SOURCES/0001-Change-default-of-ClassicBondedOnly.patch

@@ -1,54 +0,0 @@
-From: David Marlin <dmarlin@redhat.com>
-
-Subject: input.conf: Change default of ClassicBondedOnly
-
-Resolves: RHEL-18429
-
-CVE: CVE-2023-45866
-
-commit 25a471a83e02e1effb15d5a488b3f0085eaeb675
-Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date:   Tue Oct 10 13:03:12 2023 -0700
-
-    input.conf: Change default of ClassicBondedOnly
-    
-    This changes the default of ClassicBondedOnly since defaulting to false
-    is not inline with HID specification which mandates the of Security Mode
-    4:
-    
-    BLUETOOTH SPECIFICATION Page 84 of 123
-    Human Interface Device (HID) Profile:
-    
-      5.4.3.4.2 Security Modes
-      Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
-      Bluetooth HID devices that are compliant to the Bluetooth Core
-      Specification v2.1+EDR[6].
-
-Signed-off-by: David Marlin <dmarlin@redhat.com>
-
-diff --git a/profiles/input/device.c b/profiles/input/device.c
-index 4a50ea9921a97751a94547c0e73177d58184a75d..4310dd192e113f9875c07117d523167655cef954 100644
---- a/profiles/input/device.c
-+++ b/profiles/input/device.c
-@@ -81,7 +81,7 @@ struct input_device {
- 
- static int idle_timeout = 0;
- static bool uhid_enabled = false;
--static bool classic_bonded_only = false;
-+static bool classic_bonded_only = true;
- 
- void input_set_idle_timeout(int timeout)
- {
-diff --git a/profiles/input/input.conf b/profiles/input/input.conf
-index 4c70bc561f05429442c6fe0a183584ad1536fa4b..d8645f3dd664e2d671791878462f8a0dc74e04a5 100644
---- a/profiles/input/input.conf
-+++ b/profiles/input/input.conf
-@@ -17,7 +17,7 @@
- # platforms may want to make sure that input connections only come from bonded
- # device connections. Several older mice have been known for not supporting
- # pairing/encryption.
--# Defaults to false to maximize device compatibility.
-+# Defaults to true for security.
- #ClassicBondedOnly=true
- 
- # LE upgrade security

SOURCES/0001-avrcp-Fix-crash-while-handling-unsupported-events.patch

@@ -1,54 +0,0 @@
-From: David Marlin <dmarlin@redhat.com>
-
-Subject: avrcp: Fix crash while handling unsupported events
-
-Resolves: RHEL-35371
-Resolves: RHEL-35492
-
-Fixes CVE-2023-27349
-Fixes CVE-2023-51589
-
-commit f54299a850676d92c3dafd83e9174fcfe420ccc9
-Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date:   Wed Mar 22 11:34:24 2023 -0700
-
-    avrcp: Fix crash while handling unsupported events
-    
-    The following crash can be observed if the remote peer send and
-    unsupported event:
-    
-    ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
-     at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
-     WRITE of size 1 at 0x60b000148f11 thread T0
-         #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
-         #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
-         #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
-         #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
-         #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
-         #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
-         #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
-         #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
-         #8 0x5596445bb963 in main src/main.c:1289
-         #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-         #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
-         #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
-
-Signed-off-by: David Marlin <dmarlin@redhat.com>
-
-diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
-index 80f34c7a77a17ddad89abe62e8a7a028c6fecf3c..dda9a303fb711ca009258ba671dc47b7fdd15f94 100644
---- a/profiles/audio/avrcp.c
-+++ b/profiles/audio/avrcp.c
-@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, uint8_t code,
- 	case AVRCP_EVENT_UIDS_CHANGED:
- 		avrcp_uids_changed(session, pdu);
- 		break;
-+	default:
-+		if (event > AVRCP_EVENT_LAST) {
-+			warn("Unsupported event: %u", event);
-+			return FALSE;
-+		}
-+		break;
- 	}
- 
- 	session->registered_events |= (1 << event);

