Subject: [bug#40044] BlueZ CVE-2020-0556
From: Leo Famulari
To: 40044@debbugs.gnu.org
Date: Thu, 12 Mar 2020 15:24:14 -0400
Message-ID: <20200312192414.GA28117@jasmine.lan>

There's some kind of privilege escalation bug in BlueZ:

https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

They released 5.53, so here are patches that graft the update or graft just the upstream patches.

Subject: [bug#40044] [PATCH] gnu: BlueZ: Fix CVE-2020-0556.
From: Leo Famulari
To: 40044@debbugs.gnu.org
Date: Thu, 12 Mar 2020 15:28:59 -0400
In-Reply-To: <20200312192414.GA28117@jasmine.lan>

* gnu/packages/patches/bluez-CVE-2020-0556.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (bluez)[replacement]: New field.
(bluez/fixed): New variable.
--- gnu/local.mk | 1 + gnu/packages/linux.scm | 9 + .../patches/bluez-CVE-2020-0556.patch | 180 ++++++++++++++++++ 3 files changed, 190 insertions(+) create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch
diff --git a/gnu/local.mk b/gnu/local.mk index 99baddea92..8e312e24e7 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -763,6 +763,7 @@ dist_patch_DATA = \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \ %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ + %D%/packages/patches/bluez-CVE-2020-0556.patch \ %D%/packages/patches/byobu-writable-status.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-bs4.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 01986222e8..0e84a1750e 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -3994,6 +3994,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") (define-public bluez (package (name "bluez") + (replacement bluez/fixed) (version "5.52") (source (origin (method url-fetch) @@ -4059,6 +4060,14 @@ Bluetooth audio output devices like headphones or loudspeakers.") is flexible, efficient and uses a modular implementation.") (license license:gpl2+))) +(define bluez/fixed + (package + (inherit bluez) + (source (origin + (inherit (package-source bluez)) + (patches (append (origin-patches (package-source bluez)) + (search-patches "bluez-CVE-2020-0556.patch"))))))) + (define-public fuse-exfat (package (name "fuse-exfat") diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch new file mode 100644 index 0000000000..7c34459a3a --- /dev/null +++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch 
@@ -0,0 +1,180 @@ +Fix CVE-2020-0556: + +https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 + +Patches copied from upstream source repository: + +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 + +From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:18 +0000 +Subject: [PATCH] HID accepts bonded device connections only. + +This change adds a configuration for platforms to choose a more secure +posture for the HID profile. While some older mice are known to not +support pairing or encryption, some platform may choose a more secure +posture by requiring the device to be bonded and require the +connection to be encrypted when bonding is required. 
+ +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +--- + profiles/input/device.c | 23 ++++++++++++++++++++++- + profiles/input/device.h | 1 + + profiles/input/input.conf | 8 ++++++++ + profiles/input/manager.c | 13 ++++++++++++- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 2cb3811c8..d89da2d7c 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -92,6 +92,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; ++static bool classic_bonded_only = false; + + void input_set_idle_timeout(int timeout) + { +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) + uhid_enabled = state; + } + ++void input_set_classic_bonded_only(bool state) ++{ ++ classic_bonded_only = state; ++} ++ + static void input_device_enter_reconnect_mode(struct input_device *idev); + static int connection_disconnect(struct input_device *idev, uint32_t flags); + +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) + if (device_name_known(idev->device)) + device_get_name(idev->device, req->name, sizeof(req->name)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) { ++ error("Rejected connection from !bonded device %s", dst_addr); ++ goto cleanup; ++ } ++ + /* Encryption is mandatory for keyboards */ +- if (req->subclass & 0x40) { ++ /* Some platforms may choose to require encryption for all devices */ ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ ++ /* device is encrypted by default by the lower layers */ ++ if (classic_bonded_only || req->subclass & 0x40) { + if (!bt_io_set(idev->intr_io, &gerr, + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, + BT_IO_OPT_INVALID)) { +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) + DBG("path=%s reconnect_mode=%s", idev->path, + reconnect_mode_to_string(idev->reconnect_mode)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) ++ return; ++ + /* Only attempt an auto-reconnect when the device is required to + * accept reconnections from the host. + */ +diff --git a/profiles/input/device.h b/profiles/input/device.h +index 51a9aee18..3044db673 100644 +--- a/profiles/input/device.h ++++ b/profiles/input/device.h +@@ -29,6 +29,7 @@ struct input_conn; + + void input_set_idle_timeout(int timeout); + void input_enable_userspace_hid(bool state); ++void input_set_classic_bonded_only(bool state); + + int input_device_register(struct btd_service *service); + void input_device_unregister(struct btd_service *service); +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 3e1d65aae..166aff4a4 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -11,3 +11,11 @@ + # Enable HID protocol handling in userspace input profile + # Defaults to false (HIDP handled in HIDP kernel module) + #UserspaceHID=true ++ ++# Limit HID connections to bonded devices ++# The HID Profile does not specify that devices must be bonded, however some ++# platforms may want to make sure that input connections only come from bonded ++# device connections. Several older mice have been known for not supporting ++# pairing/encryption. ++# Defaults to false to maximize device compatibility. 
++#ClassicBondedOnly=true +diff --git a/profiles/input/manager.c b/profiles/input/manager.c +index 1d31b0652..5cd27b839 100644 +--- a/profiles/input/manager.c ++++ b/profiles/input/manager.c +@@ -96,7 +96,7 @@ static int input_init(void) + config = load_config_file(CONFIGDIR "/input.conf"); + if (config) { + int idle_timeout; +- gboolean uhid_enabled; ++ gboolean uhid_enabled, classic_bonded_only; + + idle_timeout = g_key_file_get_integer(config, "General", + "IdleTimeout", &err); +@@ -114,6 +114,17 @@ static int input_init(void) + input_enable_userspace_hid(uhid_enabled); + } else + g_clear_error(&err); ++ ++ classic_bonded_only = g_key_file_get_boolean(config, "General", ++ "ClassicBondedOnly", &err); ++ ++ if (!err) { ++ DBG("input.conf: ClassicBondedOnly=%s", ++ classic_bonded_only ? "true" : "false"); ++ input_set_classic_bonded_only(classic_bonded_only); ++ } else ++ g_clear_error(&err); ++ + } + + btd_profile_register(&input_profile); +-- +2.25.1 + +From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:16 +0000 +Subject: [PATCH] HOGP must only accept data from bonded devices. + +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. 
+ +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm +--- + profiles/input/hog.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index 83c017dcb..dfac68921 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) + return -EINVAL; + } + ++ /* HOGP 1.0 Section 6.1 requires bonding */ ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) ++ return -ECONNREFUSED; ++ + /* TODO: Replace GAttrib with bt_gatt_client */ + bt_hog_attach(dev->hog, attrib); + +-- +2.25.1 + -- 2.25.1
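
Review bot: In the `profiles/input/input.conf` hunk of the embedded upstream patch, `ClassicBondedOnly` is left commented out and documented as defaulting to false, and `profiles/input/device.c` initializes `classic_bonded_only = false`, so the `bluez/fixed` graft on its own still accepts classic HID connections from unbonded devices; only the HOGP check in `hog.c` is unconditional. Say so in a comment next to `bluez/fixed` in `gnu/packages/linux.scm` or at the top of `bluez-CVE-2020-0556.patch`, so users know they have to set `ClassicBondedOnly=true` in `input.conf` to get the stricter behaviour.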
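
Review bot: In the `input_init` hunk of `profiles/input/manager.c`, any error from `g_key_file_get_boolean(config, "General", "ClassicBondedOnly", &err)` is dropped with `g_clear_error(&err)`, so a value that fails to parse is handled exactly like an absent key and the permissive default stays in force with no log line. For a security setting, log when `err` is set for a reason other than the key being missing, so a typo in `input.conf` does not silently leave the bonding check off.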
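
Review bot: In the `hog_accept` hunk of `profiles/input/hog.c`, the new branch returns `-ECONNREFUSED` without logging anything, while the matching rejection in `hidp_add_connection` calls `error("Rejected connection from !bonded device %s", dst_addr)`. Add a log line here as well, so refused HOGP attaches from unbonded devices show up in the daemon log and can be monitored.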

Subject: [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes].
From: Leo Famulari
To: 40044@debbugs.gnu.org
Date: Thu, 12 Mar 2020 15:29:40 -0400
In-Reply-To: <20200312192414.GA28117@jasmine.lan>

Apparently this fixes a privilege escalation bug:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

* gnu/packages/linux.scm (bluez-5.53): New variable.
(bluez)[replacement]: New field.
--- gnu/packages/linux.scm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 01986222e8..61b02591a4 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -3995,6 +3995,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") (package (name "bluez") (version "5.52") + (replacement bluez-5.53) (source (origin (method url-fetch) (uri (string-append
@@ -4059,6 +4060,19 @@ Bluetooth audio output devices like headphones or loudspeakers.") is flexible, efficient and uses a modular implementation.") (license license:gpl2+))) +(define bluez-5.53 + (package + (inherit bluez) + (version "5.53") + (source (origin + (method url-fetch) + (uri (string-append + "mirror://kernel.org/linux/bluetooth/bluez-" + version ".tar.xz")) + (sha256 + (base32 + "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq")))))) + (define-public fuse-exfat (package (name "fuse-exfat") -- 2.25.1
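
Review bot: In the `bluez-5.53` definition added to `gnu/packages/linux.scm`, the `origin` is built from scratch rather than inheriting `(package-source bluez)`, so any `patches` or `snippet` on the 5.52 origin would not carry over to the replacement; if the base package has any, inherit the origin and override only `uri` and `sha256`. The commit message also says only that the release "apparently" fixes the bug and nothing in this hunk applies a patch, so confirm that the 5.53 tarball contains the fix named in the advisory before grafting it in.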

Subject: [bug#40044] [PATCH] gnu: BlueZ: Update to 5.53 [security fixes].
From: Leo Famulari
To: 40044@debbugs.gnu.org
Date: Fri, 13 Mar 2020 12:26:18 -0400
Message-ID: <20200313162618.GA28634@jasmine.lan>

On Thu, Mar 12, 2020 at 03:29:40PM -0400, Leo Famulari wrote:
> Apparently this fixes a privilege escalation bug:
>
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
>
> * gnu/packages/linux.scm (bluez-5.53): New variable.
> (bluez)[replacement]: New field.

Intel and I were mistaken — the bug fix is not included in the 5.53 release. So this patch should be disregarded.

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#40044: closed (Re: [PATCH] gnu: BlueZ: Fix CVE-2020-0556.)
Date: Fri, 13 Mar 2020 23:26:02 +0000

Your bug report

#40044: BlueZ CVE-2020-0556

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 40044@debbugs.gnu.org.

-- 
40044: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=40044
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Leo Famulari
To: 40044-done@debbugs.gnu.org
Subject: Re: [PATCH] gnu: BlueZ: Fix CVE-2020-0556.
Date: Fri, 13 Mar 2020 19:25:39 -0400
Message-ID: <20200313232539.GA13273@jasmine.lan>

On Thu, Mar 12, 2020 at 03:28:59PM -0400, Leo Famulari wrote:
> * gnu/packages/patches/bluez-CVE-2020-0556.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (bluez)[replacement]: New field.
> (bluez/fixed): New variable.

Pushed as 364a1374ad5e04a91cdc29203f0c8073eede72d4. Thanks nckx for testing!

> --- > gnu/local.mk | 1 + > gnu/packages/linux.scm | 9 + > .../patches/bluez-CVE-2020-0556.patch | 180 ++++++++++++++++++ > 3 files changed, 190 insertions(+) > create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 99baddea92..8e312e24e7 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -763,6 +763,7 @@ dist_patch_DATA = \ > %D%/packages/patches/binutils-loongson-workaround.patch \ > %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \ > %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ > + %D%/packages/patches/bluez-CVE-2020-0556.patch \ > %D%/packages/patches/byobu-writable-status.patch \ > %D%/packages/patches/calibre-no-updates-dialog.patch \ > %D%/packages/patches/calibre-remove-test-bs4.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index 01986222e8..0e84a1750e 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm
> @@ -3994,6 +3994,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") > (define-public bluez > (package > (name "bluez") > + (replacement bluez/fixed) > (version "5.52") > (source (origin > (method url-fetch) > @@ -4059,6 +4060,14 @@ Bluetooth audio output devices like headphones or loudspeakers.") > is flexible, efficient and uses a modular implementation.") > (license license:gpl2+))) > > +(define bluez/fixed > + (package > + (inherit bluez) > + (source (origin > + (inherit (package-source bluez)) > + (patches (append (origin-patches (package-source bluez)) > + (search-patches "bluez-CVE-2020-0556.patch"))))))) > + > (define-public fuse-exfat > (package > (name "fuse-exfat") > diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch > new file mode 100644 > index 0000000000..7c34459a3a > --- /dev/null > +++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch 
> @@ -0,0 +1,180 @@ > +Fix CVE-2020-0556: > + > +https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html > +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 > + > +Patches copied from upstream source repository: > + > +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 > +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 > + > +From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 > +From: Alain Michaud > +Date: Tue, 10 Mar 2020 02:35:18 +0000 > +Subject: [PATCH] HID accepts bonded device connections only. > + > +This change adds a configuration for platforms to choose a more secure > +posture for the HID profile. While some older mice are known to not > +support pairing or encryption, some platform may choose a more secure > +posture by requiring the device to be bonded and require the > +connection to be encrypted when bonding is required. 
> + > +Reference: > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html > +--- > + profiles/input/device.c | 23 ++++++++++++++++++++++- > + profiles/input/device.h | 1 + > + profiles/input/input.conf | 8 ++++++++ > + profiles/input/manager.c | 13 ++++++++++++- > + 4 files changed, 43 insertions(+), 2 deletions(-) > + > +diff --git a/profiles/input/device.c b/profiles/input/device.c > +index 2cb3811c8..d89da2d7c 100644 > +--- a/profiles/input/device.c > ++++ b/profiles/input/device.c > +@@ -92,6 +92,7 @@ struct input_device { > + > + static int idle_timeout = 0; > + static bool uhid_enabled = false; > ++static bool classic_bonded_only = false; > + > + void input_set_idle_timeout(int timeout) > + { > +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) > + uhid_enabled = state; > + } > + > ++void input_set_classic_bonded_only(bool state) > ++{ > ++ classic_bonded_only = state; > ++} > ++ > + static void input_device_enter_reconnect_mode(struct input_device *idev); > + static int connection_disconnect(struct input_device *idev, uint32_t flags); > + > +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) > + if (device_name_known(idev->device)) > + device_get_name(idev->device, req->name, sizeof(req->name)); > + > ++ /* Make sure the device is bonded if required */ > ++ if (classic_bonded_only && !device_is_bonded(idev->device, > ++ btd_device_get_bdaddr_type(idev->device))) { > ++ error("Rejected connection from !bonded device %s", dst_addr); > ++ goto cleanup; > ++ } > ++ > + /* Encryption is mandatory for keyboards */ > +- if (req->subclass & 0x40) { > ++ /* Some platforms may choose to require encryption for all devices */ > ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ > ++ /* device is encrypted by default by the lower layers */ > ++ if (classic_bonded_only || req->subclass & 0x40) { > + if (!bt_io_set(idev->intr_io, &gerr, > + BT_IO_OPT_SEC_LEVEL, 
BT_IO_SEC_MEDIUM, > + BT_IO_OPT_INVALID)) { > +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) > + DBG("path=%s reconnect_mode=%s", idev->path, > + reconnect_mode_to_string(idev->reconnect_mode)); > + > ++ /* Make sure the device is bonded if required */ > ++ if (classic_bonded_only && !device_is_bonded(idev->device, > ++ btd_device_get_bdaddr_type(idev->device))) > ++ return; > ++ > + /* Only attempt an auto-reconnect when the device is required to > + * accept reconnections from the host. > + */ > +diff --git a/profiles/input/device.h b/profiles/input/device.h > +index 51a9aee18..3044db673 100644 > +--- a/profiles/input/device.h > ++++ b/profiles/input/device.h > +@@ -29,6 +29,7 @@ struct input_conn; > + > + void input_set_idle_timeout(int timeout); > + void input_enable_userspace_hid(bool state); > ++void input_set_classic_bonded_only(bool state); > + > + int input_device_register(struct btd_service *service); > + void input_device_unregister(struct btd_service *service); > +diff --git a/profiles/input/input.conf b/profiles/input/input.conf > +index 3e1d65aae..166aff4a4 100644 > +--- a/profiles/input/input.conf > ++++ b/profiles/input/input.conf > +@@ -11,3 +11,11 @@ > + # Enable HID protocol handling in userspace input profile > + # Defaults to false (HIDP handled in HIDP kernel module) > + #UserspaceHID=true > ++ > ++# Limit HID connections to bonded devices > ++# The HID Profile does not specify that devices must be bonded, however some > ++# platforms may want to make sure that input connections only come from bonded > ++# device connections. Several older mice have been known for not supporting > ++# pairing/encryption. > ++# Defaults to false to maximize device compatibility. 
> ++#ClassicBondedOnly=true > +diff --git a/profiles/input/manager.c b/profiles/input/manager.c > +index 1d31b0652..5cd27b839 100644 > +--- a/profiles/input/manager.c > ++++ b/profiles/input/manager.c > +@@ -96,7 +96,7 @@ static int input_init(void) > + config = load_config_file(CONFIGDIR "/input.conf"); > + if (config) { > + int idle_timeout; > +- gboolean uhid_enabled; > ++ gboolean uhid_enabled, classic_bonded_only; > + > + idle_timeout = g_key_file_get_integer(config, "General", > + "IdleTimeout", &err); > +@@ -114,6 +114,17 @@ static int input_init(void) > + input_enable_userspace_hid(uhid_enabled); > + } else > + g_clear_error(&err); > ++ > ++ classic_bonded_only = g_key_file_get_boolean(config, "General", > ++ "ClassicBondedOnly", &err); > ++ > ++ if (!err) { > ++ DBG("input.conf: ClassicBondedOnly=%s", > ++ classic_bonded_only ? "true" : "false"); > ++ input_set_classic_bonded_only(classic_bonded_only); > ++ } else > ++ g_clear_error(&err); > ++ > + } > + > + btd_profile_register(&input_profile); > +-- > +2.25.1 > + > +From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 > +From: Alain Michaud > +Date: Tue, 10 Mar 2020 02:35:16 +0000 > +Subject: [PATCH] HOGP must only accept data from bonded devices. > + > +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. 
> + > +Reference: > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm > +--- > + profiles/input/hog.c | 4 ++++ > + 1 file changed, 4 insertions(+) > + > +diff --git a/profiles/input/hog.c b/profiles/input/hog.c > +index 83c017dcb..dfac68921 100644 > +--- a/profiles/input/hog.c > ++++ b/profiles/input/hog.c > +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) > + return -EINVAL; > + } > + > ++ /* HOGP 1.0 Section 6.1 requires bonding */ > ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) > ++ return -ECONNREFUSED; > ++ > + /* TODO: Replace GAttrib with bt_gatt_client */ > + bt_hog_attach(dev->hog, attrib); > + > +-- > +2.25.1 > + > -- > 2.25.1 >
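Review bot: the header of gnu/packages/patches/bluez-CVE-2020-0556.patch says only "Fix CVE-2020-0556", but the first upstream commit it carries is opt-in: classic_bonded_only is initialised to false and the input.conf entry is shipped commented out (#ClassicBondedOnly=true). With this graft only the hog.c check is active by default. Suggest saying so in the patch header, so that whoever reads the package definition knows classic HID connections from unbonded devices are still accepted unless ClassicBondedOnly=true is set in input.conf.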
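Review bot: in the hidp_add_connection hunk of profiles/input/device.c, the new rejection branch logs and does goto cleanup, but nothing in the lines shown sets a return code first. If the status variable still holds the success value from the preceding steps, the caller is told the connection was added. Suggest assigning a negative errno before the jump, for example -ECONNREFUSED as the hog.c hunk returns. Separately, if (classic_bonded_only || req->subclass & 0x40) is correct because & binds tighter than ||, but parentheses around req->subclass & 0x40 would make that obvious to the next reader.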
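Review bot: in the input_device_enter_reconnect_mode hunk of profiles/input/device.c, the unbonded case returns silently, while hidp_add_connection logs "Rejected connection from !bonded device". A DBG() line here would let someone reading the daemon log see why no auto-reconnect was attempted. The test classic_bonded_only && !device_is_bonded(idev->device, btd_device_get_bdaddr_type(idev->device)) is also now duplicated in two functions; a small static helper would keep the two call sites from drifting apart.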
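Review bot: the comment added to profiles/input/input.conf describes ClassicBondedOnly as limiting HID connections to bonded devices, but in device.c the same flag also takes the BT_IO_SEC_MEDIUM branch for every device rather than only for keyboards (classic_bonded_only || req->subclass & 0x40). Suggest stating that side effect in the comment, since it is what an administrator with an older mouse will run into after enabling the option.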
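Review bot: in the input_init hunk of profiles/input/manager.c, any error from g_key_file_get_boolean() is discarded with g_clear_error(&err), so a ClassicBondedOnly value that does not parse as a boolean is handled the same as a missing key and the bonded-only check silently stays off. For a security setting that fails open, suggest logging a warning when the error is anything other than a missing key (GLib reports that case as G_KEY_FILE_ERROR_KEY_NOT_FOUND). The hunk also leaves a stray blank line before the closing brace.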
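Review bot: in the hog_accept hunk of profiles/input/hog.c, the unbonded case returns -ECONNREFUSED with no log line, unlike the classic path in device.c, which calls error(). Suggest a matching error() or DBG() naming the device so that rejected HOGP attempts are visible in the daemon log. The Reference URL in this commit message also ends in .htm where the other commit and the Guix patch header use .html.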
Date: Thu, 12 Mar 2020 15:24:14 -0400
From: Leo Famulari
To: guix-patches@gnu.org
Subject: BlueZ CVE-2020-0556
Message-ID: <20200312192414.GA28117@jasmine.lan>

There's some kind of privilege escalation bug in BlueZ:

https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

They released 5.53, so here are patches that graft the update or graft just the upstream patches.