* [bug#40044] BlueZ CVE-2020-0556
@ 2020-03-12 19:24 Leo Famulari
2020-03-12 19:28 ` [bug#40044] [PATCH] gnu: BlueZ: Fix CVE-2020-0556 Leo Famulari
2020-03-12 19:29 ` [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes] Leo Famulari
0 siblings, 2 replies; 5+ messages in thread
From: Leo Famulari @ 2020-03-12 19:24 UTC (permalink / raw)
To: 40044
There's some kind of privilege escalation bug in BlueZ:
https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
They released 5.53, so here are patches that graft the update or graft
just the upstream patches.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#40044] [PATCH] gnu: BlueZ: Fix CVE-2020-0556.
2020-03-12 19:24 [bug#40044] BlueZ CVE-2020-0556 Leo Famulari
@ 2020-03-12 19:28 ` Leo Famulari
2020-03-13 23:25 ` bug#40044: " Leo Famulari
2020-03-12 19:29 ` [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes] Leo Famulari
1 sibling, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2020-03-12 19:28 UTC (permalink / raw)
To: 40044
* gnu/packages/patches/bluez-CVE-2020-0556.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (bluez)[replacement]: New field.
(bluez/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 9 +
.../patches/bluez-CVE-2020-0556.patch | 180 ++++++++++++++++++
3 files changed, 190 insertions(+)
create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 99baddea92..8e312e24e7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -763,6 +763,7 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blender-2.79-newer-ffmpeg.patch \
%D%/packages/patches/blender-2.79-python-3.7-fix.patch \
+ %D%/packages/patches/bluez-CVE-2020-0556.patch \
%D%/packages/patches/byobu-writable-status.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-remove-test-bs4.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 01986222e8..0e84a1750e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3994,6 +3994,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
(define-public bluez
(package
(name "bluez")
+ (replacement bluez/fixed)
(version "5.52")
(source (origin
(method url-fetch)
@@ -4059,6 +4060,14 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
+(define bluez/fixed
+ (package
+ (inherit bluez)
+ (source (origin
+ (inherit (package-source bluez))
+ (patches (append (origin-patches (package-source bluez))
+ (search-patches "bluez-CVE-2020-0556.patch")))))))
+
(define-public fuse-exfat
(package
(name "fuse-exfat")
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
new file mode 100644
index 0000000000..7c34459a3a
--- /dev/null
+++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch
@@ -0,0 +1,180 @@
+Fix CVE-2020-0556:
+
+https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
+
+Patches copied from upstream source repository:
+
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
+
+From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
+From: Alain Michaud <alainm@chromium.org>
+Date: Tue, 10 Mar 2020 02:35:18 +0000
+Subject: [PATCH] HID accepts bonded device connections only.
+
+This change adds a configuration for platforms to choose a more secure
+posture for the HID profile. While some older mice are known to not
+support pairing or encryption, some platform may choose a more secure
+posture by requiring the device to be bonded and require the
+connection to be encrypted when bonding is required.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+---
+ profiles/input/device.c | 23 ++++++++++++++++++++++-
+ profiles/input/device.h | 1 +
+ profiles/input/input.conf | 8 ++++++++
+ profiles/input/manager.c | 13 ++++++++++++-
+ 4 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 2cb3811c8..d89da2d7c 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -92,6 +92,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
++static bool classic_bonded_only = false;
+
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
+ uhid_enabled = state;
+ }
+
++void input_set_classic_bonded_only(bool state)
++{
++ classic_bonded_only = state;
++}
++
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+
+@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
+ if (device_name_known(idev->device))
+ device_get_name(idev->device, req->name, sizeof(req->name));
+
++ /* Make sure the device is bonded if required */
++ if (classic_bonded_only && !device_is_bonded(idev->device,
++ btd_device_get_bdaddr_type(idev->device))) {
++ error("Rejected connection from !bonded device %s", dst_addr);
++ goto cleanup;
++ }
++
+ /* Encryption is mandatory for keyboards */
+- if (req->subclass & 0x40) {
++ /* Some platforms may choose to require encryption for all devices */
++ /* Note that this only matters for pre 2.1 devices as otherwise the */
++ /* device is encrypted by default by the lower layers */
++ if (classic_bonded_only || req->subclass & 0x40) {
+ if (!bt_io_set(idev->intr_io, &gerr,
+ BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ BT_IO_OPT_INVALID)) {
+@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ DBG("path=%s reconnect_mode=%s", idev->path,
+ reconnect_mode_to_string(idev->reconnect_mode));
+
++ /* Make sure the device is bonded if required */
++ if (classic_bonded_only && !device_is_bonded(idev->device,
++ btd_device_get_bdaddr_type(idev->device)))
++ return;
++
+ /* Only attempt an auto-reconnect when the device is required to
+ * accept reconnections from the host.
