Package: guix-patches;
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 12 Mar 2020 19:25:01 UTC
Severity: normal
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: help-debbugs <at> gnu.org (GNU bug Tracking System) To: Leo Famulari <leo <at> famulari.name> Subject: bug#40044: closed (Re: [PATCH] gnu: BlueZ: Fix CVE-2020-0556.) Date: Fri, 13 Mar 2020 23:26:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report #40044: BlueZ CVE-2020-0556 which was filed against the guix-patches package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 40044 <at> debbugs.gnu.org. -- 40044: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=40044 GNU Bug Tracking System Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name> To: 40044-done <at> debbugs.gnu.org Subject: Re: [PATCH] gnu: BlueZ: Fix CVE-2020-0556. Date: Fri, 13 Mar 2020 19:25:39 -0400On Thu, Mar 12, 2020 at 03:28:59PM -0400, Leo Famulari wrote: > * gnu/packages/patches/bluez-CVE-2020-0556.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/linux.scm (bluez)[replacement]: New field. > (bluez/fixed): New variable. Pushed as 364a1374ad5e04a91cdc29203f0c8073eede72d4. Thanks nckx for testing! > --- > gnu/local.mk | 1 + > gnu/packages/linux.scm | 9 + > .../patches/bluez-CVE-2020-0556.patch | 180 ++++++++++++++++++ > 3 files changed, 190 insertions(+) > create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 99baddea92..8e312e24e7 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -763,6 +763,7 @@ dist_patch_DATA = \ > %D%/packages/patches/binutils-loongson-workaround.patch \ > %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \ > %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ > + %D%/packages/patches/bluez-CVE-2020-0556.patch \ > %D%/packages/patches/byobu-writable-status.patch \ > %D%/packages/patches/calibre-no-updates-dialog.patch \ > %D%/packages/patches/calibre-remove-test-bs4.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index 01986222e8..0e84a1750e 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm > @@ -3994,6 +3994,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") > (define-public bluez > (package > (name "bluez") > + (replacement bluez/fixed) > (version "5.52") > (source (origin > (method url-fetch) > @@ -4059,6 +4060,14 @@ Bluetooth audio output devices like headphones or loudspeakers.") > is flexible, efficient and uses a modular implementation.") > (license license:gpl2+))) > > +(define bluez/fixed > + (package > + (inherit bluez) > + (source (origin > + (inherit (package-source bluez)) > + (patches (append (origin-patches (package-source bluez)) > + (search-patches "bluez-CVE-2020-0556.patch"))))))) > + > (define-public fuse-exfat > (package > (name "fuse-exfat") > diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch > new file mode 100644 > index 0000000000..7c34459a3a > --- /dev/null > +++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch > @@ -0,0 +1,180 @@ > +Fix CVE-2020-0556: > + > +https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm <at> chromium.org/ > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html > +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 > + > +Patches copied from upstream source repository: > + > +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 > +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 > + > +From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 > +From: Alain Michaud <alainm <at> chromium.org> > +Date: Tue, 10 Mar 2020 02:35:18 +0000 > +Subject: [PATCH] HID accepts bonded device connections only. > + > +This change adds a configuration for platforms to choose a more secure > +posture for the HID profile. While some older mice are known to not > +support pairing or encryption, some platform may choose a more secure > +posture by requiring the device to be bonded and require the > +connection to be encrypted when bonding is required. > + > +Reference: > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html > +--- > + profiles/input/device.c | 23 ++++++++++++++++++++++- > + profiles/input/device.h | 1 + > + profiles/input/input.conf | 8 ++++++++ > + profiles/input/manager.c | 13 ++++++++++++- > + 4 files changed, 43 insertions(+), 2 deletions(-) > + > +diff --git a/profiles/input/device.c b/profiles/input/device.c > +index 2cb3811c8..d89da2d7c 100644 > +--- a/profiles/input/device.c > ++++ b/profiles/input/device.c > +@@ -92,6 +92,7 @@ struct input_device { > + > + static int idle_timeout = 0; > + static bool uhid_enabled = false; > ++static bool classic_bonded_only = false; > + > + void input_set_idle_timeout(int timeout) > + { > +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) > + uhid_enabled = state; > + } > + > ++void input_set_classic_bonded_only(bool state) > ++{ > ++ classic_bonded_only = state; > ++} > ++ > + static void input_device_enter_reconnect_mode(struct input_device *idev); > + static int connection_disconnect(struct input_device *idev, uint32_t flags); > + > +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) > + if (device_name_known(idev->device)) > + device_get_name(idev->device, req->name, sizeof(req->name)); > + > ++ /* Make sure the device is bonded if required */ > ++ if (classic_bonded_only && !device_is_bonded(idev->device, > ++ btd_device_get_bdaddr_type(idev->device))) { > ++ error("Rejected connection from !bonded device %s", dst_addr); > ++ goto cleanup; > ++ } > ++ > + /* Encryption is mandatory for keyboards */ > +- if (req->subclass & 0x40) { > ++ /* Some platforms may choose to require encryption for all devices */ > ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ > ++ /* device is encrypted by default by the lower layers */ > ++ if (classic_bonded_only || req->subclass & 0x40) { > + if (!bt_io_set(idev->intr_io, &gerr, > + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, > + BT_IO_OPT_INVALID)) { > +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) > + DBG("path=%s reconnect_mode=%s", idev->path, > + reconnect_mode_to_string(idev->reconnect_mode)); > + > ++ /* Make sure the device is bonded if required */ > ++ if (classic_bonded_only && !device_is_bonded(idev->device, > ++ btd_device_get_bdaddr_type(idev->device))) > ++ return; > ++ > + /* Only attempt an auto-reconnect when the device is required to > + * accept reconnections from the host. > + */ > +diff --git a/profiles/input/device.h b/profiles/input/device.h > +index 51a9aee18..3044db673 100644 > +--- a/profiles/input/device.h > ++++ b/profiles/input/device.h > +@@ -29,6 +29,7 @@ struct input_conn; > + > + void input_set_idle_timeout(int timeout); > + void input_enable_userspace_hid(bool state); > ++void input_set_classic_bonded_only(bool state); > + > + int input_device_register(struct btd_service *service); > + void input_device_unregister(struct btd_service *service); > +diff --git a/profiles/input/input.conf b/profiles/input/input.conf > +index 3e1d65aae..166aff4a4 100644 > +--- a/profiles/input/input.conf > ++++ b/profiles/input/input.conf > +@@ -11,3 +11,11 @@ > + # Enable HID protocol handling in userspace input profile > + # Defaults to false (HIDP handled in HIDP kernel module) > + #UserspaceHID=true > ++ > ++# Limit HID connections to bonded devices > ++# The HID Profile does not specify that devices must be bonded, however some > ++# platforms may want to make sure that input connections only come from bonded > ++# device connections. Several older mice have been known for not supporting > ++# pairing/encryption. > ++# Defaults to false to maximize device compatibility. > ++#ClassicBondedOnly=true > +diff --git a/profiles/input/manager.c b/profiles/input/manager.c > +index 1d31b0652..5cd27b839 100644 > +--- a/profiles/input/manager.c > ++++ b/profiles/input/manager.c > +@@ -96,7 +96,7 @@ static int input_init(void) > + config = load_config_file(CONFIGDIR "/input.conf"); > + if (config) { > + int idle_timeout; > +- gboolean uhid_enabled; > ++ gboolean uhid_enabled, classic_bonded_only; > + > + idle_timeout = g_key_file_get_integer(config, "General", > + "IdleTimeout", &err); > +@@ -114,6 +114,17 @@ static int input_init(void) > + input_enable_userspace_hid(uhid_enabled); > + } else > + g_clear_error(&err); > ++ > ++ classic_bonded_only = g_key_file_get_boolean(config, "General", > ++ "ClassicBondedOnly", &err); > ++ > ++ if (!err) { > ++ DBG("input.conf: ClassicBondedOnly=%s", > ++ classic_bonded_only ? "true" : "false"); > ++ input_set_classic_bonded_only(classic_bonded_only); > ++ } else > ++ g_clear_error(&err); > ++ > + } > + > + btd_profile_register(&input_profile); > +-- > +2.25.1 > + > +From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 > +From: Alain Michaud <alainm <at> chromium.org> > +Date: Tue, 10 Mar 2020 02:35:16 +0000 > +Subject: [PATCH] HOGP must only accept data from bonded devices. > + > +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. > + > +Reference: > +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm > +--- > + profiles/input/hog.c | 4 ++++ > + 1 file changed, 4 insertions(+) > + > +diff --git a/profiles/input/hog.c b/profiles/input/hog.c > +index 83c017dcb..dfac68921 100644 > +--- a/profiles/input/hog.c > ++++ b/profiles/input/hog.c > +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) > + return -EINVAL; > + } > + > ++ /* HOGP 1.0 Section 6.1 requires bonding */ > ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) > ++ return -ECONNREFUSED; > ++ > + /* TODO: Replace GAttrib with bt_gatt_client */ > + bt_hog_attach(dev->hog, attrib); > + > +-- > +2.25.1 > + > -- > 2.25.1 >
[Message part 3 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name> To: guix-patches <at> gnu.org Subject: BlueZ CVE-2020-0556 Date: Thu, 12 Mar 2020 15:24:14 -0400There's some kind of privilege escalation bug in BlueZ: https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm <at> chromium.org/ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html They released 5.53, so here are patches that graft the update or graft just the upstream patches.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.