SOURCES/0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch

@@ -1,73 +0,0 @@
-From: David Marlin <dmarlin@redhat.com>
-
-Subject: pbap: Fix not checking Primary/Secundary Counter length
-
-Resolves: RHEL-35501
-Resolves: RHEL-35504
-
-CVE: CVE-2023-50230
-CVE: CVE-2023-50229
-
-commit 5ab5352531a9cc7058cce569607f3a6831464443
-Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date:   Tue Sep 19 12:14:01 2023 -0700
-
-    pbap: Fix not checking Primary/Secundary Counter length
-    
-    Primary/Secundary Counters are supposed to be 16 bytes values, if the
-    server has implemented them incorrectly it may lead to the following
-    crash:
-    
-    =================================================================
-    ==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
-    0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
-    
-     READ of size 48 at 0x607000001878 thread T0
-         #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
-         #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
-         #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
-         #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
-         #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
-         #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
-         #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
-         #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
-         #8 0x564df698b9ee in handle_response gobex/gobex.c:1140
-         #9 0x564df698cdea in incoming_data gobex/gobex.c:1385
-         #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
-         #11 0x7f95a13526c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
-         #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
-         #13 0x564df6977d41 in main obexd/src/main.c:307
-         #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-         #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
-         #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
-     0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
-    
-     allocated by thread T0 here:
-         #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
-         #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
-
-Signed-off-by: David Marlin <dmarlin@redhat.com>
-
-diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
-index 1ed8c68eccd00097a8539aaa9ede9feed9b6d060..2d2aa950898c38984d544e7708610d4c2af43b59 100644
---- a/obexd/client/pbap.c
-+++ b/obexd/client/pbap.c
-@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
- 		data = value;
- 	}
- 
--	if (memcmp(pbap->primary, data, len)) {
-+	if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
- 		memcpy(pbap->primary, data, len);
- 		g_dbus_emit_property_changed(conn,
- 					obc_session_get_path(pbap->session),
-@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
- 		data = value;
- 	}
- 
--	if (memcmp(pbap->secondary, data, len)) {
-+	if (len == sizeof(pbap->secondary) &&
-+			memcmp(pbap->secondary, data, len)) {
- 		memcpy(pbap->secondary, data, len);
- 		g_dbus_emit_property_changed(conn,
- 					obc_session_get_path(pbap->session),

SPECS/bluez.spec

@@ -1,7 +1,7 @@
 Name:    bluez
 Summary: Bluetooth utilities
 Version: 5.63
-Release: 5%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 URL:     http://www.bluez.org/
 
@@ -49,11 +49,6 @@ Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
 
 #Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
 
-Patch40: 0001-Change-default-of-ClassicBondedOnly.patch
-
-Patch50: 0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch
-Patch51: 0001-avrcp-Fix-crash-while-handling-unsupported-events.patch
-
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@@ -288,30 +283,6 @@ make check
 %{_userunitdir}/obex.service
 
 %changelog
-* Mon Dec 09 2024 David Marlin <dmarlin@redhat.com> - 5.63-5
-+ bluez-5.63-5
-- Resolves: RHEL-35371
-- Fixing CVE-2023-27349
-- Resolves: RHEL-35492
-- Fixing CVE-2023-51589
-
-* Mon Aug 05 2024 David Marlin <dmarlin@redhat.com> - 5.63-4
-+ bluez-5.63-4
-- Resolves: RHEL-35501
-- Fixing CVE-2023-50230
-- Resolves: RHEL-35504
-- Fixing CVE-2023-50229
-
-* Thu Jun 06 2024 David Marlin <dmarlin@redhat.com> - 5.63-3
-+ bluez-5.63-3
-- Add back the tests for OSCI.
-
-* Wed May 29 2024 David Marlin <dmarlin@redhat.com> - 5.63-2
-+ bluez-5.63-2
-- Change default of ClassicBondedOnly to true to align with HID specification.
-- Resolves: RHEL-18429
-- Fixing CVE-2021-41229
-
 * Tue May 17 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.63-1
 + bluez-5.63-1
 - Fixing (#)