[19.09] bluez: apply patches for CVE-2020-0556 #82449
Conversation
This might not be as easy to backport; see ofborg, which has an issue with the enableWiimote option.
I would recommend going this route:

commit 9161f13cf90707cc029c4870e588a43d07723ee1 (HEAD -> release-19.09)
Author: Andreas Rammhold <andreas@rammhold.de>
Date: Fri Mar 13 12:42:31 2020 +0100
bluez: apply patches for CVE-2020-0556
diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix
index be43d23d611..b56ccd3a01e 100644
--- a/pkgs/os-specific/linux/bluez/default.nix
+++ b/pkgs/os-specific/linux/bluez/default.nix
@@ -35,6 +35,16 @@ stdenv.mkDerivation rec {
name = "CVE-2018-10910-2.patch";
sha256 = "0j7klbhym64yhn86dbsmybqmwx47bviyyhx931izl1p29z2mg8hn";
})
+ (fetchpatch {
+ url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1";
+ name = "CVE-2020-0556-1.patch";
+ sha256 = "1lqbarf0z8bi82fd6b7nviw1ifnfxc08z25bqxqf0i4i87yfiz8x";
+ })
+ (fetchpatch {
+ url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787";
+ name = "CVE-2020-0556-2.patch";
+ sha256 = "1gm50dzrs2qmzdpsg5f71bygacai5dcvadia6wf9shmjjlxb7l4w";
+ })
];
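Review bot: the two new fetchpatch entries follow the existing CVE-2018-10910 pattern, but the commit message ("bluez: apply patches for CVE-2020-0556") does not record which upstream commits they are; consider naming 8cdbd3b09f29da29374e2f83369df24228da0ad1 and 3cccdbab2324086588df4ccf5f892fb3ce1f1787 together with the Intel advisory link from the PR description in the message so the backport stays traceable. The earlier comment also reports an ofborg failure with the enableWiimote option, so confirm that both patches apply cleanly to bluez-5.50 and that a build with enableWiimote = true still succeeds before this is merged.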
postConfigure = ''

Or just:

commit c60c554c2926fcc2248b98e77d80eb18c2a2f5b8 (HEAD -> release-19.09)
Author: Andreas Rammhold <andreas@rammhold.de>
Date: Fri Mar 13 12:42:31 2020 +0100
bluez: 5.50 -> 5.53
diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix
index be43d23d611..155517473bd 100644
--- a/pkgs/os-specific/linux/bluez/default.nix
+++ b/pkgs/os-specific/linux/bluez/default.nix
@@ -3,11 +3,11 @@
enableWiimote ? false, enableMidi ? false, enableSixaxis ? false }:
stdenv.mkDerivation rec {
- name = "bluez-5.50";
+ name = "bluez-5.53";
src = fetchurl {
url = "mirror://kernel/linux/bluetooth/${name}.tar.xz";
- sha256 = "048r91vx9gs5nwwbah2s0xig04nwk14c5s0vb7qmaqdvighsmz2z";
+ sha256 = "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq";
};
pythonPath = with python3.pkgs; [
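Review bot: the commit message "bluez: 5.50 -> 5.53" reads as a routine version bump; on a release branch it should state that the bump exists to pick up the CVE-2020-0556 fixes, since that is the only reason to move off the version the branch shipped with. The new sha256 for bluez-5.53.tar.xz should also be checked against an independent prefetch of the mirror://kernel URL rather than taken on trust from the diff.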
@@ -23,20 +23,6 @@ stdenv.mkDerivation rec {
outputs = [ "out" "dev" "test" ];
- patches = [
- ./bluez-5.37-obexd_without_systemd-1.patch
- (fetchpatch {
- url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=1880b299086659844889cdaf687133aca5eaf102";
- name = "CVE-2018-10910-1.patch";
- sha256 = "17spsxza27gif8jpxk7360ynvwii1llfdfwg35rwywjjmvww0qj4";
- })
- (fetchpatch {
- url = "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=9213ff7642a33aa481e3c61989ad60f7985b9984";
- name = "CVE-2018-10910-2.patch";
- sha256 = "0j7klbhym64yhn86dbsmybqmwx47bviyyhx931izl1p29z2mg8hn";
- })
- ];
-
postConfigure = ''
substituteInPlace tools/hid2hci.rules \
--replace /sbin/udevadm ${systemd}/bin/udevadm \

Each of these just builds. And each approach carries some risks. Someone should probably verify that it is still working after taking either of these routes.
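Review bot: this hunk removes the whole patches list, including ./bluez-5.37-obexd_without_systemd-1.patch, not only the two CVE-2018-10910 fetchpatches; the commit message gives no reason for dropping the obexd patch, so either confirm that 5.53 no longer needs it (and delete the patch file from the tree in the same commit, which this diff does not show) or keep that entry. For the CVE-2018-10910 patches, confirm that upstream commits 1880b299086659844889cdaf687133aca5eaf102 and 9213ff7642a33aa481e3c61989ad60f7985b9984 are contained in the 5.53 release before relying on the bump to supersede them.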
@GrahamcOfBorg build bluez bluez-alsa bluzFull bluez-tools

Since we're so close to the 20.03 release and end-of-life for 19.09, I've updated the PR to go with the more conservative approach of backporting the patches to bluez-5.50.

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

This is a mass-rebuild, should it target

@GrahamcOfBorg build bluez bluez-alsa bluzFull bluez-tools
See here for details:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
(cherry picked from commit 8f8b645)