
[19.09] bluez: apply patches for CVE-2020-0556 #82449

Merged
merged 1 commit into from Mar 27, 2020

Conversation

bhipple
Contributor

@bhipple bhipple commented Mar 12, 2020

Contributor

@jonringer jonringer left a comment

This might not be as easy to backport; see ofborg, it has an issue with the enableWiimote option.

@andir
Member

andir commented Mar 13, 2020

I would recommend going this route:

commit 9161f13cf90707cc029c4870e588a43d07723ee1 (HEAD -> release-19.09)
Author: Andreas Rammhold <andreas@rammhold.de>
Date:   Fri Mar 13 12:42:31 2020 +0100

    bluez: apply patches for CVE-2020-0556

diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix
index be43d23d611..b56ccd3a01e 100644
--- a/pkgs/os-specific/linux/bluez/default.nix
+++ b/pkgs/os-specific/linux/bluez/default.nix
@@ -35,6 +35,16 @@ stdenv.mkDerivation rec {
       name = "CVE-2018-10910-2.patch";
       sha256 = "0j7klbhym64yhn86dbsmybqmwx47bviyyhx931izl1p29z2mg8hn";
     })
+    (fetchpatch {
+      url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1";
+      name = "CVE-2020-0556-1.patch";
+      sha256 = "1lqbarf0z8bi82fd6b7nviw1ifnfxc08z25bqxqf0i4i87yfiz8x";
+    })
+    (fetchpatch {
+      url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787";
+      name = "CVE-2020-0556-2.patch";
+      sha256 = "1gm50dzrs2qmzdpsg5f71bygacai5dcvadia6wf9shmjjlxb7l4w";
+    })
   ];
 
   postConfigure = ''
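Review bot: The two new `fetchpatch` entries carry no comment saying what they fix or where they come from; add a short comment above the first one in the `patches` list (e.g. `# CVE-2020-0556, backported from upstream bluez`) so the next person touching this file on release-19.09 can tell which entries become redundant on a version bump. Pinning the upstream commit via the cgit `?id=` URL plus a sha256 fixes the fetched content, which is good, but since these commits were written against a newer tree than 5.50 the build is the only thing checking that they apply, so it is worth also building with the non-default flags (`enableWiimote` and friends) that the review above reports ofborg had trouble with.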

Or just:

commit c60c554c2926fcc2248b98e77d80eb18c2a2f5b8 (HEAD -> release-19.09)
Author: Andreas Rammhold <andreas@rammhold.de>
Date:   Fri Mar 13 12:42:31 2020 +0100

    bluez: 5.50 -> 5.53

diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix
index be43d23d611..155517473bd 100644
--- a/pkgs/os-specific/linux/bluez/default.nix
+++ b/pkgs/os-specific/linux/bluez/default.nix
@@ -3,11 +3,11 @@
   enableWiimote ? false, enableMidi ? false, enableSixaxis ? false }:
 
 stdenv.mkDerivation rec {
-  name = "bluez-5.50";
+  name = "bluez-5.53";
 
   src = fetchurl {
     url = "mirror://kernel/linux/bluetooth/${name}.tar.xz";
-    sha256 = "048r91vx9gs5nwwbah2s0xig04nwk14c5s0vb7qmaqdvighsmz2z";
+    sha256 = "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq";
   };
 
   pythonPath = with python3.pkgs; [
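Review bot: The bump keeps the monolithic `name = "bluez-5.53"` attribute instead of `pname`/`version`; that matches the existing style of this file, so it is acceptable for a backport, but if the bump route is chosen consider splitting it so the version can be read mechanically. The new tarball sha256 changes as expected; confirm it was computed from the artifact the `mirror://kernel/linux/bluetooth/${name}.tar.xz` URL actually serves and not from a locally unpacked or modified copy.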
@@ -23,20 +23,6 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "dev" "test" ];
 
-  patches = [
-    ./bluez-5.37-obexd_without_systemd-1.patch
-    (fetchpatch {
-      url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=1880b299086659844889cdaf687133aca5eaf102";
-      name = "CVE-2018-10910-1.patch";
-      sha256 = "17spsxza27gif8jpxk7360ynvwii1llfdfwg35rwywjjmvww0qj4";
-    })
-    (fetchpatch {
-      url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=9213ff7642a33aa481e3c61989ad60f7985b9984";
-      name = "CVE-2018-10910-2.patch";
-      sha256 = "0j7klbhym64yhn86dbsmybqmwx47bviyyhx931izl1p29z2mg8hn";
-    })
-  ];
-
   postConfigure = ''
     substituteInPlace tools/hid2hci.rules \
       --replace /sbin/udevadm ${systemd}/bin/udevadm \
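Review bot: Deleting the whole `patches` list removes `./bluez-5.37-obexd_without_systemd-1.patch` together with the two CVE-2018-10910 patches, but only the latter are plausibly obsoleted by the move to 5.53 (they are fetched from upstream commits that a newer release would contain). The local obexd patch is unrelated to the CVE; either confirm it is no longer needed on 5.53 and delete the now-orphaned file from the tree in the same commit, or keep it in the list. Also verify that 5.53 really contains the two upstream CVE-2018-10910 commits before relying on the bump to cover them.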

Each of these just builds. And each approach carries some risks. Someone should probably verify that it is still working after taking either of these routes.

@bhipple bhipple changed the title from "[19.09][Security] bluez: 5.50 -> 5.53 for CVE-2020-0556" to "[19.09] bluez: apply patches for CVE-2020-0556" on Mar 14, 2020
@bhipple
Contributor Author

bhipple commented Mar 14, 2020

@GrahamcOfBorg build bluez bluez-alsa bluzFull bluez-tools

Since we're so close to the 20.03 release and end-of-life for 19.09, I've updated the PR to go with the more conservative approach of backporting the patches to bluez-5.50.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/116

@nh2
Contributor

nh2 commented Mar 18, 2020

This is a mass-rebuild, should it target staging-19.09?

@bhipple bhipple changed the base branch from release-19.09 to staging-19.09 March 22, 2020 00:00
@jonringer
Contributor

@GrahamcOfBorg build bluez bluez-alsa bluzFull bluez-tools

@jonringer jonringer merged commit 939178c into NixOS:staging-19.09 Mar 27, 2020