Commit e61670a8 authored by Leo's avatar Leo

main/bluez: fix CVE-2020-0556

see #11328
parent 506fdf8e
Pipeline #10722 failed with stages
in 127 minutes and 35 seconds
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bluez
pkgver=5.49
pkgrel=2
pkgrel=3
pkgdesc="Tools for the Bluetooth protocol stack"
url="http://www.bluez.org/"
arch="all"
......@@ -24,9 +24,14 @@ source="http://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz
bluez-5.40-obexd_without_systemd-1.patch
disable-lock-test.patch
fix-endianness.patch
CVE-2020-0556.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 5.49-r3:
# - CVE-2020-0556
build() {
cd "$builddir"
./configure \
......@@ -110,7 +115,6 @@ obexd() {
mkdir -p "$subpkgdir"/usr/lib/bluetooth
mv "$pkgdir"/usr/lib/bluetooth/obexd "$subpkgdir"/usr/lib/bluetooth
}
sha512sums="bc2988649420232b92e2c6836857027369f05ace005972f575ed0601c02cc97a07a3b7a0707a8bad72be73df7e8096c8bf023530443556e87c2ccb667981b37d bluez-5.49.tar.xz
fc43c78ed248ea412529eed5ae8bb47bacca9bf5b3b10de121ddd4e792c85893561a88be4aa2c6318106e5d2146a721445152d44fa60ca257ca0b4eb87318c1e bluetooth.initd
8d7b7c8938a2316ce0a855e9bdf1ef8fcdf33d23f4011df828270a088b88b140a19c432e83fef15355d0829e3c86be05b63e7718fef88563254ea239b8dc12ac rfcomm.initd
......@@ -121,4 +125,5 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d
42ac04044a8c66e07487598b3a75ef52efc32999ebce4e7c63f6198e2f603f4a1442e74600e43a0938cb4f52d4db0298aa99050b18144b84990cda71748e9de5 004-Move-the-43xx-firmware-into-lib-firmware.patch
41ce7ccf78cca97563f0ef31e01dac6eb4484c24fe57be360b5e8de8c5bff5845e9d395766f891bd3f123788344456c88c9fc00cd1bb7c6a1dca89d09f19172b bluez-5.40-obexd_without_systemd-1.patch
04c4889372c8e790bb338dde7ffa76dc32fcf7370025c71b9184fcf17fd01ade4a6613d84d648303af3bbc54043ad489f29fc0cd4679ec8c9029dcb846d7e026 disable-lock-test.patch
118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch"
118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch
1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch"
This is the result of applying the following 4 commits in the order presented:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e
diff --git a/profiles/input/device.c b/profiles/input/device.c
index a711ef5..075b139 100644
--- a/profiles/input/device.c
+++ b/profiles/input/device.c
@@ -92,6 +92,7 @@ struct input_device {
static int idle_timeout = 0;
static bool uhid_enabled = false;
+static bool classic_bonded_only = false;
void input_set_idle_timeout(int timeout)
{
@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
uhid_enabled = state;
}
+void input_set_classic_bonded_only(bool state)
+{
+ classic_bonded_only = state;
+}
+
static void input_device_enter_reconnect_mode(struct input_device *idev);
static int connection_disconnect(struct input_device *idev, uint32_t flags);
@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
if (device_name_known(idev->device))
device_get_name(idev->device, req->name, sizeof(req->name));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device))) {
+ error("Rejected connection from !bonded device %s", dst_addr);
+ goto cleanup;
+ }
+
/* Encryption is mandatory for keyboards */
- if (req->subclass & 0x40) {
+ /* Some platforms may choose to require encryption for all devices */
+ /* Note that this only matters for pre 2.1 devices as otherwise the */
+ /* device is encrypted by default by the lower layers */
+ if (classic_bonded_only || req->subclass & 0x40) {
if (!bt_io_set(idev->intr_io, &gerr,
BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
BT_IO_OPT_INVALID)) {
@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
DBG("path=%s reconnect_mode=%s", idev->path,
reconnect_mode_to_string(idev->reconnect_mode));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device)))
+ return;
+
/* Only attempt an auto-reconnect when the device is required to
* accept reconnections from the host.
