import bluez-5.52-1.el8
		
							parent
							
								
									e78b0878c6
								
							
						
					
					
						commit
						bfa1dc9e35
					
				| @ -1 +1 @@ | |||||||
| a59289c91ccb7fac248e916838d4e66d7936151e SOURCES/bluez-5.50.tar.xz | 75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz | ||||||
|  | |||||||
							
								
								
									
										2
									
								
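--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/bluez-5.50.tar.xz
+SOURCES/bluez-5.52.tar.xz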
| @ -0,0 +1,37 @@ | |||||||
|  | From 89fb68570e72a854f10d50bec99112d294597483 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Gopal Tiwari <gtiwari@redhat.com> | ||||||
|  | Date: Fri, 24 Apr 2020 16:06:37 +0530 | ||||||
|  | Subject: [PATCH BlueZ 1/2]     HOGP must only accept data from bonded devices. | ||||||
|  | 
 | ||||||
|  | commit 8cdbd3b09f29da29374e2f83369df24228da0ad1 | ||||||
|  | Author: Alain Michaud <alainm@chromium.org> | ||||||
|  | Date:   Tue Mar 10 02:35:16 2020 +0000 | ||||||
|  | 
 | ||||||
|  |     HOGP must only accept data from bonded devices. | ||||||
|  | 
 | ||||||
|  |     HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. | ||||||
|  | 
 | ||||||
|  |     Reference: | ||||||
|  |     https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm | ||||||
|  | ---
 | ||||||
|  |  profiles/input/hog.c | 4 ++++ | ||||||
|  |  1 file changed, 4 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/profiles/input/hog.c b/profiles/input/hog.c
 | ||||||
|  | index 23c9c1529..f8a82bc20 100644
 | ||||||
|  | --- a/profiles/input/hog.c
 | ||||||
|  | +++ b/profiles/input/hog.c
 | ||||||
|  | @@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
 | ||||||
|  |  			return -EINVAL; | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  | +	/* HOGP 1.0 Section 6.1 requires bonding */
 | ||||||
|  | +	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
 | ||||||
|  | +		return -ECONNREFUSED;
 | ||||||
|  | +
 | ||||||
|  |  	/* TODO: Replace GAttrib with bt_gatt_client */ | ||||||
|  |  	bt_hog_attach(dev->hog, attrib); | ||||||
|  |   | ||||||
|  | -- 
 | ||||||
|  | 2.21.1 | ||||||
|  | 
 | ||||||
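Review bot: The bonded check added to hog_accept() refuses the peer with `-ECONNREFUSED` but writes nothing to the log, so a refused unbonded HoG device leaves no trace for anyone monitoring bluetoothd output; the classic-HID check in 0002-HID-accepts-bonded-device-connections-only.patch does log its rejections. If a downstream delta from the upstream commit is acceptable, a line such as `error("HoG: rejected connection from non-bonded device");` before the return would give detection a signal (this assumes hog.c already has the daemon's logging macros in scope, which is not visible here). Unlike the classic path there is no configuration switch for this check, so first-time pairing and reconnection of LE keyboards and mice are worth regression-testing on this build. hog_accept()'s body starts and ends outside the hunk.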
| @ -1,35 +1,41 @@ | |||||||
|  | From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Gopal Tiwari <gtiwari@redhat.com> | ||||||
|  | Date: Mon, 8 Jun 2020 20:56:46 +0530 | ||||||
|  | Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir | ||||||
|  | 
 | ||||||
| From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001 | From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001 | ||||||
| From: Bastien Nocera <hadess@hadess.net> | From: Bastien Nocera <hadess@hadess.net> | ||||||
| Date: Wed, 20 Sep 2017 12:49:10 +0200 | Date: Wed, 20 Sep 2017 12:49:10 +0200 | ||||||
| Subject: [PATCH 1/4] build: Always define confdir and statedir | 
 | ||||||
|  | build: Always define confdir and statedir | ||||||
| 
 | 
 | ||||||
| As we will need those paths to lock down on them. | As we will need those paths to lock down on them. | ||||||
| ---
 | ---
 | ||||||
|  Makefile.am | 6 +++--- |  Makefile.am | 5 +++-- | ||||||
|  1 file changed, 3 insertions(+), 3 deletions(-) |  1 file changed, 3 insertions(+), 2 deletions(-) | ||||||
| 
 | 
 | ||||||
| diff --git a/Makefile.am b/Makefile.am
 | diff --git a/Makefile.am b/Makefile.am
 | ||||||
| index 555f301ca..1c38d94e5 100644
 | index 84c9712c9..6e77ed91e 100644
 | ||||||
| --- a/Makefile.am
 | --- a/Makefile.am
 | ||||||
| +++ b/Makefile.am
 | +++ b/Makefile.am
 | ||||||
| @@ -30,14 +30,14 @@ include_HEADERS =
 | @@ -31,14 +31,15 @@ pkginclude_HEADERS =
 | ||||||
|  AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) |  AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags) | ||||||
|  AM_LDFLAGS = $(MISC_LDFLAGS) |  AM_LDFLAGS = $(MISC_LDFLAGS) | ||||||
|   |   | ||||||
| +confdir = $(sysconfdir)/bluetooth
 | +confdir = $(sysconfdir)/bluetooth
 | ||||||
| +statedir = $(localstatedir)/lib/bluetooth
 | +statedir = $(localstatedir)/lib/bluetooth
 | ||||||
| +
 | +
 | ||||||
|  if DATAFILES |  if DATAFILES | ||||||
|  dbusdir = @DBUS_CONFDIR@/dbus-1/system.d |  dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d | ||||||
|  dbus_DATA = src/bluetooth.conf |  dbus_DATA = src/bluetooth.conf | ||||||
|   |   | ||||||
| -confdir = $(sysconfdir)/bluetooth
 | -confdir = $(sysconfdir)/bluetooth
 | ||||||
|  conf_DATA = |  conf_DATA = | ||||||
| -
 |   | ||||||
| -statedir = $(localstatedir)/lib/bluetooth
 | -statedir = $(localstatedir)/lib/bluetooth
 | ||||||
|  state_DATA = |  state_DATA = | ||||||
|  endif |  endif | ||||||
|   |   | ||||||
| -- 
 | -- 
 | ||||||
| 2.14.1 | 2.21.1 | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -1,31 +0,0 @@ | |||||||
| From e45c8fdcb3d7cdb654f6819c02d1bbb5b40b6116 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Florian Weimer <fweimer@redhat.com> |  | ||||||
| Date: Thu, 7 Nov 2013 09:23:35 +0100 |  | ||||||
| Subject: [PATCH 1/4] build: Enable BIND_NOW |  | ||||||
| 
 |  | ||||||
| Partial RELRO means that the object is GNU_RELRO but not BIND_NOW.  This |  | ||||||
| reduces the effectiveness of RELRO.  bluez triggers this because it |  | ||||||
| enables PIE during the build, and rpmdiff takes this as an indicator |  | ||||||
| that the best possible hardening is desired. |  | ||||||
| 
 |  | ||||||
| https://bugzilla.redhat.com/show_bug.cgi?id=983161 |  | ||||||
| ---
 |  | ||||||
|  acinclude.m4 | 2 +- |  | ||||||
|  1 file changed, 1 insertion(+), 1 deletion(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/acinclude.m4 b/acinclude.m4
 |  | ||||||
| index bc39c6d73..efce2f3cb 100644
 |  | ||||||
| --- a/acinclude.m4
 |  | ||||||
| +++ b/acinclude.m4
 |  | ||||||
| @@ -50,7 +50,7 @@ AC_DEFUN([MISC_FLAGS], [
 |  | ||||||
|  		if (test "${enableval}" = "yes" && |  | ||||||
|  				test "${ac_cv_prog_cc_pie}" = "yes"); then |  | ||||||
|  			misc_cflags="$misc_cflags -fPIC" |  | ||||||
| -			misc_ldflags="$misc_ldflags -pie"
 |  | ||||||
| +			misc_ldflags="$misc_ldflags -pie -Wl,-z,now"
 |  | ||||||
|  		fi |  | ||||||
|  	]) |  | ||||||
|  	if (test "$enable_coverage" = "yes"); then |  | ||||||
| -- 
 |  | ||||||
| 2.14.1 |  | ||||||
| 
 |  | ||||||
							
								
								
									
										144
									
								
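--- a/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch
+++ b/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch
@@ -0,0 +1,144 @@
+From b84b23845ec9730b783f4e6efcee70c8b2f09f29 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Fri, 24 Apr 2020 16:27:58 +0530
+Subject: [PATCH BlueZ 2/2]     HID accepts bonded device connections only.
+
+commit 3cccdbab2324086588df4ccf5f892fb3ce1f1787
+Author: Alain Michaud <alainm@chromium.org>
+Date:   Tue Mar 10 02:35:18 2020 +0000
+
+    HID accepts bonded device connections only.
+
+    This change adds a configuration for platforms to choose a more secure
+    posture for the HID profile.  While some older mice are known to not
+    support pairing or encryption, some platform may choose a more secure
+    posture by requiring the device to be bonded  and require the
+    connection to be encrypted when bonding is required.
+
+    Reference:
+    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+---
+ profiles/input/device.c   | 23 ++++++++++++++++++++++-
+ profiles/input/device.h   |  1 +
+ profiles/input/input.conf |  8 ++++++++
+ profiles/input/manager.c  | 13 ++++++++++++-
+ 4 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 84614784d..3abd2f592 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -91,6 +91,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
++static bool classic_bonded_only = false;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -102,6 +103,11 @@ void input_enable_userspace_hid(bool state)
+ 	uhid_enabled = state;
+ }
+ 
++void input_set_classic_bonded_only(bool state)
++{
++	classic_bonded_only = state;
++}
++
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+ 
+@@ -969,8 +975,18 @@ static int hidp_add_connection(struct input_device *idev)
+ 	if (device_name_known(idev->device))
+ 		device_get_name(idev->device, req->name, sizeof(req->name));
+ 
++	/* Make sure the device is bonded if required */
++	if (classic_bonded_only && !device_is_bonded(idev->device,
++				btd_device_get_bdaddr_type(idev->device))) {
++		error("Rejected connection from !bonded device %s", dst_addr);
++		goto cleanup;
++	}
++
+ 	/* Encryption is mandatory for keyboards */
+-	if (req->subclass & 0x40) {
++	/* Some platforms may choose to require encryption for all devices */
++	/* Note that this only matters for pre 2.1 devices as otherwise the */
++	/* device is encrypted by default by the lower layers */
++	if (classic_bonded_only || req->subclass & 0x40) {
+ 		if (!bt_io_set(idev->intr_io, &gerr,
+ 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ 					BT_IO_OPT_INVALID)) {
+@@ -1202,6 +1218,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ 	DBG("path=%s reconnect_mode=%s", idev->path,
+ 				reconnect_mode_to_string(idev->reconnect_mode));
+ 
++	/* Make sure the device is bonded if required */
++	if (classic_bonded_only && !device_is_bonded(idev->device,
++				btd_device_get_bdaddr_type(idev->device)))
++		return;
++
+ 	/* Only attempt an auto-reconnect when the device is required to
+ 	 * accept reconnections from the host.
+ 	 */
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee18..3044db673 100644
+--- a/profiles/input/device.h
++++ b/profiles/input/device.h
+@@ -29,6 +29,7 @@ struct input_conn;
+ 
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
++void input_set_classic_bonded_only(bool state);
+ 
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65aae..166aff4a4 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -11,3 +11,11 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
++
++# Limit HID connections to bonded devices
++# The HID Profile does not specify that devices must be bonded, however some
++# platforms may want to make sure that input connections only come from bonded
++# device connections. Several older mice have been known for not supporting
++# pairing/encryption.
++# Defaults to false to maximize device compatibility.
++#ClassicBondedOnly=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b0652..5cd27b839 100644
+--- a/profiles/input/manager.c
++++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ 	config = load_config_file(CONFIGDIR "/input.conf");
+ 	if (config) {
+ 		int idle_timeout;
+-		gboolean uhid_enabled;
++		gboolean uhid_enabled, classic_bonded_only;
+ 
+ 		idle_timeout = g_key_file_get_integer(config, "General",
+ 							"IdleTimeout", &err);
+@@ -114,6 +114,17 @@ static int input_init(void)
+ 			input_enable_userspace_hid(uhid_enabled);
+ 		} else
+ 			g_clear_error(&err);
++
++		classic_bonded_only = g_key_file_get_boolean(config, "General",
++						"ClassicBondedOnly", &err);
++
++		if (!err) {
++			DBG("input.conf: ClassicBondedOnly=%s",
++					classic_bonded_only ? "true" : "false");
++			input_set_classic_bonded_only(classic_bonded_only);
++		} else
++			g_clear_error(&err);
++
+ 	}
+ 
+ 	btd_profile_register(&input_profile);
+-- 
+2.21.1
+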
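Review bot: In the hidp_add_connection() hunk, the new rejection branch logs and then does `goto cleanup;` without assigning an error code in the lines shown, so whether the caller sees a failure depends on whatever status the cleanup path returns. That function's body starts and ends outside the hunk, so please confirm the branch cannot return success for a refused peer, and set the status explicitly before the jump if it can (for example `err = -EACCES;`, if the status variable is named `err`). Separately, `classic_bonded_only` defaults to `false` and input.conf ships `#ClassicBondedOnly=true` commented out, so the classic-HID half of this fix is opt-in on this build. The package notes should tell administrators to enable it wherever unbonded input devices are not required.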
| @ -1,7 +1,13 @@ | |||||||
|  | From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Gopal Tiwari <gtiwari@redhat.com> | ||||||
|  | Date: Mon, 8 Jun 2020 19:54:24 +0530 | ||||||
|  | Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options | ||||||
|  | 
 | ||||||
| From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001 | From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001 | ||||||
| From: Craig Andrews <candrews@integralblue.com> | From: Craig Andrews <candrews@integralblue.com> | ||||||
| Date: Wed, 13 Sep 2017 15:23:09 +0200 | Date: Wed, 13 Sep 2017 15:23:09 +0200 | ||||||
| Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options | 
 | ||||||
|  | systemd: Add PrivateTmp and NoNewPrivileges options | ||||||
| 
 | 
 | ||||||
| PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different | PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different | ||||||
| namespace. This is useful to secure access to temporary files of the | namespace. This is useful to secure access to temporary files of the | ||||||
| @ -15,7 +21,7 @@ possible privilege escalations. | |||||||
|  1 file changed, 6 insertions(+) |  1 file changed, 6 insertions(+) | ||||||
| 
 | 
 | ||||||
| diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 | diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 | ||||||
| index f799f65f0..a6f3030f9 100644
 | index f9faaa452..7c2f60bb4 100644
 | ||||||
| --- a/src/bluetooth.service.in
 | --- a/src/bluetooth.service.in
 | ||||||
| +++ b/src/bluetooth.service.in
 | +++ b/src/bluetooth.service.in
 | ||||||
| @@ -12,8 +12,14 @@ NotifyAccess=main
 | @@ -12,8 +12,14 @@ NotifyAccess=main
 | ||||||
| @ -34,5 +40,5 @@ index f799f65f0..a6f3030f9 100644 | |||||||
|  [Install] |  [Install] | ||||||
|  WantedBy=bluetooth.target |  WantedBy=bluetooth.target | ||||||
| -- 
 | -- 
 | ||||||
| 2.14.1 | 2.21.1 | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -1,7 +1,13 @@ | |||||||
|  | From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Gopal Tiwari <gtiwari@redhat.com> | ||||||
|  | Date: Mon, 8 Jun 2020 19:55:39 +0530 | ||||||
|  | Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown | ||||||
|  | 
 | ||||||
| From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001 | From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001 | ||||||
| From: Bastien Nocera <hadess@hadess.net> | From: Bastien Nocera <hadess@hadess.net> | ||||||
| Date: Wed, 13 Sep 2017 15:37:11 +0200 | Date: Wed, 13 Sep 2017 15:37:11 +0200 | ||||||
| Subject: [PATCH 3/4] systemd: Add more filesystem lockdown | 
 | ||||||
|  | systemd: Add more filesystem lockdown | ||||||
| 
 | 
 | ||||||
| We can only access the configuration file as read-only and read-write | We can only access the configuration file as read-only and read-write | ||||||
| to the Bluetooth cache directory and sub-directories. | to the Bluetooth cache directory and sub-directories. | ||||||
| @ -11,20 +17,20 @@ to the Bluetooth cache directory and sub-directories. | |||||||
|  2 files changed, 6 insertions(+) |  2 files changed, 6 insertions(+) | ||||||
| 
 | 
 | ||||||
| diff --git a/Makefile.am b/Makefile.am
 | diff --git a/Makefile.am b/Makefile.am
 | ||||||
| index 1c38d94e5..13ccf9079 100644
 | index cdd2fd8fb..0af1a8c45 100644
 | ||||||
| --- a/Makefile.am
 | --- a/Makefile.am
 | ||||||
| +++ b/Makefile.am
 | +++ b/Makefile.am
 | ||||||
| @@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \
 | @@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
 | ||||||
|   |   | ||||||
|  SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ |  SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ | ||||||
|  		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \ |  		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \ | ||||||
| +		       -e 's,@statedir\@,$(statedir),g' \
 | +		       -e 's,@statedir\@,$(statedir),g' \
 | ||||||
| +		       -e 's,@confdir\@,$(confdir),g' \
 | +		       -e 's,@confdir\@,$(confdir),g' \
 | ||||||
|  		< $< > $@ |  		< $< > $@ | ||||||
|   |   | ||||||
|  %.service: %.service.in Makefile |  %.service: %.service.in Makefile | ||||||
| diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 | diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 | ||||||
| index a6f3030f9..7e55b5043 100644
 | index 7c2f60bb4..4daedef2a 100644
 | ||||||
| --- a/src/bluetooth.service.in
 | --- a/src/bluetooth.service.in
 | ||||||
| +++ b/src/bluetooth.service.in
 | +++ b/src/bluetooth.service.in
 | ||||||
| @@ -17,6 +17,10 @@ LimitNPROC=1
 | @@ -17,6 +17,10 @@ LimitNPROC=1
 | ||||||
| @ -39,5 +45,5 @@ index a6f3030f9..7e55b5043 100644 | |||||||
|  # Privilege escalation |  # Privilege escalation | ||||||
|  NoNewPrivileges=true |  NoNewPrivileges=true | ||||||
| -- 
 | -- 
 | ||||||
| 2.14.1 | 2.21.1 | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -1,41 +0,0 @@ | |||||||
| From 07a12a6685ea57be18f39e349dbc42e4af3744ed Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Bastien Nocera <hadess@hadess.net> |  | ||||||
| Date: Tue, 5 Sep 2017 10:32:15 +0200 |  | ||||||
| Subject: [PATCH 3/4] tools/csr_usb: Fix compilation failure |  | ||||||
| 
 |  | ||||||
| GCC's "format-nonliteral" security check is enabled as an error in |  | ||||||
| recent versions of Fedora. Given the reduced scope of use, mark the |  | ||||||
| error as ignorable through pragma. |  | ||||||
| 
 |  | ||||||
| tools/csr_usb.c: In function 'read_value': |  | ||||||
| tools/csr_usb.c:82:2: error: format not a string literal, argument types not checked [-Werror=format-nonliteral] |  | ||||||
|   n = fscanf(file, format, &value); |  | ||||||
|   ^ |  | ||||||
| ---
 |  | ||||||
|  tools/csr_usb.c | 3 +++ |  | ||||||
|  1 file changed, 3 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/tools/csr_usb.c b/tools/csr_usb.c
 |  | ||||||
| index a1d7324f7..33e9968a2 100644
 |  | ||||||
| --- a/tools/csr_usb.c
 |  | ||||||
| +++ b/tools/csr_usb.c
 |  | ||||||
| @@ -67,6 +67,8 @@ struct usbfs_bulktransfer {
 |  | ||||||
|  #define USBFS_IOCTL_CLAIMINTF	_IOR('U', 15, unsigned int) |  | ||||||
|  #define USBFS_IOCTL_RELEASEINTF	_IOR('U', 16, unsigned int) |  | ||||||
|   |  | ||||||
| +#pragma GCC diagnostic push
 |  | ||||||
| +#pragma GCC diagnostic ignored "-Wformat-nonliteral"
 |  | ||||||
|  static int read_value(const char *name, const char *attr, const char *format) |  | ||||||
|  { |  | ||||||
|  	char path[PATH_MAX]; |  | ||||||
| @@ -88,6 +90,7 @@ static int read_value(const char *name, const char *attr, const char *format)
 |  | ||||||
|  	fclose(file); |  | ||||||
|  	return value; |  | ||||||
|  } |  | ||||||
| +#pragma GCC diagnostic pop
 |  | ||||||
|   |  | ||||||
|  static char *check_device(const char *name) |  | ||||||
|  { |  | ||||||
| -- 
 |  | ||||||
| 2.14.1 |  | ||||||
| 
 |  | ||||||
| @ -1,7 +1,13 @@ | |||||||
|  | From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Gopal Tiwari <gtiwari@redhat.com> | ||||||
|  | Date: Mon, 8 Jun 2020 19:56:42 +0530 | ||||||
|  | Subject: [PATCH BlueZ 4/4] systemd: More lockdown | ||||||
|  | 
 | ||||||
| From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001 | From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001 | ||||||
| From: Bastien Nocera <hadess@hadess.net> | From: Bastien Nocera <hadess@hadess.net> | ||||||
| Date: Wed, 13 Sep 2017 15:38:26 +0200 | Date: Wed, 13 Sep 2017 15:38:26 +0200 | ||||||
| Subject: [PATCH 4/4] systemd: More lockdown | 
 | ||||||
|  | systemd: More lockdown | ||||||
| 
 | 
 | ||||||
| bluetoothd does not need to execute mapped memory, or real-time | bluetoothd does not need to execute mapped memory, or real-time | ||||||
| access, so block those. | access, so block those. | ||||||
| @ -10,7 +16,7 @@ access, so block those. | |||||||
|  1 file changed, 6 insertions(+) |  1 file changed, 6 insertions(+) | ||||||
| 
 | 
 | ||||||
| diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 | diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
 | ||||||
| index 7e55b5043..e8267b338 100644
 | index 4daedef2a..f18801866 100644
 | ||||||
| --- a/src/bluetooth.service.in
 | --- a/src/bluetooth.service.in
 | ||||||
| +++ b/src/bluetooth.service.in
 | +++ b/src/bluetooth.service.in
 | ||||||
| @@ -22,9 +22,15 @@ ProtectControlGroups=true
 | @@ -22,9 +22,15 @@ ProtectControlGroups=true
 | ||||||
| @ -30,5 +36,5 @@ index 7e55b5043..e8267b338 100644 | |||||||
|  WantedBy=bluetooth.target |  WantedBy=bluetooth.target | ||||||
|  Alias=dbus-org.bluez.service |  Alias=dbus-org.bluez.service | ||||||
| -- 
 | -- 
 | ||||||
| 2.14.1 | 2.21.1 | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -1,6 +1,6 @@ | |||||||
| Name:    bluez | Name:    bluez | ||||||
| Summary: Bluetooth utilities | Summary: Bluetooth utilities | ||||||
| Version: 5.50 | Version: 5.52 | ||||||
| Release: 1%{?dist} | Release: 1%{?dist} | ||||||
| License: GPLv2+ | License: GPLv2+ | ||||||
| URL:     http://www.bluez.org/ | URL:     http://www.bluez.org/ | ||||||
| @ -15,8 +15,8 @@ Source3: btattach-bcm@.service | |||||||
| Source4: btattach-bcm-service.sh | Source4: btattach-bcm-service.sh | ||||||
| 
 | 
 | ||||||
| # https://github.com/hadess/bluez/commits/build-fixes-5.46 | # https://github.com/hadess/bluez/commits/build-fixes-5.46 | ||||||
| Patch1: 0001-build-Enable-BIND_NOW.patch | #Patch1: 0001-build-Enable-BIND_NOW.patch | ||||||
| Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch | #Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch | ||||||
| 
 | 
 | ||||||
| # https://github.com/hadess/bluez/commits/obex-5.46 | # https://github.com/hadess/bluez/commits/obex-5.46 | ||||||
| Patch3: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch | Patch3: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch | ||||||
| @ -33,6 +33,12 @@ Patch23: 0004-systemd-More-lockdown.patch | |||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1567622 | # https://bugzilla.redhat.com/show_bug.cgi?id=1567622 | ||||||
| Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch | Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch | ||||||
| 
 | 
 | ||||||
|  | #Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch  | ||||||
|  | #Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch  | ||||||
|  | 
 | ||||||
|  | Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch | ||||||
|  | Patch28: 0002-HID-accepts-bonded-device-connections-only.patch | ||||||
|  | 
 | ||||||
| BuildRequires: git-core | BuildRequires: git-core | ||||||
| BuildRequires: dbus-devel >= 1.6 | BuildRequires: dbus-devel >= 1.6 | ||||||
| BuildRequires: glib2-devel | BuildRequires: glib2-devel | ||||||
| @ -220,6 +226,7 @@ make check | |||||||
| %{_bindir}/mpris-proxy | %{_bindir}/mpris-proxy | ||||||
| %{_bindir}/gatttool | %{_bindir}/gatttool | ||||||
| %{_bindir}/rctest | %{_bindir}/rctest | ||||||
|  | %{_datadir}/zsh/site-functions/_bluetoothctl | ||||||
| %{_mandir}/man1/btattach.1.gz | %{_mandir}/man1/btattach.1.gz | ||||||
| %{_mandir}/man1/ciptool.1.gz | %{_mandir}/man1/ciptool.1.gz | ||||||
| %{_mandir}/man1/hcitool.1.gz | %{_mandir}/man1/hcitool.1.gz | ||||||
| @ -241,6 +248,7 @@ make check | |||||||
| %{_unitdir}/btattach-bcm@.service | %{_unitdir}/btattach-bcm@.service | ||||||
| %{_udevrulesdir}/69-btattach-bcm.rules | %{_udevrulesdir}/69-btattach-bcm.rules | ||||||
| 
 | 
 | ||||||
|  | 
 | ||||||
| %files libs | %files libs | ||||||
| %{!?_licensedir:%global license %%doc} | %{!?_licensedir:%global license %%doc} | ||||||
| %license COPYING | %license COPYING | ||||||
| @ -266,6 +274,21 @@ make check | |||||||
| %{_userunitdir}/obex.service | %{_userunitdir}/obex.service | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Tue Jun 9 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-1 | ||||||
|  | + bluez-5.52-1 | ||||||
|  | - Fixing (#1830397) | ||||||
|  | 
 | ||||||
|  | * Fri Apr 24 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-4 | ||||||
|  | + bluez-5.50-4 | ||||||
|  | - Fixing CVE-2020-0556 | ||||||
|  | 
 | ||||||
|  | * Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-3 | ||||||
|  | + bluez-5.50-3 | ||||||
|  | - Bump the version  | ||||||
|  | 
 | ||||||
|  | * Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-2 | ||||||
|  | + bluez-5.50-2 | ||||||
|  | - Fixing CVE-2018-10910 (#1606373) | ||||||
| 
 | 
 | ||||||
| * Fri Sep 7 2018 Gopal Tiwari <gtiwari@redhat.com> - 5.50-1 | * Fri Sep 7 2018 Gopal Tiwari <gtiwari@redhat.com> - 5.50-1 | ||||||
| + bluez-5.50-1 | + bluez-5.50-1 | ||||||
|  | |||||||
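Review bot: `Patch1: 0001-build-Enable-BIND_NOW.patch` is commented out and the patch file is deleted in this commit, which drops the `-Wl,-z,now` that the patch appended to the PIE link flags; nothing on this page shows 5.52 itself or the distribution's default LDFLAGS supplying it instead. Please confirm the built bluetoothd and tools still get full RELRO (for example, `readelf -d` on the binaries reports a NOW/BIND_NOW flag), or carry the patch forward rebased onto 5.52. The disabled `#Patch1`, `#Patch2`, `#Patch25` and `#Patch26` lines would also be clearer either removed or annotated with the reason, e.g. `# dropped in 5.52: <reason>`, so a later reader can tell a deliberate removal from a leftover.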