+ */
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee18..3044db673 100644
+--- a/profiles/input/device.h
++++ b/profiles/input/device.h
+@@ -29,6 +29,7 @@ struct input_conn;
+
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
++void input_set_classic_bonded_only(bool state);
+
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65aae..166aff4a4 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -11,3 +11,11 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
++
++# Limit HID connections to bonded devices
++# The HID Profile does not specify that devices must be bonded, however some
++# platforms may want to make sure that input connections only come from bonded
++# device connections. Several older mice have been known for not supporting
++# pairing/encryption.
++# Defaults to false to maximize device compatibility.
++#ClassicBondedOnly=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b0652..5cd27b839 100644
+--- a/profiles/input/manager.c
++++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ config = load_config_file(CONFIGDIR "/input.conf");
+ if (config) {
+ int idle_timeout;
+- gboolean uhid_enabled;
++ gboolean uhid_enabled, classic_bonded_only;
+
+ idle_timeout = g_key_file_get_integer(config, "General",
+ "IdleTimeout", &err);
+@@ -114,6 +114,17 @@ static int input_init(void)
+ input_enable_userspace_hid(uhid_enabled);
+ } else
+ g_clear_error(&err);
++
++ classic_bonded_only = g_key_file_get_boolean(config, "General",
++ "ClassicBondedOnly", &err);
++
++ if (!err) {
++ DBG("input.conf: ClassicBondedOnly=%s",
++ classic_bonded_only ? "true" : "false");
++ input_set_classic_bonded_only(classic_bonded_only);
++ } else
++ g_clear_error(&err);
++
+ }
+
+ btd_profile_register(&input_profile);
+--
+2.25.1
+
+From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
+From: Alain Michaud <alainm@chromium.org>
+Date: Tue, 10 Mar 2020 02:35:16 +0000
+Subject: [PATCH] HOGP must only accept data from bonded devices.
+
+HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
+---
+ profiles/input/hog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 83c017dcb..dfac68921 100644
+--- a/profiles/input/hog.c
++++ b/profiles/input/hog.c
+@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
+ return -EINVAL;
+ }
+
++ /* HOGP 1.0 Section 6.1 requires bonding */
++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
++ return -ECONNREFUSED;
++
+ /* TODO: Replace GAttrib with bt_gatt_client */
+ bt_hog_attach(dev->hog, attrib);
+
+--
+2.25.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes].
2020-03-12 19:24 [bug#40044] BlueZ CVE-2020-0556 Leo Famulari
2020-03-12 19:28 ` [bug#40044] [PATCH] gnu: BlueZ: Fix CVE-2020-0556 Leo Famulari
@ 2020-03-12 19:29 ` Leo Famulari
2020-03-13 16:26 ` Leo Famulari
1 sibling, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2020-03-12 19:29 UTC (permalink / raw)
To: 40044
Apparently this fixes a privilege escalation bug:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
* gnu/packages/linux.scm (bluez-5.53): New variable.
(bluez)[replacement]: New field.
---
gnu/packages/linux.scm | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 01986222e8..61b02591a4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3995,6 +3995,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
(package
(name "bluez")
(version "5.52")
+ (replacement bluez-5.53)
(source (origin
(method url-fetch)
(uri (string-append
@@ -4059,6 +4060,19 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
+(define bluez-5.53
+ (package
+ (inherit bluez)
+ (version "5.53")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "mirror://kernel.org/linux/bluetooth/bluez-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq"))))))
+
(define-public fuse-exfat
(package
(name "fuse-exfat")
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes].
2020-03-12 19:29 ` [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes] Leo Famulari
@ 2020-03-13 16:26 ` Leo Famulari
0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2020-03-13 16:26 UTC (permalink / raw)
To: 40044
On Thu, Mar 12, 2020 at 03:29:40PM -0400, Leo Famulari wrote:
> Apparently this fixes a privilege escalation bug:
>
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
>
> * gnu/packages/linux.scm (bluez-5.53): New variable.
> (bluez)[replacement]: New field.
Intel and I were mistaken — the bug fix is not included in the 5.53
release. So this patch should be disregarded.
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#40044: [PATCH] gnu: BlueZ: Fix CVE-2020-0556.
2020-03-12 19:28 ` [bug#40044] [PATCH] gnu: BlueZ: Fix CVE-2020-0556 Leo Famulari
@ 2020-03-13 23:25 ` Leo Famulari
0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2020-03-13 23:25 UTC (permalink / raw)
To: 40044-done
On Thu, Mar 12, 2020 at 03:28:59PM -0400, Leo Famulari wrote:
> * gnu/packages/patches/bluez-CVE-2020-0556.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (bluez)[replacement]: New field.