*/
diff --git a/profiles/input/device.h b/profiles/input/device.h
index 51a9aee..5a077f9 100644
--- a/profiles/input/device.h
+++ b/profiles/input/device.h
@@ -29,6 +29,8 @@ struct input_conn;
void input_set_idle_timeout(int timeout);
void input_enable_userspace_hid(bool state);
+void input_set_classic_bonded_only(bool state);
+void input_set_auto_sec(bool state);
int input_device_register(struct btd_service *service);
void input_device_unregister(struct btd_service *service);
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index 83c017d..327a1d1 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -49,8 +49,11 @@
#include "src/shared/util.h"
#include "src/shared/uhid.h"
#include "src/shared/queue.h"
+#include "src/shared/att.h"
+#include "src/shared/gatt-client.h"
#include "src/plugin.h"
+#include "device.h"
#include "suspend.h"
#include "attrib/att.h"
#include "attrib/gattrib.h"
@@ -65,8 +68,14 @@ struct hog_device {
};
static gboolean suspend_supported = FALSE;
+static bool auto_sec = true;
static struct queue *devices = NULL;
+void input_set_auto_sec(bool state)
+{
+ auto_sec = state;
+}
+
static void hog_device_accept(struct hog_device *dev, struct gatt_db *db)
{
char name[248];
@@ -186,6 +195,19 @@ static int hog_accept(struct btd_service *service)
return -EINVAL;
}
+ /* HOGP 1.0 Section 6.1 requires bonding */
+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
+ struct bt_gatt_client *client;
+
+ if (!auto_sec)
+ return -ECONNREFUSED;
+
+ client = btd_device_get_gatt_client(device);
+ if (!bt_gatt_client_set_security(client,
+ BT_ATT_SECURITY_MEDIUM))
+ return -ECONNREFUSED;
+ }
+
/* TODO: Replace GAttrib with bt_gatt_client */
bt_hog_attach(dev->hog, attrib);
diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 3e1d65a..4c70bc5 100644
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -11,3 +11,16 @@
# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true
+
+# Limit HID connections to bonded devices
+# The HID Profile does not specify that devices must be bonded, however some
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+# Defaults to false to maximize device compatibility.
+#ClassicBondedOnly=true
+
+# LE upgrade security
+# Enables upgrades of security automatically if required.
+# Defaults to true to maximize device compatibility.
+#LEAutoSecurity=true
diff --git a/profiles/input/manager.c b/profiles/input/manager.c
index 1d31b06..bf4acb4 100644
--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
@@ -96,7 +96,7 @@ static int input_init(void)
config = load_config_file(CONFIGDIR "/input.conf");
if (config) {
int idle_timeout;
- gboolean uhid_enabled;
+ gboolean uhid_enabled, classic_bonded_only, auto_sec;
idle_timeout = g_key_file_get_integer(config, "General",
"IdleTimeout", &err);
@@ -114,6 +114,26 @@ static int input_init(void)
input_enable_userspace_hid(uhid_enabled);
} else
g_clear_error(&err);
+
+ classic_bonded_only = g_key_file_get_boolean(config, "General",
+ "ClassicBondedOnly", &err);
+
+ if (!err) {
+ DBG("input.conf: ClassicBondedOnly=%s",
+ classic_bonded_only ? "true" : "false");
+ input_set_classic_bonded_only(classic_bonded_only);
+ } else
+ g_clear_error(&err);
+
+ auto_sec = g_key_file_get_boolean(config, "General",
+ "LEAutoSecurity", &err);
+ if (!err) {
+ DBG("input.conf: LEAutoSecurity=%s",
+ auto_sec ? "true" : "false");
+ input_set_auto_sec(auto_sec);
+ } else
+ g_clear_error(&err);
+
}
btd_profile_register(&input_profile);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment