From patchwork Sun Mar 15 18:11:35 2020
X-Patchwork-Submitter: Vincent Legoll
X-Patchwork-Id: 20693
From: Vincent Legoll
Date: Sun, 15 Mar 2020 19:11:35 +0100
To: 40081@debbugs.gnu.org
Subject: [bug#40081] [PATCH] gnu: bluez: Update to 5.54.

I checked that the CVE patches have been applied upstream.

From a84f040fd88b02b556a0fbd207f8edce1a940924 Mon Sep 17 00:00:00 2001
From: Vincent Legoll Date: Sun, 15 Mar 2020 19:07:57 +0100 Subject: [PATCH] gnu: bluez: Update to 5.54. * gnu/packages/linux.scm (bluez) : Update to 5.54. (bluez/fixed): remove variable. * gnu/packages/patches/bluez-CVE-2020-0556.patch: Remove file --- gnu/packages/linux.scm | 13 +- .../patches/bluez-CVE-2020-0556.patch | 180 ------------------ 2 files changed, 2 insertions(+), 191 deletions(-) delete mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 688d9eefaf..78c6d48474 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -4009,8 +4009,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") (define-public bluez (package (name "bluez") - (replacement bluez/fixed) - (version "5.53") + (version "5.54") (source (origin (method url-fetch) (uri (string-append @@ -4018,7 +4017,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") version ".tar.xz")) (sha256 (base32 - "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq")))) + "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8")))) (build-system gnu-build-system) (arguments `(#:configure-flags @@ -4075,14 +4074,6 @@ Bluetooth audio output devices like headphones or loudspeakers.") is flexible, efficient and uses a modular implementation.") (license license:gpl2+))) -(define bluez/fixed - (package - (inherit bluez) - (source (origin - (inherit (package-source bluez)) - (patches (append (origin-patches (package-source bluez)) - (search-patches "bluez-CVE-2020-0556.patch"))))))) - (define-public fuse-exfat (package (name "fuse-exfat") diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch deleted file mode 100644 index 7c34459a3a..0000000000 --- a/gnu/packages/patches/bluez-CVE-2020-0556.patch +++ /dev/null 
@@ -1,180 +0,0 @@ -Fix CVE-2020-0556: - -https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 - -Patches copied from upstream source repository: - -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 - -From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:18 +0000 -Subject: [PATCH] HID accepts bonded device connections only. - -This change adds a configuration for platforms to choose a more secure -posture for the HID profile. While some older mice are known to not -support pairing or encryption, some platform may choose a more secure -posture by requiring the device to be bonded and require the -connection to be encrypted when bonding is required. 
- -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html ---- - profiles/input/device.c | 23 ++++++++++++++++++++++- - profiles/input/device.h | 1 + - profiles/input/input.conf | 8 ++++++++ - profiles/input/manager.c | 13 ++++++++++++- - 4 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/device.c b/profiles/input/device.c -index 2cb3811c8..d89da2d7c 100644 ---- a/profiles/input/device.c -+++ b/profiles/input/device.c -@@ -92,6 +92,7 @@ struct input_device { - - static int idle_timeout = 0; - static bool uhid_enabled = false; -+static bool classic_bonded_only = false; - - void input_set_idle_timeout(int timeout) - { -@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) - uhid_enabled = state; - } - -+void input_set_classic_bonded_only(bool state) -+{ -+ classic_bonded_only = state; -+} -+ - static void input_device_enter_reconnect_mode(struct input_device *idev); - static int connection_disconnect(struct input_device *idev, uint32_t flags); - -@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) - if (device_name_known(idev->device)) - device_get_name(idev->device, req->name, sizeof(req->name)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) { -+ error("Rejected connection from !bonded device %s", dst_addr); -+ goto cleanup; -+ } -+ - /* Encryption is mandatory for keyboards */ -- if (req->subclass & 0x40) { -+ /* Some platforms may choose to require encryption for all devices */ -+ /* Note that this only matters for pre 2.1 devices as otherwise the */ -+ /* device is encrypted by default by the lower layers */ -+ if (classic_bonded_only || req->subclass & 0x40) { - if (!bt_io_set(idev->intr_io, &gerr, - BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, - BT_IO_OPT_INVALID)) { -@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) - DBG("path=%s reconnect_mode=%s", idev->path, - reconnect_mode_to_string(idev->reconnect_mode)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) -+ return; -+ - /* Only attempt an auto-reconnect when the device is required to - * accept reconnections from the host. - */ -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 51a9aee18..3044db673 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -29,6 +29,7 @@ struct input_conn; - - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); -+void input_set_classic_bonded_only(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 3e1d65aae..166aff4a4 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -11,3 +11,11 @@ - # Enable HID protocol handling in userspace input profile - # Defaults to false (HIDP handled in HIDP kernel module) - #UserspaceHID=true -+ -+# Limit HID connections to bonded devices -+# The HID Profile does not specify that devices must be bonded, however some -+# platforms may want to make sure that input connections only come from bonded -+# device connections. Several older mice have been known for not supporting -+# pairing/encryption. -+# Defaults to false to maximize device compatibility. 
-+#ClassicBondedOnly=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 1d31b0652..5cd27b839 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled; -+ gboolean uhid_enabled, classic_bonded_only; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -114,6 +114,17 @@ static int input_init(void) - input_enable_userspace_hid(uhid_enabled); - } else - g_clear_error(&err); -+ -+ classic_bonded_only = g_key_file_get_boolean(config, "General", -+ "ClassicBondedOnly", &err); -+ -+ if (!err) { -+ DBG("input.conf: ClassicBondedOnly=%s", -+ classic_bonded_only ? "true" : "false"); -+ input_set_classic_bonded_only(classic_bonded_only); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -2.25.1 - -From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:16 +0000 -Subject: [PATCH] HOGP must only accept data from bonded devices. - -HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm ---- - profiles/input/hog.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index 83c017dcb..dfac68921 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) - return -EINVAL; - } - -+ /* HOGP 1.0 Section 6.1 requires bonding */ -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -+ return -ECONNREFUSED; -+ - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); - --- -2.25.1 - -- 2.25.1
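Review bot: in the first gnu/packages/linux.scm hunk, dropping `(replacement bluez/fixed)` together with the 5.53 to 5.54 bump turns what was a graft into a full rebuild of bluez and of every package that depends on it; before this goes to master, run `guix refresh -l bluez` and confirm the dependent count is low enough for master rather than staging.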
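Review bot: in the sha256 hunk, the new base32 hash `1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8` has no stated provenance; please confirm it was produced by `guix download` on the 5.54 tarball and that the tarball verifies against the detached signature upstream publishes next to it on kernel.org, so the hash pins an authentic release and not whatever a mirror happened to serve.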
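Review bot: the hunk removing the `bluez/fixed` definition leaves the commit message without any record of why the CVE-2020-0556 graft can go; add a sentence stating that 5.54 contains upstream commits 3cccdbab2324086588df4ccf5f892fb3ce1f1787 and 8cdbd3b09f29da29374e2f83369df24228da0ad1 (the two listed in the header of the deleted patch), and tidy the ChangeLog entries to the usual form: `(bluez): Update to 5.54.`, `(bluez/fixed): Remove variable.`, `* gnu/packages/patches/bluez-CVE-2020-0556.patch: Delete.`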
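Review bot: the `deleted file mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch` hunk removes the patch file, but the diffstat shows no change to gnu/local.mk; every file under gnu/packages/patches/ is listed there in dist_patch_DATA, so the `%D%/packages/patches/bluez-CVE-2020-0556.patch` entry must be removed as well (with a matching `* gnu/local.mk (dist_patch_DATA): Remove it.` ChangeLog line), otherwise `make` complains about a missing distribution file. A caveat worth recording for anyone relying on this update for CVE-2020-0556: the deleted patch shows the classic HID check is gated on `ClassicBondedOnly`, which defaults to false in input.conf, so 5.54 hardens HOGP unconditionally but keeps accepting unbonded classic HID devices unless `ClassicBondedOnly=true` is set.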