From ad7639dde9286f2281122140536cce7c080f43dc Mon Sep 17 00:00:00 2001 From: David Marlin Date: Thu, 30 May 2024 14:12:19 -0500 Subject: [PATCH] Change default of ClassicBondedOnly to true to align with HID specification. Resolves: RHEL-18429 Fixes CVE-2023-45866 Signed-off-by: David Marlin --- ...-Change-default-of-ClassicBondedOnly.patch | 54 +++++++++++++++++++ bluez.spec | 10 +++- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 0001-Change-default-of-ClassicBondedOnly.patch diff --git a/0001-Change-default-of-ClassicBondedOnly.patch b/0001-Change-default-of-ClassicBondedOnly.patch new file mode 100644 index 0000000..37e6a73 --- /dev/null +++ b/0001-Change-default-of-ClassicBondedOnly.patch 
@@ -0,0 +1,54 @@ +From: David Marlin + +Subject: input.conf: Change default of ClassicBondedOnly + +Resolves: RHEL-18429 + +CVE: CVE-2023-45866 + +commit 25a471a83e02e1effb15d5a488b3f0085eaeb675 +Author: Luiz Augusto von Dentz +Date: Tue Oct 10 13:03:12 2023 -0700 + + input.conf: Change default of ClassicBondedOnly + + This changes the default of ClassicBondedOnly since defaulting to false + is not inline with HID specification which mandates the of Security Mode + 4: + + BLUETOOTH SPECIFICATION Page 84 of 123 + Human Interface Device (HID) Profile: + + 5.4.3.4.2 Security Modes + Bluetooth HID Hosts shall use Security Mode 4 when interoperating with + Bluetooth HID devices that are compliant to the Bluetooth Core + Specification v2.1+EDR[6]. + +Signed-off-by: David Marlin + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 4a50ea9921a97751a94547c0e73177d58184a75d..4310dd192e113f9875c07117d523167655cef954 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -81,7 +81,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; +-static bool classic_bonded_only = false; ++static bool classic_bonded_only = true; + + void input_set_idle_timeout(int timeout) + { +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 4c70bc561f05429442c6fe0a183584ad1536fa4b..d8645f3dd664e2d671791878462f8a0dc74e04a5 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -17,7 +17,7 @@ + # platforms may want to make sure that input connections only come from bonded + # device connections. Several older mice have been known for not supporting + # pairing/encryption. +-# Defaults to false to maximize device compatibility. ++# Defaults to true for security. + #ClassicBondedOnly=true + + # LE upgrade security diff --git a/bluez.spec b/bluez.spec index 62cb5b9..4f97443 100644 --- a/bluez.spec +++ b/bluez.spec 
@@ -1,7 +1,7 @@ Name: bluez Summary: Bluetooth utilities Version: 5.63 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ URL: http://www.bluez.org/ @@ -49,6 +49,8 @@ Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch #Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch +Patch40: 0001-Change-default-of-ClassicBondedOnly.patch + BuildRequires: git-core BuildRequires: dbus-devel >= 1.6 BuildRequires: glib2-devel @@ -283,6 +285,12 @@ make check %{_userunitdir}/obex.service %changelog +* Wed May 29 2024 David Marlin - 5.63-2 ++ bluez-5.63-2 +- Change default of ClassicBondedOnly to true to align with HID specification. +- Resolves: RHEL-18429 +- Fixing CVE-2021-41229 + * Tue May 17 2022 Gopal Tiwari - 5.63-1 + bluez-5.63-1 - Fixing (#)
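Review bot: In the profiles/input/device.c hunk, switching the initialiser to "static bool classic_bonded_only = true;" changes behaviour on upgrade for every system that leaves the option unset, and nothing in the packaging says so. The input.conf text in this same patch notes that several older mice do not support pairing/encryption, so the %changelog entry should state that such devices now need ClassicBondedOnly=false set explicitly in input.conf. That way an administrator whose device stops connecting after the update can find the cause from the package changelog.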
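Review bot: In the profiles/input/input.conf hunk, the sample line "#ClassicBondedOnly=true" was left unchanged, so after this patch it only restates the new default and uncommenting it has no effect. The comment now reads "Defaults to true for security." but no longer tells the reader what the compatibility cost is or how to opt out. Consider keeping a sentence that setting the option to false re-enables the older unbonded devices mentioned two lines above, at the cost of the protection this patch adds, so the trade-off is documented next to the setting.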
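Review bot: The new %changelog entry in bluez.spec names the wrong CVE: it says "Fixing CVE-2021-41229", while the commit subject ("Fixes CVE-2023-45866") and the header of the added patch file ("CVE: CVE-2023-45866") both give CVE-2023-45866. Tooling and auditors that read the RPM changelog to decide whether a build carries the fix will not match this entry, so the line should read "Fixing CVE-2023-45866". Separately, the entry is dated Wed May 29 2024 while the commit is dated Thu, 30 May 2024; that is harmless, but worth aligning if the entry is being edited anyway.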