CVE-2022-0204 (https://bugzilla.redhat.com/show_bug.cgi?id=2039807): A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service. The GitHub advisory claims this can result in remote code execution, but RedHat closed the bug as NOTABUG without explanation, yet gave this a CVE anyway, with a different impact than the advisory.
This is the patch: https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0 So, please clean up.
Sorry, right, we need stabilization here
Now please clean up :)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce2e1c7de43ea080fbf8e1dea2af821993d8d6d6

commit ce2e1c7de43ea080fbf8e1dea2af821993d8d6d6
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2022-04-18 16:23:31 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2022-04-18 16:23:31 +0000

    net-wireless/bluez: drop 5.62-r2, 5.62-r3, 5.63-r1

    Bug: https://bugs.gentoo.org/835077
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 net-wireless/bluez/Manifest                                   |   2 -
 net-wireless/bluez/bluez-5.62-r2.ebuild                       | 285 ----------
 net-wireless/bluez/bluez-5.62-r3.ebuild                       | 295 ----------
 net-wireless/bluez/bluez-5.63-r1.ebuild                       | 295 ----------
 ...1-Revert-attrib-Make-use-of-bt_att_resend.patch            | 188 -------
 ...hog-Fix-read-order-of-attributes-rediffed.patch            | 542 --------------------
 ...while-uhid-device-has-not-been-c-rediffed.patch            |  90 ----
 .../bluez/files/bluez-5.62-fix-disconnecting.patch            |  54 --
 8 files changed, 1751 deletions(-)