Branch: refs/heads/master
Home: https://github.com/bluez/bluez

Commit: bf5ec167b66fc40f7c5f3abca58752fee0d4153b
https://github.com/bluez/bluez/commit/bf5ec167b66fc40f7c5f3abca58752fee0d4153b
Author: Pauli Virtanen <pav@xxxxxx>
Date: 2025-08-11 (Mon, 11 Aug 2025)

Changed paths:
M profiles/audio/bap.c

Log Message:
-----------
bap: remove bap_update_cigs callback properly when data is freed

setup_free() may re-enable the CIG update callback. If this occurs in
bap_data_free(), the callback crashes with UAF. Fix by moving the clearing
of the callback after all setups are freed.

Commit: 013b3431c58d81e9e01dac7e8a5d088e357326a3
https://github.com/bluez/bluez/commit/013b3431c58d81e9e01dac7e8a5d088e357326a3
Author: Oliver Chang <ochang@xxxxxxxxxx>
Date: 2025-08-11 (Mon, 11 Aug 2025)

Changed paths:
M src/sdp-xml.c

Log Message:
-----------
Fix buffer overflow in sdp_xml_parse_uuid128

This was found by OSS-Fuzz. This can be reproduced by running this input:

`<uuid value="111111111111111111111111111111111111">`

against the harness in
https://github.com/google/oss-fuzz/blob/master/projects/bluez/fuzz_xml.c
which just calls `sdp_xml_parse_record`.

`sdp_xml_parse_uuid` checks that the length of the string is 36 (32 digits
+ 4 '-' characters) prior to calling `sdp_xml_parse_uuid128`. There's no
check preventing this data from being 36 digits (with no "-"), which leads
to a buffer overflow in sdp_xml_parse_uuid128.

https://issues.oss-fuzz.com/issues/42534847
https://oss-fuzz.com/testcase-detail/5070205940531200

Compare: https://github.com/bluez/bluez/compare/5ccbff0898fa...013b3431c58d
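Added here as an illustration of the check the second commit message describes; this is example code, not the BlueZ fix and not any function from src/sdp-xml.c. It assumes the standard textual UUID layout (8-4-4-4-12 hex digits separated by '-') and shows why a bare length-36 test is not enough: the OSS-Fuzz input of 36 '1' characters passes the length test but has no separators, so a parser that assumes 32 digits in fixed positions reads one "pair" too many.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: map one ASCII hex digit to its value, or -1. */
static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/*
 * Strict parse of "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" into 16 bytes.
 * Beyond the length check, every position is validated: '-' must sit at
 * offsets 8, 13, 18 and 23 and every other offset must be a hex digit.
 * Exactly 32 digits are therefore consumed and out[16] cannot be overrun.
 * Returns 1 on success (out filled), 0 on any malformed input (out untouched).
 */
int parse_uuid128_strict(const char *s, uint8_t out[16])
{
	uint8_t buf[16] = {0};
	size_t digits = 0;

	if (!s || strlen(s) != 36)
		return 0;

	for (size_t i = 0; i < 36; i++) {
		int v;

		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return 0; /* separator missing: reject, never treat it as data */
			continue;
		}
		v = hex_nibble(s[i]);
		if (v < 0 || digits >= 32)
			return 0; /* non-hex digit, or more digits than buf can hold */
		buf[digits / 2] |= (uint8_t)(v << ((digits % 2) ? 0 : 4));
		digits++;
	}
	if (digits != 32)
		return 0;

	memcpy(out, buf, 16);
	return 1;
}
```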