Subject: [bug#28447] [PATCH] gnu: bluez: Fix CVE-2017-1000250.
To: 28447@debbugs.gnu.org
Cc: Marius Bakke
From: Marius Bakke
Date: Wed, 13 Sep 2017 17:44:25 +0200
Message-Id: <20170913154425.3647-1-mbakke@fastmail.com>

* gnu/packages/linux.scm (%bluez-CVE-2017-1000250.patch): New variable.
(bluez)[replacement]: New field.
(bluez/fixed): New variable.
--- gnu/packages/linux.scm | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index bfa736c1c..9dc68a2b3 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -3009,10 +3009,24 @@ applications.") Bluetooth audio output devices like headphones or loudspeakers.") (license license:gpl2+))) +;; Fix remote information disclosure in bluetoothd. +;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250 +;; https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000250.html +(define %bluez-CVE-2017-1000250.patch + (origin + (method url-fetch) + (uri "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=\ +9e009647b14e810e06626dde7f1bb9ea3c375d09") + (file-name "bluez-CVE-2017-1000250.patch") + (sha256 + (base32 + "0p6gblj775sv0xx4pvdll39j6spg8ihhshid5z6lgrjh0rmxi3sk")))) + (define-public bluez (package (name "bluez") (version "5.45") + (replacement bluez/fixed) (source (origin (method url-fetch) (uri (string-append 
@@ -3074,6 +3088,13 @@ Bluetooth audio output devices like headphones or loudspeakers.") is flexible, efficient and uses a modular implementation.") (license license:gpl2+))) +(define bluez/fixed + (package + (inherit bluez) + (source (origin + (inherit (package-source bluez)) + (patches (list %bluez-CVE-2017-1000250.patch)))))) + (define-public fuse-exfat (package (name "fuse-exfat") -- 2.14.1

Subject: [bug#28447] [PATCH] gnu: bluez: Fix CVE-2017-1000250.
To: Marius Bakke
Cc: Mark H Weaver, 28447-done@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Date: Thu, 14 Sep 2017 10:22:00 +0200
In-Reply-To: <20170913154425.3647-1-mbakke@fastmail.com> (Marius Bakke's message of "Wed, 13 Sep 2017 17:44:25 +0200")
Message-ID: <87zi9xbsgn.fsf@gnu.org>

Hi Marius,

Marius Bakke wrote:

> * gnu/packages/linux.scm (%bluez-CVE-2017-1000250.patch): New variable.
> (bluez)[replacement]: New field.
> (bluez/fixed): New variable.

Mark beat you at it:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=27236a43486b8fbb9d55d533e558165bab07d020

The only difference I can see is that Mark included the patch in the repo.

Maybe we should coordinate for security fixes via IRC or something. :-)

Thanks to both of you!

Ludo’.
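
Review bot: in the first hunk (@@ -3009,10 +3009,24 @@), %bluez-CVE-2017-1000250.patch is pulled with url-fetch from the cgit "patch/?id=" endpoint on git.kernel.org and pinned with a sha256. That endpoint renders the patch on request, so its bytes are not guaranteed to stay identical over time; if the rendering changes, the hash check fails and the graft carrying the security fix can no longer be built from source. Consider committing the patch file under gnu/packages/patches and referencing it with search-patches instead, which is the one difference Ludovic notes in Mark's version of the fix.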
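
Review bot: in the second hunk (@@ -3074,6 +3088,13 @@), (patches (list %bluez-CVE-2017-1000250.patch)) replaces the inherited origin's patches field instead of extending it, so any patch the bluez source carries now or gains later would be silently absent from bluez/fixed. The bluez origin is cut off in the visible context, so this may be harmless today; writing the field as (append (origin-patches (package-source bluez)) (list %bluez-CVE-2017-1000250.patch)) keeps the graft correct either way. A short comment above bluez/fixed pointing back at the CVE comment would also help whoever drops the graft at the next bluez update.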