluez-CVE-2017-1000250.patch): New variable.
(bluez)[replacement]: New field.
(bluez/fixed): New variable.
---
gnu/packages/linux.scm | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index bfa736c1c..9dc68a2b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3009,10 +3009,24 @@ applications.")
Bluetooth audio output devices like headphones or loudspeakers.")
(license license:gpl2+)))
+;; Fix remote information disclosure in bluetoothd.
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
+;; https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000250.html
+(define %bluez-CVE-2017-1000250.patch
+ (origin
+ (method url-fetch)
+ (uri "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=\
+9e009647b14e810e06626dde7f1bb9ea3c375d09")
+ (file-name "bluez-CVE-2017-1000250.patch")
+ (sha256
+ (base32
+ "0p6gblj775sv0xx4pvdll39j6spg8ihhshid5z6lgrjh0rmxi3sk"))))
+
(define-public bluez
(package
(name "bluez")
(version "5.45")
+ (replacement bluez/fixed)
(source (origin
(method url-fetch)
(uri (string-append
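Review bot: The `uri` in `%bluez-CVE-2017-1000250.patch` points at a `patch/?id=` URL on git.kernel.org, so the graft can only be built while that server keeps returning byte-identical output for the commit. The `sha256` will catch any difference, but the result is then a failed build of a security fix rather than a patched package. Consider keeping the patch file in the repository and referencing it with `search-patches`, which also lets reviewers read the fix in-tree. A short comment next to `(replacement bluez/fixed)` noting that it is a graft for this CVE would also tell whoever updates bluez past 5.45 that it can be dropped.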
@@ -3074,6 +3088,13 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
+(define bluez/fixed
+ (package
+ (inherit bluez)
+ (source (origin
+ (inherit (package-source bluez))
+ (patches (list %bluez-CVE-2017-1000250.patch))))))
+
(define-public fuse-exfat
(package
(name "fuse-exfat")
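Review bot: In `bluez/fixed`, `(patches (list %bluez-CVE-2017-1000250.patch))` replaces the inherited origin's `patches` field rather than extending it, so any patch the `bluez` origin carries now or gains later would be silently missing from the grafted package. The `bluez` origin is cut off in the context shown, so this cannot be confirmed from the diff alone. Suggest `(patches (append (origin-patches (package-source bluez)) (list %bluez-CVE-2017-1000250.patch)))`, or a comment stating that the base origin has no patches.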
--
2.14.1
bug closed, send any further explanations to 28447 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com>. Request was from Efraim Flashner <efraim <at> flashner.co.il> to control <at> debbugs.gnu.org. (Wed, 13 Sep 2017 19:54:02 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#28447; Package guix-patches. (Thu, 14 Sep 2017 08:23:02 GMT)
Message #10 received at 28447-done <at> debbugs.gnu.org (full text, mbox):
Hi Marius,
Marius Bakke <mbakke <at> fastmail.com> skribis:
> * gnu/packages/linux.scm (%bluez-CVE-2017-1000250.patch): New variable.
> (bluez)[replacement]: New field.
> (bluez/fixed): New variable.
Mark beat you at it:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=27236a43486b8fbb9d55d533e558165bab07d020
The only difference I can see is that Mark included the patch in the repo.
Maybe we should coordinate for security fixes via IRC or something. :-)
Thanks to both of you!
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 12 Oct 2017 11:24:05 GMT)
This bug report was last modified 7 years and 303 days ago.