import bluez-5.52-1.el8

2020-07-28 05:28:54 -04:00 · 2020-07-28 05:28:54 -04:00 · bfa1dc9e35
commit bfa1dc9e35
parent e78b0878c6
11 changed files with 254 additions and 98 deletions
--- a/.bluez.metadata
+++ b/.bluez.metadata
@ -1 +1 @@
-a59289c91ccb7fac248e916838d4e66d7936151e SOURCES/bluez-5.50.tar.xz
+75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/bluez-5.50.tar.xz
+SOURCES/bluez-5.52.tar.xz
--- a/SOURCES/0001-HOGP-must-only-accept-data-from-bonded-devices.patch
+++ b/SOURCES/0001-HOGP-must-only-accept-data-from-bonded-devices.patch
@ -0,0 +1,37 @@
+From 89fb68570e72a854f10d50bec99112d294597483 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Fri, 24 Apr 2020 16:06:37 +0530
+Subject: [PATCH BlueZ 1/2]     HOGP must only accept data from bonded devices.
+
+commit 8cdbd3b09f29da29374e2f83369df24228da0ad1
+Author: Alain Michaud <alainm@chromium.org>
+Date:   Tue Mar 10 02:35:16 2020 +0000
+
+    HOGP must only accept data from bonded devices.
+
+    HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
+
+    Reference:
+    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
+---
+ profiles/input/hog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 23c9c1529..f8a82bc20 100644
+--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
+@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
+ 			return -EINVAL;
+ 	}
+ 
+	/* HOGP 1.0 Section 6.1 requires bonding */
+	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+		return -ECONNREFUSED;
+
+ 	/* TODO: Replace GAttrib with bt_gatt_client */
+ 	bt_hog_attach(dev->hog, attrib);
+ 
+-- 
+2.21.1
+
--- a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
+++ b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
@ -1,35 +1,41 @@
+From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 20:56:46 +0530
+Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir
+
 From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 20 Sep 2017 12:49:10 +0200
-Subject: [PATCH 1/4] build: Always define confdir and statedir
+
+build: Always define confdir and statedir

 As we will need those paths to lock down on them.
 ---
- Makefile.am | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
+ Makefile.am | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)

 diff --git a/Makefile.am b/Makefile.am
-index 555f301ca..1c38d94e5 100644
+index 84c9712c9..6e77ed91e 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -30,14 +30,14 @@ include_HEADERS =
- AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS)
+@@ -31,14 +31,15 @@ pkginclude_HEADERS =
+ AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
 AM_LDFLAGS = $(MISC_LDFLAGS)
 
 +confdir = $(sysconfdir)/bluetooth
 +statedir = $(localstatedir)/lib/bluetooth
 +
 if DATAFILES
- dbusdir = @DBUS_CONFDIR@/dbus-1/system.d
+ dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
 dbus_DATA = src/bluetooth.conf
 
 -confdir = $(sysconfdir)/bluetooth
 conf_DATA =
-
+ 
 -statedir = $(localstatedir)/lib/bluetooth
 state_DATA =
 endif
 
