SHA256
1
0
forked from pool/bluez

Accepting request 787079 from home:seife:testing

update to bluez-5.54

OBS-URL: https://build.opensuse.org/request/show/787079
OBS-URL: https://build.opensuse.org/package/show/Base:System/bluez?expand=0&rev=290
This commit is contained in:
Stefan Seyfried 2020-03-21 09:00:30 +00:00 committed by Git OBS Bridge
parent b1e48279da
commit b061e3b3a7
8 changed files with 32 additions and 184 deletions

View File

@ -1,138 +0,0 @@
From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
From: Alain Michaud <alainm@chromium.org>
Date: Tue, 10 Mar 2020 02:35:18 +0000
Subject: [PATCH] HID accepts bonded device connections only.
This change adds a configuration for platforms to choose a more secure
posture for the HID profile. While some older mice are known to not
support pairing or encryption, some platform may choose a more secure
posture by requiring the device to be bonded and require the
connection to be encrypted when bonding is required.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
---
profiles/input/device.c | 23 ++++++++++++++++++++++-
profiles/input/device.h | 1 +
profiles/input/input.conf | 8 ++++++++
profiles/input/manager.c | 13 ++++++++++++-
4 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/profiles/input/device.c b/profiles/input/device.c
index 2cb3811c8..d89da2d7c 100644
--- a/profiles/input/device.c
+++ b/profiles/input/device.c
@@ -92,6 +92,7 @@ struct input_device {
static int idle_timeout = 0;
static bool uhid_enabled = false;
+static bool classic_bonded_only = false;
void input_set_idle_timeout(int timeout)
{
@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
uhid_enabled = state;
}
+void input_set_classic_bonded_only(bool state)
+{
+ classic_bonded_only = state;
+}
+
static void input_device_enter_reconnect_mode(struct input_device *idev);
static int connection_disconnect(struct input_device *idev, uint32_t flags);
@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
if (device_name_known(idev->device))
device_get_name(idev->device, req->name, sizeof(req->name));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device))) {
+ error("Rejected connection from !bonded device %s", dst_addr);
+ goto cleanup;
+ }
+
/* Encryption is mandatory for keyboards */
- if (req->subclass & 0x40) {
+ /* Some platforms may choose to require encryption for all devices */
+ /* Note that this only matters for pre 2.1 devices as otherwise the */
+ /* device is encrypted by default by the lower layers */
+ if (classic_bonded_only || req->subclass & 0x40) {
if (!bt_io_set(idev->intr_io, &gerr,
BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
BT_IO_OPT_INVALID)) {
@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
DBG("path=%s reconnect_mode=%s", idev->path,
reconnect_mode_to_string(idev->reconnect_mode));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device)))
+ return;
+
/* Only attempt an auto-reconnect when the device is required to
* accept reconnections from the host.
*/
diff --git a/profiles/input/device.h b/profiles/input/device.h
index 51a9aee18..3044db673 100644
--- a/profiles/input/device.h
+++ b/profiles/input/device.h
@@ -29,6 +29,7 @@ struct input_conn;
void input_set_idle_timeout(int timeout);
void input_enable_userspace_hid(bool state);
+void input_set_classic_bonded_only(bool state);
int input_device_register(struct btd_service *service);
void input_device_unregister(struct btd_service *service);
diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 3e1d65aae..166aff4a4 100644
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -11,3 +11,11 @@
# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true
+
+# Limit HID connections to bonded devices
+# The HID Profile does not specify that devices must be bonded, however some
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+# Defaults to false to maximize device compatibility.
+#ClassicBondedOnly=true
diff --git a/profiles/input/manager.c b/profiles/input/manager.c
index 1d31b0652..5cd27b839 100644
--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
@@ -96,7 +96,7 @@ static int input_init(void)
config = load_config_file(CONFIGDIR "/input.conf");
if (config) {
int idle_timeout;
- gboolean uhid_enabled;
+ gboolean uhid_enabled, classic_bonded_only;
idle_timeout = g_key_file_get_integer(config, "General",
"IdleTimeout", &err);
@@ -114,6 +114,17 @@ static int input_init(void)
input_enable_userspace_hid(uhid_enabled);
} else
g_clear_error(&err);
+
+ classic_bonded_only = g_key_file_get_boolean(config, "General",
+ "ClassicBondedOnly", &err);
+
+ if (!err) {
+ DBG("input.conf: ClassicBondedOnly=%s",
+ classic_bonded_only ? "true" : "false");
+ input_set_classic_bonded_only(classic_bonded_only);
+ } else
+ g_clear_error(&err);
+
}
btd_profile_register(&input_profile);
--
2.25.1

View File

@ -1,31 +0,0 @@
From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
From: Alain Michaud <alainm@chromium.org>
Date: Tue, 10 Mar 2020 02:35:16 +0000
Subject: [PATCH] HOGP must only accept data from bonded devices.
HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
---
profiles/input/hog.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index 83c017dcb..dfac68921 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
return -EINVAL;
}
+ /* HOGP 1.0 Section 6.1 requires bonding */
+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+ return -ECONNREFUSED;
+
/* TODO: Replace GAttrib with bt_gatt_client */
bt_hog_attach(dev->hog, attrib);
--
2.25.1

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f7144ce2039202cfac18ccb52426efea11c98e4f6e1bb8041bcb994b8378560a
size 1957504