> (bluez/fixed): New variable.
Pushed as 364a1374ad5e04a91cdc29203f0c8073eede72d4. Thanks nckx for
testing!
> ---
> gnu/local.mk | 1 +
> gnu/packages/linux.scm | 9 +
> .../patches/bluez-CVE-2020-0556.patch | 180 ++++++++++++++++++
> 3 files changed, 190 insertions(+)
> create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 99baddea92..8e312e24e7 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -763,6 +763,7 @@ dist_patch_DATA = \
> %D%/packages/patches/binutils-loongson-workaround.patch \
> %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \
> %D%/packages/patches/blender-2.79-python-3.7-fix.patch \
> + %D%/packages/patches/bluez-CVE-2020-0556.patch \
> %D%/packages/patches/byobu-writable-status.patch \
> %D%/packages/patches/calibre-no-updates-dialog.patch \
> %D%/packages/patches/calibre-remove-test-bs4.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 01986222e8..0e84a1750e 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -3994,6 +3994,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
> (define-public bluez
> (package
> (name "bluez")
> + (replacement bluez/fixed)
> (version "5.52")
> (source (origin
> (method url-fetch)
> @@ -4059,6 +4060,14 @@ Bluetooth audio output devices like headphones or loudspeakers.")
> is flexible, efficient and uses a modular implementation.")
> (license license:gpl2+)))
>
> +(define bluez/fixed
> + (package
> + (inherit bluez)
> + (source (origin
> + (inherit (package-source bluez))
> + (patches (append (origin-patches (package-source bluez))
> + (search-patches "bluez-CVE-2020-0556.patch")))))))
> +
> (define-public fuse-exfat
> (package
> (name "fuse-exfat")
> diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
> new file mode 100644
> index 0000000000..7c34459a3a
> --- /dev/null
> +++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch
> @@ -0,0 +1,180 @@
> +Fix CVE-2020-0556:
> +
> +https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
> +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
> +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
> +
> +Patches copied from upstream source repository:
> +
> +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
> +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
> +
> +From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
> +From: Alain Michaud <alainm@chromium.org>
> +Date: Tue, 10 Mar 2020 02:35:18 +0000
> +Subject: [PATCH] HID accepts bonded device connections only.
> +
> +This change adds a configuration for platforms to choose a more secure
> +posture for the HID profile. While some older mice are known to not
> +support pairing or encryption, some platform may choose a more secure
> +posture by requiring the device to be bonded and require the
> +connection to be encrypted when bonding is required.
> +
> +Reference:
> +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
> +---
> + profiles/input/device.c | 23 ++++++++++++++++++++++-
> + profiles/input/device.h | 1 +
> + profiles/input/input.conf | 8 ++++++++
> + profiles/input/manager.c | 13 ++++++++++++-
> + 4 files changed, 43 insertions(+), 2 deletions(-)
> +
> +diff --git a/profiles/input/device.c b/profiles/input/device.c
> +index 2cb3811c8..d89da2d7c 100644
> +--- a/profiles/input/device.c
> ++++ b/profiles/input/device.c
> +@@ -92,6 +92,7 @@ struct input_device {
> +
> + static int idle_timeout = 0;
> + static bool uhid_enabled = false;
> ++static bool classic_bonded_only = false;
> +
> + void input_set_idle_timeout(int timeout)
> + {
> +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
> + uhid_enabled = state;
> + }
> +
> ++void input_set_classic_bonded_only(bool state)
> ++{
> ++ classic_bonded_only = state;
> ++}
> ++
> + static void input_device_enter_reconnect_mode(struct input_device *idev);
> + static int connection_disconnect(struct input_device *idev, uint32_t flags);
> +
> +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
> + if (device_name_known(idev->device))
> + device_get_name(idev->device, req->name, sizeof(req->name));
> +
> ++ /* Make sure the device is bonded if required */
> ++ if (classic_bonded_only && !device_is_bonded(idev->device,
> ++ btd_device_get_bdaddr_type(idev->device))) {
> ++ error("Rejected connection from !bonded device %s", dst_addr);
> ++ goto cleanup;
> ++ }
> ++
> + /* Encryption is mandatory for keyboards */
> +- if (req->subclass & 0x40) {
> ++ /* Some platforms may choose to require encryption for all devices */
> ++ /* Note that this only matters for pre 2.1 devices as otherwise the */
> ++ /* device is encrypted by default by the lower layers */
> ++ if (classic_bonded_only || req->subclass & 0x40) {
> + if (!bt_io_set(idev->intr_io, &gerr,
> + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
> + BT_IO_OPT_INVALID)) {
> +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
> + DBG("path=%s reconnect_mode=%s", idev->path,
> + reconnect_mode_to_string(idev->reconnect_mode));
> +
> ++ /* Make sure the device is bonded if required */
> ++ if (classic_bonded_only && !device_is_bonded(idev->device,
> ++ btd_device_get_bdaddr_type(idev->device)))
> ++ return;
> ++
> + /* Only attempt an auto-reconnect when the device is required to
> + * accept reconnections from the host.