 -- 
-2.14.1
+2.21.1

--- a/SOURCES/0001-build-Enable-BIND_NOW.patch
+++ b/SOURCES/0001-build-Enable-BIND_NOW.patch
@ -1,31 +0,0 @@
-From e45c8fdcb3d7cdb654f6819c02d1bbb5b40b6116 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Thu, 7 Nov 2013 09:23:35 +0100
-Subject: [PATCH 1/4] build: Enable BIND_NOW
-
-Partial RELRO means that the object is GNU_RELRO but not BIND_NOW.  This
-reduces the effectiveness of RELRO.  bluez triggers this because it
-enables PIE during the build, and rpmdiff takes this as an indicator
-that the best possible hardening is desired.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=983161
---
- acinclude.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index bc39c6d73..efce2f3cb 100644
--- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -50,7 +50,7 @@ AC_DEFUN([MISC_FLAGS], [
- 		if (test "${enableval}" = "yes" &&
- 				test "${ac_cv_prog_cc_pie}" = "yes"); then
- 			misc_cflags="$misc_cflags -fPIC"
-			misc_ldflags="$misc_ldflags -pie"
-+			misc_ldflags="$misc_ldflags -pie -Wl,-z,now"
- 		fi
- 	])
- 	if (test "$enable_coverage" = "yes"); then
-- 
-2.14.1
-
--- a/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch
+++ b/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch
@ -0,0 +1,144 @@
+From b84b23845ec9730b783f4e6efcee70c8b2f09f29 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Fri, 24 Apr 2020 16:27:58 +0530
+Subject: [PATCH BlueZ 2/2]     HID accepts bonded device connections only.
+
+commit 3cccdbab2324086588df4ccf5f892fb3ce1f1787
+Author: Alain Michaud <alainm@chromium.org>
+Date:   Tue Mar 10 02:35:18 2020 +0000
+
+    HID accepts bonded device connections only.
+
+    This change adds a configuration for platforms to choose a more secure
+    posture for the HID profile.  While some older mice are known to not
+    support pairing or encryption, some platform may choose a more secure
+    posture by requiring the device to be bonded  and require the
+    connection to be encrypted when bonding is required.
+
+    Reference:
+    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+---
+ profiles/input/device.c   | 23 ++++++++++++++++++++++-
+ profiles/input/device.h   |  1 +
+ profiles/input/input.conf |  8 ++++++++
+ profiles/input/manager.c  | 13 ++++++++++++-
+ 4 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 84614784d..3abd2f592 100644
+--- a/profiles/input/device.c
+++ b/profiles/input/device.c
+@@ -91,6 +91,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+static bool classic_bonded_only = false;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -102,6 +103,11 @@ void input_enable_userspace_hid(bool state)
+ 	uhid_enabled = state;
+ }
+ 
+void input_set_classic_bonded_only(bool state)
+{
+	classic_bonded_only = state;
+}
+
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+ 
+@@ -969,8 +975,18 @@ static int hidp_add_connection(struct input_device *idev)
+ 	if (device_name_known(idev->device))
+ 		device_get_name(idev->device, req->name, sizeof(req->name));
+ 
+	/* Make sure the device is bonded if required */
+	if (classic_bonded_only && !device_is_bonded(idev->device,
+				btd_device_get_bdaddr_type(idev->device))) {
+		error("Rejected connection from !bonded device %s", dst_addr);
+		goto cleanup;
+	}
+
+ 	/* Encryption is mandatory for keyboards */
+-	if (req->subclass & 0x40) {
+	/* Some platforms may choose to require encryption for all devices */
+	/* Note that this only matters for pre 2.1 devices as otherwise the */
+	/* device is encrypted by default by the lower layers */
+	if (classic_bonded_only || req->subclass & 0x40) {
+ 		if (!bt_io_set(idev->intr_io, &gerr,
+ 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ 					BT_IO_OPT_INVALID)) {
+@@ -1202,6 +1218,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ 	DBG("path=%s reconnect_mode=%s", idev->path,
+ 				reconnect_mode_to_string(idev->reconnect_mode));
+ 
+	/* Make sure the device is bonded if required */
+	if (classic_bonded_only && !device_is_bonded(idev->device,
+				btd_device_get_bdaddr_type(idev->device)))
+		return;
+
+ 	/* Only attempt an auto-reconnect when the device is required to
+ 	 * accept reconnections from the host.
+ 	 */
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee18..3044db673 100644
+--- a/profiles/input/device.h
+++ b/profiles/input/device.h
+@@ -29,6 +29,7 @@ struct input_conn;
+ 
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
+void input_set_classic_bonded_only(bool state);
+ 
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65aae..166aff4a4 100644
+--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
+@@ -11,3 +11,11 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
+
+# Limit HID connections to bonded devices
+# The HID Profile does not specify that devices must be bonded, however some
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+# Defaults to false to maximize device compatibility.
+#ClassicBondedOnly=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b0652..5cd27b839 100644
+--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ 	config = load_config_file(CONFIGDIR "/input.conf");
+ 	if (config) {
+ 		int idle_timeout;
+-		gboolean uhid_enabled;
+		gboolean uhid_enabled, classic_bonded_only;
+ 
+ 		idle_timeout = g_key_file_get_integer(config, "General",
+ 							"IdleTimeout", &err);
+@@ -114,6 +114,17 @@ static int input_init(void)
+ 			input_enable_userspace_hid(uhid_enabled);
+ 		} else
+ 			g_clear_error(&err);
+
+		classic_bonded_only = g_key_file_get_boolean(config, "General",
+						"ClassicBondedOnly", &err);
+
+		if (!err) {
+			DBG("input.conf: ClassicBondedOnly=%s",
+					classic_bonded_only ? "true" : "false");
+			input_set_classic_bonded_only(classic_bonded_only);
+		} else
+			g_clear_error(&err);
+
+ 	}
+ 
+ 	btd_profile_register(&input_profile);
+-- 
+2.21.1
+
--- a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ b/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
@ -1,7 +1,13 @@
+From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:54:24 +0530
+Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
 From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
 From: Craig Andrews <candrews@integralblue.com>
 Date: Wed, 13 Sep 2017 15:23:09 +0200
-Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
+systemd: Add PrivateTmp and NoNewPrivileges options

 PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
 namespace. This is useful to secure access to temporary files of the
@ -15,7 +21,7 @@ possible privilege escalations.
 1 file changed, 6 insertions(+)

 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index f799f65f0..a6f3030f9 100644
+index f9faaa452..7c2f60bb4 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
@ -34,5 +40,5 @@ index f799f65f0..a6f3030f9 100644
 [Install]
 WantedBy=bluetooth.target
 -- 
-2.14.1
+2.21.1

--- a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
+++ b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
@ -1,7 +1,13 @@
+From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:55:39 +0530
+Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
+
 From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:37:11 +0200
-Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
+
+systemd: Add more filesystem lockdown

 We can only access the configuration file as read-only and read-write
 to the Bluetooth cache directory and sub-directories.
@ -11,20 +17,20 @@ to the Bluetooth cache directory and sub-directories.
 2 files changed, 6 insertions(+)

 diff --git a/Makefile.am b/Makefile.am
-index 1c38d94e5..13ccf9079 100644
+index cdd2fd8fb..0af1a8c45 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
 
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
- 		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
+ 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
 +		       -e 's,@statedir\@,$(statedir),g' \
 +		       -e 's,@confdir\@,$(confdir),g' \
 		< $< > $@
 
 %.service: %.service.in Makefile
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index a6f3030f9..7e55b5043 100644
+index 7c2f60bb4..4daedef2a 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
@ -39,5 +45,5 @@ index a6f3030f9..7e55b5043 100644
 # Privilege escalation
 NoNewPrivileges=true
 -- 
-2.14.1
+2.21.1

