Package: guix-patches;
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 12 Mar 2020 19:25:01 UTC
Severity: normal
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: help-debbugs <at> gnu.org (GNU bug Tracking System) To: Leo Famulari <leo <at> famulari.name> Cc: tracker <at> debbugs.gnu.org Subject: bug#40044: closed (BlueZ CVE-2020-0556) Date: Fri, 13 Mar 2020 23:26:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Fri, 13 Mar 2020 19:25:39 -0400 with message-id <20200313232539.GA13273 <at> jasmine.lan> and subject line Re: [PATCH] gnu: BlueZ: Fix CVE-2020-0556. has caused the debbugs.gnu.org bug report #40044, regarding BlueZ CVE-2020-0556 to be marked as done. (If you believe you have received this mail in error, please contact help-debbugs <at> gnu.org.) -- 40044: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=40044 GNU Bug Tracking System Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name> To: guix-patches <at> gnu.org Subject: BlueZ CVE-2020-0556 Date: Thu, 12 Mar 2020 15:24:14 -0400There's some kind of privilege escalation bug in BlueZ: https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm <at> chromium.org/ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html They released 5.53, so here are patches that graft the update or graft just the upstream patches.
[Message part 3 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name> To: 40044-done <at> debbugs.gnu.org Subject: Re: [PATCH] gnu: BlueZ: Fix CVE-2020-0556. Date: Fri, 13 Mar 2020 19:25:39 -0400On Thu, Mar 12, 2020 at 03:28:59PM -0400, Leo Famulari wrote: > * gnu/packages/patches/bluez-CVE-2020-0556.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/linux.scm (bluez)[replacement]: New field. > (bluez/fixed): New variable. Pushed as 364a1374ad5e04a91cdc29203f0c8073eede72d4. Thanks nckx for testing! > --- > gnu/local.mk | 1 + > gnu/packages/linux.scm | 9 + > .../patches/bluez-CVE-2020-0556.patch | 180 ++++++++++++++++++ > 3 files changed, 190 insertions(+) > create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 99baddea92..8e312e24e7 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -763,6 +763,7 @@ dist_patch_DATA = \ > %D%/packages/patches/binutils-loongson-workaround.patch \ > %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \ > %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ > + %D%/packages/patches/bluez-CVE-2020-0556.patch \ > %D%/packages/patches/byobu-writable-status.patch \ > %D%/packages/patches/calibre-no-updates-dialog.patch \ > %D%/packages/patches/calibre-remove-test-bs4.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index 01986222e8..0e84a1750e 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm > @@ -3994,6 +3994,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") > (define-public bluez > (package > (name "bluez") > + (replacement bluez/fixed) > (version "5.52") > (source (origin > (method url-fetch) > @@ -4059,6 +4060,14 @@ Bluetooth audio output devices like headphones or loudspeakers.") > is flexible, efficient and uses a modular implementation.") > (license license:gpl2+))) > > +(define bluez/fixed > + (package > + (inherit bluez) > + (source (origin > + (inherit (package-source bluez)) > + (patches (append (origin-patches (package-source bluez)) > + (search-patches "bluez-CVE-2020-0556.patch"))))))) > + > (define-public fuse-exfat > (package > (name "fuse-exfat") > diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch > new file mode 100644 > index 0000000000..7c34459a3a > --- /dev/null > +++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch > @@ -0,0 +1,180 @@ > +Fix CVE-2020-0556: > + > +https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm <at> chromium.org/ > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html > +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 > + > +Patches copied from upstream source repository: > + > +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 > +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 > + > +From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 > +From: Alain Michaud <alainm <at> chromium.org> > +Date: Tue, 10 Mar 2020 02:35:18 +0000 > +Subject: [PATCH] HID accepts bonded device connections only. > + > +This change adds a configuration for platforms to choose a more secure > +posture for the HID profile. While some older mice are known to not > +support pairing or encryption, some platform may choose a more secure > +posture by requiring the device to be bonded and require the > +connection to be encrypted when bonding is required. > + > +Reference: > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html > +--- > + profiles/input/device.c | 23 ++++++++++++++++++++++- > + profiles/input/device.h | 1 + > + profiles/input/input.conf | 8 ++++++++ > + profiles/input/manager.c | 13 ++++++++++++- > + 4 files changed, 43 insertions(+), 2 deletions(-) > + > +diff --git a/profiles/input/device.c b/profiles/input/device.c > +index 2cb3811c8..d89da2d7c 100644 > +--- a/profiles/input/device.c > ++++ b/profiles/input/device.c > +@@ -92,6 +92,7 @@ struct input_device { > + > + static int idle_timeout = 0; > + static bool uhid_enabled = false; > ++static bool classic_bonded_only = false; > + > + void input_set_idle_timeout(int timeout) > + { > +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) > + uhid_enabled = state; > + } > + > ++void input_set_classic_bonded_only(bool state) > ++{ > ++ classic_bonded_only = state; > ++} > ++ > + static void input_device_enter_reconnect_mode(struct input_device *idev); > + static int connection_disconnect(struct input_device *idev, uint32_t flags); > + > +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) > + if (device_name_known(idev->device)) > + device_get_name(idev->device, req->name, sizeof(req->name)); > + > ++ /* Make sure the device is bonded if required */ > ++ if (classic_bonded_only && !device_is_bonded(idev->device, > ++ btd_device_get_bdaddr_type(idev->device))) { > ++ error("Rejected connection from !bonded device %s", dst_addr); > ++ goto cleanup; > ++ } > ++ > + /* Encryption is mandatory for keyboards */ > +- if (req->subclass & 0x40) { > ++ /* Some platforms may choose to require encryption for all devices */ > ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ > ++ /* device is encrypted by default by the lower layers */ > ++ if (classic_bonded_only || req->subclass & 0x40) { > + if (!bt_io_set(idev->intr_io, &gerr, > + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, > + BT_IO_OPT_INVALID)) { > +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) > + DBG("path=%s reconnect_mode=%s", idev->path, > + reconnect_mode_to_string(idev->reconnect_mode)); > + > ++ /* Make sure the device is bonded if required */ > ++ if (classic_bonded_only && !device_is_bonded(idev->device, > ++ btd_device_get_bdaddr_type(idev->device))) > ++ return; > ++ > + /* Only attempt an auto-reconnect when the device is required to > + * accept reconnections from the host. > + */ > +diff --git a/profiles/input/device.h b/profiles/input/device.h > +index 51a9aee18..3044db673 100644 > +--- a/profiles/input/device.h > ++++ b/profiles/input/device.h > +@@ -29,6 +29,7 @@ struct input_conn; > + > + void input_set_idle_timeout(int timeout); > + void input_enable_userspace_hid(bool state); > ++void input_set_classic_bonded_only(bool state); > + > + int input_device_register(struct btd_service *service); > + void input_device_unregister(struct btd_service *service); > +diff --git a/profiles/input/input.conf b/profiles/input/input.conf > +index 3e1d65aae..166aff4a4 100644 > +--- a/profiles/input/input.conf > ++++ b/profiles/input/input.conf > +@@ -11,3 +11,11 @@ > + # Enable HID protocol handling in userspace input profile > + # Defaults to false (HIDP handled in HIDP kernel module) > + #UserspaceHID=true > ++ > ++# Limit HID connections to bonded devices > ++# The HID Profile does not specify that devices must be bonded, however some > ++# platforms may want to make sure that input connections only come from bonded > ++# device connections. Several older mice have been known for not supporting > ++# pairing/encryption. > ++# Defaults to false to maximize device compatibility. > ++#ClassicBondedOnly=true > +diff --git a/profiles/input/manager.c b/profiles/input/manager.c > +index 1d31b0652..5cd27b839 100644 > +--- a/profiles/input/manager.c > ++++ b/profiles/input/manager.c > +@@ -96,7 +96,7 @@ static int input_init(void) > + config = load_config_file(CONFIGDIR "/input.conf"); > + if (config) { > + int idle_timeout; > +- gboolean uhid_enabled; > ++ gboolean uhid_enabled, classic_bonded_only; > + > + idle_timeout = g_key_file_get_integer(config, "General", > + "IdleTimeout", &err); > +@@ -114,6 +114,17 @@ static int input_init(void) > + input_enable_userspace_hid(uhid_enabled); > + } else > + g_clear_error(&err); > ++ > ++ classic_bonded_only = g_key_file_get_boolean(config, "General", > ++ "ClassicBondedOnly", &err); > ++ > ++ if (!err) { > ++ DBG("input.conf: ClassicBondedOnly=%s", > ++ classic_bonded_only ? "true" : "false"); > ++ input_set_classic_bonded_only(classic_bonded_only); > ++ } else > ++ g_clear_error(&err); > ++ > + } > + > + btd_profile_register(&input_profile); > +-- > +2.25.1 > + > +From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 > +From: Alain Michaud <alainm <at> chromium.org> > +Date: Tue, 10 Mar 2020 02:35:16 +0000 > +Subject: [PATCH] HOGP must only accept data from bonded devices. > + > +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. > + > +Reference: > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm > +--- > + profiles/input/hog.c | 4 ++++ > + 1 file changed, 4 insertions(+) > + > +diff --git a/profiles/input/hog.c b/profiles/input/hog.c > +index 83c017dcb..dfac68921 100644 > +--- a/profiles/input/hog.c > ++++ b/profiles/input/hog.c > +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) > + return -EINVAL; > + } > + > ++ /* HOGP 1.0 Section 6.1 requires bonding */ > ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) > ++ return -ECONNREFUSED; > ++ > + /* TODO: Replace GAttrib with bt_gatt_client */ > + bt_hog_attach(dev->hog, attrib); > + > +-- > +2.25.1 > + > -- > 2.25.1 >
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.