> + */
> +diff --git a/profiles/input/device.h b/profiles/input/device.h
> +index 51a9aee18..3044db673 100644
> +--- a/profiles/input/device.h
> ++++ b/profiles/input/device.h
> +@@ -29,6 +29,7 @@ struct input_conn;
> +
> + void input_set_idle_timeout(int timeout);
> + void input_enable_userspace_hid(bool state);
> ++void input_set_classic_bonded_only(bool state);
> +
> + int input_device_register(struct btd_service *service);
> + void input_device_unregister(struct btd_service *service);
> +diff --git a/profiles/input/input.conf b/profiles/input/input.conf
> +index 3e1d65aae..166aff4a4 100644
> +--- a/profiles/input/input.conf
> ++++ b/profiles/input/input.conf
> +@@ -11,3 +11,11 @@
> + # Enable HID protocol handling in userspace input profile
> + # Defaults to false (HIDP handled in HIDP kernel module)
> + #UserspaceHID=true
> ++
> ++# Limit HID connections to bonded devices
> ++# The HID Profile does not specify that devices must be bonded, however some
> ++# platforms may want to make sure that input connections only come from bonded
> ++# device connections. Several older mice have been known for not supporting
> ++# pairing/encryption.
> ++# Defaults to false to maximize device compatibility.
> ++#ClassicBondedOnly=true
> +diff --git a/profiles/input/manager.c b/profiles/input/manager.c
> +index 1d31b0652..5cd27b839 100644
> +--- a/profiles/input/manager.c
> ++++ b/profiles/input/manager.c
> +@@ -96,7 +96,7 @@ static int input_init(void)
> + config = load_config_file(CONFIGDIR "/input.conf");
> + if (config) {
> + int idle_timeout;
> +- gboolean uhid_enabled;
> ++ gboolean uhid_enabled, classic_bonded_only;
> +
> + idle_timeout = g_key_file_get_integer(config, "General",
> + "IdleTimeout", &err);
> +@@ -114,6 +114,17 @@ static int input_init(void)
> + input_enable_userspace_hid(uhid_enabled);
> + } else
> + g_clear_error(&err);
> ++
> ++ classic_bonded_only = g_key_file_get_boolean(config, "General",
> ++ "ClassicBondedOnly", &err);
> ++
> ++ if (!err) {
> ++ DBG("input.conf: ClassicBondedOnly=%s",
> ++ classic_bonded_only ? "true" : "false");
> ++ input_set_classic_bonded_only(classic_bonded_only);
> ++ } else
> ++ g_clear_error(&err);
> ++
> + }
> +
> + btd_profile_register(&input_profile);
> +--
> +2.25.1
> +
> +From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
> +From: Alain Michaud <alainm@chromium.org>
> +Date: Tue, 10 Mar 2020 02:35:16 +0000
> +Subject: [PATCH] HOGP must only accept data from bonded devices.
> +
> +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
> +
> +Reference:
> +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
> +---
> + profiles/input/hog.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/profiles/input/hog.c b/profiles/input/hog.c
> +index 83c017dcb..dfac68921 100644
> +--- a/profiles/input/hog.c
> ++++ b/profiles/input/hog.c
> +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
> + return -EINVAL;
> + }
> +
> ++ /* HOGP 1.0 Section 6.1 requires bonding */
> ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
> ++ return -ECONNREFUSED;
> ++
> + /* TODO: Replace GAttrib with bt_gatt_client */
> + bt_hog_attach(dev->hog, attrib);
> +
> +--
> +2.25.1
> +
> --
> 2.25.1
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-13 23:26 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-12 19:24 [bug#40044] BlueZ CVE-2020-0556 Leo Famulari
2020-03-12 19:28 ` [bug#40044] [PATCH] gnu: BlueZ: Fix CVE-2020-0556 Leo Famulari
2020-03-13 23:25 ` bug#40044: " Leo Famulari
2020-03-12 19:29 ` [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes] Leo Famulari
2020-03-13 16:26 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).