- add CVE-2023-45866.patch (CVE-2023-45866, bsc#1217877)

OBS-URL: https://build.opensuse.org/package/show/Base:System/bluez?expand=0&rev=356

CVE-2023-45866.patch

@@ -0,0 +1,50 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 4a50ea9921..4310dd192e 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -81,7 +81,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc561f..d8645f3dd6 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+ 
+ # LE upgrade security
+-- 
+cgit 1.2.3-korg
+

bluez.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Dec 13 09:34:20 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- add CVE-2023-45866.patch (CVE-2023-45866, bsc#1217877)
+
 -------------------------------------------------------------------
 Mon Nov  6 21:20:03 UTC 2023 - Dirk Müller <dmueller@suse.com>
 

bluez.spec

@@ -66,6 +66,8 @@ Patch14:        hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
 Patch15:        hcidump-Fix-memory-leak-with-malformed-packet.patch
 # bsc#1013712 CVE-2016-9798
 Patch16:        hcidump-Fixed-malformed-segment-frame-length.patch
+# PATCH-FIX-UPSTREAM: https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
+Patch17:        CVE-2023-45866.patch
 # Upstream suggests to use btmon instead of hcidump and does not want those patches
 # => PATCH-FIX-OPENSUSE for those two :-)
 # fix some memory leak with malformed packet (reported upstream but not yet fixed)