From 829f32cc2eeb39ea509e5032ddbc123dc1254e4f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 07:03:31 +0000 Subject: import bluez-5.44-7.el7 --- diff --git a/SOURCES/0001-HOGP-must-only-accept-data-from-bonded-devices.patch b/SOURCES/0001-HOGP-must-only-accept-data-from-bonded-devices.patch new file mode 100644 index 0000000..a59b807 --- /dev/null +++ b/SOURCES/0001-HOGP-must-only-accept-data-from-bonded-devices.patch @@ -0,0 +1,37 @@ +From 89fb68570e72a854f10d50bec99112d294597483 Mon Sep 17 00:00:00 2001 +From: Gopal Tiwari +Date: Fri, 24 Apr 2020 16:06:37 +0530 +Subject: [PATCH BlueZ 1/2] HOGP must only accept data from bonded devices. + +commit 8cdbd3b09f29da29374e2f83369df24228da0ad1 +Author: Alain Michaud +Date: Tue Mar 10 02:35:16 2020 +0000 + + HOGP must only accept data from bonded devices. + + HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. + + Reference: + https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm +--- + profiles/input/hog.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index 23c9c1529..f8a82bc20 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) + return -EINVAL; + } + ++ /* HOGP 1.0 Section 6.1 requires bonding */ ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) ++ return -ECONNREFUSED; ++ + /* TODO: Replace GAttrib with bt_gatt_client */ + bt_hog_attach(dev->hog, attrib); + +-- +2.21.1 + diff --git a/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch b/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch new file mode 100644 index 0000000..76b8a9b --- /dev/null +++ b/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch @@ -0,0 +1,144 @@ +From b84b23845ec9730b783f4e6efcee70c8b2f09f29 Mon Sep 17 00:00:00 2001 +From: Gopal Tiwari +Date: Fri, 24 Apr 2020 16:27:58 +0530 +Subject: [PATCH BlueZ 2/2] HID accepts bonded device connections only. + +commit 3cccdbab2324086588df4ccf5f892fb3ce1f1787 +Author: Alain Michaud +Date: Tue Mar 10 02:35:18 2020 +0000 + + HID accepts bonded device connections only. + + This change adds a configuration for platforms to choose a more secure + posture for the HID profile. While some older mice are known to not + support pairing or encryption, some platform may choose a more secure + posture by requiring the device to be bonded and require the + connection to be encrypted when bonding is required. + + Reference: + https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +--- + profiles/input/device.c | 23 ++++++++++++++++++++++- + profiles/input/device.h | 1 + + profiles/input/input.conf | 8 ++++++++ + profiles/input/manager.c | 13 ++++++++++++- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 84614784d..3abd2f592 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -91,6 +91,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; ++static bool classic_bonded_only = false; + + void input_set_idle_timeout(int timeout) + { +@@ -102,6 +103,11 @@ void input_enable_userspace_hid(bool state) + uhid_enabled = state; + } + ++void input_set_classic_bonded_only(bool state) ++{ ++ classic_bonded_only = state; ++} ++ + static void input_device_enter_reconnect_mode(struct input_device *idev); + static int connection_disconnect(struct input_device *idev, uint32_t flags); + +@@ -969,8 +975,18 @@ static int hidp_add_connection(struct input_device *idev) + if (device_name_known(idev->device)) + device_get_name(idev->device, req->name, sizeof(req->name)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) { ++ error("Rejected connection from !bonded device %s", dst_addr); ++ goto cleanup; ++ } ++ + /* Encryption is mandatory for keyboards */ +- if (req->subclass & 0x40) { ++ /* Some platforms may choose to require encryption for all devices */ ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ ++ /* device is encrypted by default by the lower layers */ ++ if (classic_bonded_only || req->subclass & 0x40) { + if (!bt_io_set(idev->intr_io, &gerr, + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, + BT_IO_OPT_INVALID)) { +@@ -1202,6 +1218,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) + DBG("path=%s reconnect_mode=%s", idev->path, + reconnect_mode_to_string(idev->reconnect_mode)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) ++ return; ++ + /* Only attempt an auto-reconnect when the device is required to + * accept reconnections from the host. + */ +diff --git a/profiles/input/device.h b/profiles/input/device.h +index 51a9aee18..3044db673 100644 +--- a/profiles/input/device.h ++++ b/profiles/input/device.h +@@ -29,6 +29,7 @@ struct input_conn; + + void input_set_idle_timeout(int timeout); + void input_enable_userspace_hid(bool state); ++void input_set_classic_bonded_only(bool state); + + int input_device_register(struct btd_service *service); + void input_device_unregister(struct btd_service *service); +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 3e1d65aae..166aff4a4 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -11,3 +11,11 @@ + # Enable HID protocol handling in userspace input profile + # Defaults to false (HIDP handled in HIDP kernel module) + #UserspaceHID=true ++ ++# Limit HID connections to bonded devices ++# The HID Profile does not specify that devices must be bonded, however some ++# platforms may want to make sure that input connections only come from bonded ++# device connections. Several older mice have been known for not supporting ++# pairing/encryption. ++# Defaults to false to maximize device compatibility. ++#ClassicBondedOnly=true +diff --git a/profiles/input/manager.c b/profiles/input/manager.c +index 1d31b0652..5cd27b839 100644 +--- a/profiles/input/manager.c ++++ b/profiles/input/manager.c +@@ -96,7 +96,7 @@ static int input_init(void) + config = load_config_file(CONFIGDIR "/input.conf"); + if (config) { + int idle_timeout; +- gboolean uhid_enabled; ++ gboolean uhid_enabled, classic_bonded_only; + + idle_timeout = g_key_file_get_integer(config, "General", + "IdleTimeout", &err); +@@ -114,6 +114,17 @@ static int input_init(void) + input_enable_userspace_hid(uhid_enabled); + } else + g_clear_error(&err); ++ ++ classic_bonded_only = g_key_file_get_boolean(config, "General", ++ "ClassicBondedOnly", &err); ++ ++ if (!err) { ++ DBG("input.conf: ClassicBondedOnly=%s", ++ classic_bonded_only ? "true" : "false"); ++ input_set_classic_bonded_only(classic_bonded_only); ++ } else ++ g_clear_error(&err); ++ + } + + btd_profile_register(&input_profile); +-- +2.21.1 + diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec index 33158b8..0d4ad22 100644 --- a/SPECS/bluez.spec +++ b/SPECS/bluez.spec @@ -1,7 +1,7 @@ Summary: Bluetooth utilities Name: bluez Version: 5.44 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: Applications/System URL: http://www.bluez.org/ @@ -21,7 +21,10 @@ Patch8: 0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch Patch9: 0001-device-Fix-crashing-when-connecting-ATT-over-BR-EDR.patch Patch10: 0002-device-Fix-crash-when-connecting-ATT-with-BR-EDR-onl.patch Patch11: 0001-core-Add-AlwaysPairable-to-main.conf.patch -Patch12: 0002-agent-Make-the-first-agent-to-register-the-default.patch +Patch12: 0002-agent-Make-the-first-agent-to-register-the-default.patch + +Patch13: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch +Patch14: 0002-HID-accepts-bonded-device-connections-only.patch %global _hardened_build 1 @@ -258,6 +261,9 @@ sed -i 's/#\[Policy\]$/\[Policy\]/; s/#AutoEnable=false/AutoEnable=false/' ${RPM %changelog +* Fri Apr 24 2020 Gopal Tiwari 5.44-7 +- fixing CVE-2020-0556 . + * Wed Jul 24 2019 Gopal Tiwari 5.44-6 - fixing CVE-2018-10910. Resolves: #1609340