3
bluez-5.54.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc
size 2003760

View File

@ -2,7 +2,7 @@ Index: b/Makefile.in
===================================================================
--- a/Makefile.in
+++ b/Makefile.in
@@ -3439,7 +3439,7 @@ unit_tests = $(am__append_54) unit/test-
@@ -3548,7 +3548,7 @@ unit_tests = $(am__append_54) unit/test-
@DEPRECATED_TRUE@@READLINE_TRUE@attrib_gatttool_LDADD = lib/libbluetooth-internal.la \
@DEPRECATED_TRUE@@READLINE_TRUE@ src/libshared-glib.la $(GLIB_LIBS) -lreadline
@ -15,7 +15,7 @@ Index: b/Makefile.tools
===================================================================
--- a/Makefile.tools
+++ b/Makefile.tools
@@ -441,7 +441,7 @@ endif
@@ -463,7 +463,7 @@ endif
endif
if CUPS

View File

@ -2,7 +2,7 @@ Index: b/Makefile.am
===================================================================
--- a/Makefile.am
+++ b/Makefile.am
@@ -481,7 +481,8 @@ unit_test_lib_SOURCES = unit/test-lib.c
@@ -497,7 +497,8 @@ unit_test_lib_SOURCES = unit/test-lib.c
unit_test_lib_LDADD = src/libshared-glib.la \
lib/libbluetooth-internal.la $(GLIB_LIBS)
@ -12,7 +12,7 @@ Index: b/Makefile.am
unit_test_gatt_SOURCES = unit/test-gatt.c
unit_test_gatt_LDADD = src/libshared-glib.la \
@@ -511,7 +512,8 @@ unit_test_gattrib_LDADD = lib/libbluetoo
@@ -527,7 +528,8 @@ unit_test_gattrib_LDADD = lib/libbluetoo
$(GLIB_LIBS) $(DBUS_LIBS) -ldl -lrt
if MIDI
@ -22,7 +22,7 @@ Index: b/Makefile.am
unit_test_midi_CPPFLAGS = $(AM_CPPFLAGS) $(ALSA_CFLAGS) -DMIDI_TEST
unit_test_midi_SOURCES = unit/test-midi.c \
profiles/midi/libmidi.h \
@@ -521,7 +523,7 @@ unit_test_midi_LDADD = src/libshared-gli
@@ -537,7 +539,7 @@ unit_test_midi_LDADD = src/libshared-gli
endif
if MESH
@ -30,4 +30,4 @@ Index: b/Makefile.am
+#unit_tests += unit/test-mesh-crypto
unit_test_mesh_crypto_CPPFLAGS = $(ell_cflags)
unit_test_mesh_crypto_SOURCES = unit/test-mesh-crypto.c \
mesh/crypto.h ell/internal ell/ell.h \
mesh/crypto.h ell/internal ell/ell.h

View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Fri Mar 20 17:04:10 UTC 2020 - Stefan Seyfried <seife+obs@b1-systems.com>
- update to bluez-5.54:
* Fix issue with HOGP to accept data only from bonded devices.
* Fix issue with A2DP sessions being connected at the same time.
* Fix issue with class UUID matches before connecting profile.
* Add support for handling MTU auto-tuning option for AVDTP.
* Add support for new policy for Just-Works repairing.
* Add support for Enhanced ATT bearer (EATT).
- bluez-5.53:
* Fix issue with handling unregistration for advertisment.
* Fix issue with A2DP and handling recovering process.
* Fix issue with udpating input device information.
* Add support for loading blocked keys.
- remove obsolete upstreamed patches:
* HOGP-must-only-accept-data-from-bonded-devices.patch
* HID-accepts-bonded-device-connections-only.patch
- refresh other patches
-------------------------------------------------------------------
Wed Mar 18 08:29:49 UTC 2020 - Al Cho <acho@suse.com>

View File

@ -2,7 +2,7 @@
# spec file for package bluez
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2010-2019 B1 Systems GmbH, Vohburg, Germany
# Copyright (c) 2010-2020 B1 Systems GmbH, Vohburg, Germany
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -29,7 +29,7 @@
# contributions via pull requests are welcome!
#
Name: bluez
Version: 5.52
Version: 5.54
Release: 0
Summary: Bluetooth Stack for Linux
License: GPL-2.0-or-later
@ -58,8 +58,6 @@ Patch10: RPi-Move-the-43xx-firmware-into-lib-firmware.patch
Patch101: CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
Patch102: CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch
# PATCH-FIX-UPSTREAM: bsc#1166751 CVE-2020-0556
Patch103: HOGP-must-only-accept-data-from-bonded-devices.patch
Patch104: HID-accepts-bonded-device-connections-only.patch
Patch105: input-hog-Attempt-to-set-security-level-if-not-bonde.patch
Patch106: input-Add-LEAutoSecurity-setting-to-input.conf.patch
@ -193,8 +191,6 @@ to use the modern tools instead.
%patch10 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
mkdir dbus-apis
@ -358,6 +354,7 @@ make check V=0
%{_bindir}/btmon
%if %{with mesh}
%{_bindir}/meshctl
%{_bindir}/mesh-cfgclient
%endif
%{_bindir}/bccmd
%{_prefix}/lib/udev/