GNU bug report logs - #28447
[PATCH] gnu: bluez: Fix CVE-2017-1000250.

Previous Next

Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Wed, 13 Sep 2017 15:46:02 UTC

Severity: normal

Tags: patch

Done: Efraim Flashner <efraim <at> flashner.co.il>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: bluez: Fix CVE-2017-1000250.
Date: Wed, 13 Sep 2017 17:44:25 +0200

* gnu/packages/linux.scm (%bluez-CVE-2017-1000250.patch): New variable.
(bluez)[replacement]: New field.
(bluez/fixed): New variable.
---
 gnu/packages/linux.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index bfa736c1c..9dc68a2b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3009,10 +3009,24 @@ applications.")
 Bluetooth audio output devices like headphones or loudspeakers.")
     (license license:gpl2+)))
 
+;; Fix remote information disclosure in bluetoothd.
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
+;; https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000250.html
+(define %bluez-CVE-2017-1000250.patch
+  (origin
+    (method url-fetch)
+    (uri "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=\
+9e009647b14e810e06626dde7f1bb9ea3c375d09")
+    (file-name "bluez-CVE-2017-1000250.patch")
+    (sha256
+     (base32
+      "0p6gblj775sv0xx4pvdll39j6spg8ihhshid5z6lgrjh0rmxi3sk"))))
+
 (define-public bluez
   (package
     (name "bluez")
     (version "5.45")
+    (replacement bluez/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -3074,6 +3088,13 @@ Bluetooth audio output devices like headphones or loudspeakers.")
 is flexible, efficient and uses a modular implementation.")
     (license license:gpl2+)))
 
+(define bluez/fixed
+  (package
+    (inherit bluez)
+    (source (origin
+              (inherit (package-source bluez))
+              (patches (list %bluez-CVE-2017-1000250.patch))))))
+
 (define-public fuse-exfat
   (package
     (name "fuse-exfat")
-- 
2.14.1
This bug report was last modified 7 years and 308 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.