Fix crash while handling unsupported events

Resolves: RHEL-35371
Resolves: RHEL-35492

Fixes CVE-2023-27349
Fixes CVE-2023-51589

commit f54299a850676d92c3dafd83e9174fcfe420ccc9
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Wed Mar 22 11:34:24 2023 -0700

    avrcp: Fix crash while handling unsupported events

Signed-off-by: David Marlin <dmarlin@redhat.com>

0001-avrcp-Fix-crash-while-handling-unsupported-events.patch

@@ -0,0 +1,54 @@
+From: David Marlin <dmarlin@redhat.com>
+
+Subject: avrcp: Fix crash while handling unsupported events
+
+Resolves: RHEL-35371
+Resolves: RHEL-35492
+
+Fixes CVE-2023-27349
+Fixes CVE-2023-51589
+
+commit f54299a850676d92c3dafd83e9174fcfe420ccc9
+Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date:   Wed Mar 22 11:34:24 2023 -0700
+
+    avrcp: Fix crash while handling unsupported events
+    
+    The following crash can be observed if the remote peer send and
+    unsupported event:
+    
+    ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+     at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+     WRITE of size 1 at 0x60b000148f11 thread T0
+         #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+         #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+         #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+         #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+         #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+         #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+         #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+         #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
+         #8 0x5596445bb963 in main src/main.c:1289
+         #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+         #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
+         #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
+
+Signed-off-by: David Marlin <dmarlin@redhat.com>
+
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index 80f34c7a77a17ddad89abe62e8a7a028c6fecf3c..dda9a303fb711ca009258ba671dc47b7fdd15f94 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, uint8_t code,
+ 	case AVRCP_EVENT_UIDS_CHANGED:
+ 		avrcp_uids_changed(session, pdu);
+ 		break;
++	default:
++		if (event > AVRCP_EVENT_LAST) {
++			warn("Unsupported event: %u", event);
++			return FALSE;
++		}
++		break;
+ 	}
+ 
+ 	session->registered_events |= (1 << event);

bluez.spec

@@ -1,7 +1,7 @@
 Name:    bluez
 Summary: Bluetooth utilities
 Version: 5.63
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL:     http://www.bluez.org/
 
@@ -52,6 +52,7 @@ Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
 Patch40: 0001-Change-default-of-ClassicBondedOnly.patch
 
 Patch50: 0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch
+Patch51: 0001-avrcp-Fix-crash-while-handling-unsupported-events.patch
 
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
@@ -287,6 +288,13 @@ make check
 %{_userunitdir}/obex.service
 
 %changelog
+* Mon Dec 09 2024 David Marlin <dmarlin@redhat.com> - 5.63-5
++ bluez-5.63-5
+- Resolves: RHEL-35371
+- Fixing CVE-2023-27349
+- Resolves: RHEL-35492
+- Fixing CVE-2023-51589
+
 * Mon Aug 05 2024 David Marlin <dmarlin@redhat.com> - 5.63-4
 + bluez-5.63-4
 - Resolves: RHEL-35501