[bug#28447] [PATCH] gnu: bluez: Fix CVE-2017-1000250.

unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed

* [bug#28447] [PATCH] gnu: bluez: Fix CVE-2017-1000250.
@ 2017-09-13 15:44 Marius Bakke
  2017-09-14  8:22 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Marius Bakke @ 2017-09-13 15:44 UTC (permalink / raw)
  To: 28447

* gnu/packages/linux.scm (%bluez-CVE-2017-1000250.patch): New variable.
(bluez)[replacement]: New field.
(bluez/fixed): New variable.
---
 gnu/packages/linux.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index bfa736c1c..9dc68a2b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3009,10 +3009,24 @@ applications.")
 Bluetooth audio output devices like headphones or loudspeakers.")
     (license license:gpl2+)))
 
+;; Fix remote information disclosure in bluetoothd.
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
+;; https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000250.html
+(define %bluez-CVE-2017-1000250.patch
+  (origin
+    (method url-fetch)
+    (uri "https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=\
+9e009647b14e810e06626dde7f1bb9ea3c375d09")
+    (file-name "bluez-CVE-2017-1000250.patch")
+    (sha256
+     (base32
+      "0p6gblj775sv0xx4pvdll39j6spg8ihhshid5z6lgrjh0rmxi3sk"))))
+
 (define-public bluez
   (package
     (name "bluez")
     (version "5.45")
+    (replacement bluez/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -3074,6 +3088,13 @@ Bluetooth audio output devices like headphones or loudspeakers.")
 is flexible, efficient and uses a modular implementation.")
     (license license:gpl2+)))
 
+(define bluez/fixed
+  (package
+    (inherit bluez)
+    (source (origin
+              (inherit (package-source bluez))
+              (patches (list %bluez-CVE-2017-1000250.patch))))))
+
 (define-public fuse-exfat
   (package
     (name "fuse-exfat")
-- 
2.14.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [bug#28447] [PATCH] gnu: bluez: Fix CVE-2017-1000250.
  2017-09-13 15:44 [bug#28447] [PATCH] gnu: bluez: Fix CVE-2017-1000250 Marius Bakke
@ 2017-09-14  8:22 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2017-09-14  8:22 UTC (permalink / raw)
  To: Marius Bakke; +Cc: Mark H Weaver, 28447-done

Hi Marius,

Marius Bakke <mbakke@fastmail.com> skribis:

> * gnu/packages/linux.scm (%bluez-CVE-2017-1000250.patch): New variable.
> (bluez)[replacement]: New field.
> (bluez/fixed): New variable.

Mark beat you at it:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=27236a43486b8fbb9d55d533e558165bab07d020

The only difference I can see is that Mark included the patch in the repo.

Maybe we should coordinate for security fixes via IRC or something.  :-)

Thanks to both of you!

Ludo’.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-09-14  8:23 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-13 15:44 [bug#28447] [PATCH] gnu: bluez: Fix CVE-2017-1000250 Marius Bakke
2017-09-14  8:22 ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).