--- a/SOURCES/0003-tools-csr_usb-Fix-compilation-failure.patch
+++ b/SOURCES/0003-tools-csr_usb-Fix-compilation-failure.patch
@ -1,41 +0,0 @@
-From 07a12a6685ea57be18f39e349dbc42e4af3744ed Mon Sep 17 00:00:00 2001
-From: Bastien Nocera <hadess@hadess.net>
-Date: Tue, 5 Sep 2017 10:32:15 +0200
-Subject: [PATCH 3/4] tools/csr_usb: Fix compilation failure
-
-GCC's "format-nonliteral" security check is enabled as an error in
-recent versions of Fedora. Given the reduced scope of use, mark the
-error as ignorable through pragma.
-
-tools/csr_usb.c: In function 'read_value':
-tools/csr_usb.c:82:2: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
-  n = fscanf(file, format, &value);
-  ^
---
- tools/csr_usb.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/tools/csr_usb.c b/tools/csr_usb.c
-index a1d7324f7..33e9968a2 100644
--- a/tools/csr_usb.c
-+++ b/tools/csr_usb.c
-@@ -67,6 +67,8 @@ struct usbfs_bulktransfer {
- #define USBFS_IOCTL_CLAIMINTF	_IOR('U', 15, unsigned int)
- #define USBFS_IOCTL_RELEASEINTF	_IOR('U', 16, unsigned int)
- 
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
- static int read_value(const char *name, const char *attr, const char *format)
- {
- 	char path[PATH_MAX];
-@@ -88,6 +90,7 @@ static int read_value(const char *name, const char *attr, const char *format)
- 	fclose(file);
- 	return value;
- }
-+#pragma GCC diagnostic pop
- 
- static char *check_device(const char *name)
- {
-- 
-2.14.1
-
--- a/SOURCES/0004-systemd-More-lockdown.patch
+++ b/SOURCES/0004-systemd-More-lockdown.patch
@ -1,7 +1,13 @@
+From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:56:42 +0530
+Subject: [PATCH BlueZ 4/4] systemd: More lockdown
+
 From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:38:26 +0200
-Subject: [PATCH 4/4] systemd: More lockdown
+
+systemd: More lockdown

 bluetoothd does not need to execute mapped memory, or real-time
 access, so block those.
@ -10,7 +16,7 @@ access, so block those.
 1 file changed, 6 insertions(+)

 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index 7e55b5043..e8267b338 100644
+index 4daedef2a..f18801866 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
@ -30,5 +36,5 @@ index 7e55b5043..e8267b338 100644
 WantedBy=bluetooth.target
 Alias=dbus-org.bluez.service
 -- 
-2.14.1
+2.21.1

--- a/SPECS/bluez.spec
+++ b/SPECS/bluez.spec
@ -1,6 +1,6 @@
 Name:    bluez
 Summary: Bluetooth utilities
-Version: 5.50
+Version: 5.52
 Release: 1%{?dist}
 License: GPLv2+
 URL:     http://www.bluez.org/
@ -15,8 +15,8 @@ Source3: btattach-bcm@.service
 Source4: btattach-bcm-service.sh

 # https://github.com/hadess/bluez/commits/build-fixes-5.46
-Patch1: 0001-build-Enable-BIND_NOW.patch
-Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch
+#Patch1: 0001-build-Enable-BIND_NOW.patch
+#Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch

 # https://github.com/hadess/bluez/commits/obex-5.46
 Patch3: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
@ -33,6 +33,12 @@ Patch23: 0004-systemd-More-lockdown.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1567622
 Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch

+#Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch 
+#Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch 
+
+Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
+Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
+
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@ -220,6 +226,7 @@ make check
 %{_bindir}/mpris-proxy
 %{_bindir}/gatttool
 %{_bindir}/rctest
+%{_datadir}/zsh/site-functions/_bluetoothctl
 %{_mandir}/man1/btattach.1.gz
 %{_mandir}/man1/ciptool.1.gz
 %{_mandir}/man1/hcitool.1.gz
@ -241,6 +248,7 @@ make check
 %{_unitdir}/btattach-bcm@.service
 %{_udevrulesdir}/69-btattach-bcm.rules

+
 %files libs
 %{!?_licensedir:%global license %%doc}
 %license COPYING
@ -266,6 +274,21 @@ make check
 %{_userunitdir}/obex.service

 %changelog
+* Tue Jun 9 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-1
+ bluez-5.52-1
+- Fixing (#1830397)
+
+* Fri Apr 24 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-4
+ bluez-5.50-4
+- Fixing CVE-2020-0556
+
+* Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-3
+ bluez-5.50-3
+- Bump the version 
+
+* Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-2
+ bluez-5.50-2
+- Fixing CVE-2018-10910 (#1606373)

 * Fri Sep 7 2018 Gopal Tiwari <gtiwari@redhat.com> - 5.50-1
 + bluez-5.50-1