diff --git a/0001-build-Always-define-confdir-and-statedir.patch b/0001-build-Always-define-confdir-and-statedir.patch index 6e0c8ca0a8493be7cdeeee9d9790ab08952be3d1..35f64e48c9443d7c338c2f3228fe11743cc0d277 100644 --- a/0001-build-Always-define-confdir-and-statedir.patch +++ b/0001-build-Always-define-confdir-and-statedir.patch @@ -1,4 +1,4 @@ -From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001 +From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 20 Sep 2017 12:49:10 +0200 Subject: [PATCH 1/4] build: Always define confdir and statedir @@ -9,18 +9,18 @@ As we will need those paths to lock down on them. 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am -index 555f301ca..1c38d94e5 100644 +index 9d25a815b..ac88c12e0 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -30,14 +30,14 @@ include_HEADERS = - AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) +@@ -31,14 +31,14 @@ pkginclude_HEADERS = + AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags) AM_LDFLAGS = $(MISC_LDFLAGS) +confdir = $(sysconfdir)/bluetooth +statedir = $(localstatedir)/lib/bluetooth + if DATAFILES - dbusdir = @DBUS_CONFDIR@/dbus-1/system.d + dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d dbus_DATA = src/bluetooth.conf -confdir = $(sysconfdir)/bluetooth @@ -31,5 +31,5 @@ index 555f301ca..1c38d94e5 100644 endif -- -2.14.1 +2.21.0 diff --git a/0001-build-Enable-BIND_NOW.patch b/0001-build-Enable-BIND_NOW.patch deleted file mode 100644 index b7c7e577bc9a2f651c3fd14f02461bbafeccec6b..0000000000000000000000000000000000000000 --- a/0001-build-Enable-BIND_NOW.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From e45c8fdcb3d7cdb654f6819c02d1bbb5b40b6116 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Thu, 7 Nov 2013 09:23:35 +0100 -Subject: [PATCH 1/4] build: Enable BIND_NOW - -Partial RELRO means that the object is GNU_RELRO but not BIND_NOW. This -reduces the effectiveness of RELRO. bluez triggers this because it -enables PIE during the build, and rpmdiff takes this as an indicator -that the best possible hardening is desired. - -https://bugzilla.redhat.com/show_bug.cgi?id=983161 ---- - acinclude.m4 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/acinclude.m4 b/acinclude.m4 -index bc39c6d73..efce2f3cb 100644 ---- a/acinclude.m4 -+++ b/acinclude.m4 -@@ -50,7 +50,7 @@ AC_DEFUN([MISC_FLAGS], [ - if (test "${enableval}" = "yes" && - test "${ac_cv_prog_cc_pie}" = "yes"); then - misc_cflags="$misc_cflags -fPIC" -- misc_ldflags="$misc_ldflags -pie" -+ misc_ldflags="$misc_ldflags -pie -Wl,-z,now" - fi - ]) - if (test "$enable_coverage" = "yes"); then --- -2.14.1 - diff --git a/0001-policy-Add-logic-to-connect-a-Sink.patch b/0001-policy-Add-logic-to-connect-a-Sink.patch deleted file mode 100644 index 3a3d9a00ee1a35a85b50837ea9e3da5c4efca125..0000000000000000000000000000000000000000 --- a/0001-policy-Add-logic-to-connect-a-Sink.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 477ecca127c529611adbc53f08039cefaf86305d Mon Sep 17 00:00:00 2001 -From: Luiz Augusto von Dentz -Date: Tue, 26 Jun 2018 13:37:33 +0300 -Subject: [PATCH] policy: Add logic to connect a Sink - -If HFP/HSP HS connects and the device also supports a Sink connect it -as well since some devices (e.g. Sony MW600) may not connect it -automatically. ---- - plugins/policy.c | 39 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 39 insertions(+) - -diff --git a/plugins/policy.c b/plugins/policy.c -index 1f5a506a2..de51e58b9 100644 ---- a/plugins/policy.c -+++ b/plugins/policy.c -@@ -297,6 +297,42 @@ static void sink_cb(struct btd_service *service, btd_service_state_t old_state, - } - } - -+static void hs_cb(struct btd_service *service, btd_service_state_t old_state, -+ btd_service_state_t new_state) -+{ -+ struct btd_device *dev = btd_service_get_device(service); -+ struct policy_data *data; -+ struct btd_service *sink; -+ -+ /* If the device supports Sink set a timer to connect it as well */ -+ sink = btd_device_get_service(dev, A2DP_SINK_UUID); -+ if (sink == NULL) -+ return; -+ -+ data = policy_get_data(dev); -+ -+ switch (new_state) { -+ case BTD_SERVICE_STATE_UNAVAILABLE: -+ break; -+ case BTD_SERVICE_STATE_DISCONNECTED: -+ break; -+ case BTD_SERVICE_STATE_CONNECTING: -+ break; -+ case BTD_SERVICE_STATE_CONNECTED: -+ /* Check if service initiate the connection then proceed -+ * immediately otherwise set timer -+ */ -+ if (old_state == BTD_SERVICE_STATE_CONNECTING) -+ policy_connect(data, sink); -+ else if (btd_service_get_state(sink) != -+ BTD_SERVICE_STATE_CONNECTED) -+ policy_set_sink_timer(data); -+ break; -+ case BTD_SERVICE_STATE_DISCONNECTING: -+ break; -+ } -+} -+ - static gboolean policy_connect_tg(gpointer user_data) - { - struct policy_data *data = user_data; -@@ -615,6 +651,9 @@ static void service_cb(struct btd_service *service, - controller_cb(service, old_state, new_state); - else if (g_str_equal(profile->remote_uuid, 
AVRCP_TARGET_UUID)) - target_cb(service, old_state, new_state); -+ else if (g_str_equal(profile->remote_uuid, HFP_HS_UUID) || -+ g_str_equal(profile->remote_uuid, HSP_HS_UUID)) -+ hs_cb(service, old_state, new_state); - - /* - * Return if the reconnection feature is not enabled (all --- -2.17.1 - diff --git a/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch b/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch index cd9f69e46632d8daa10f13a5dbfb8e331ee859ad..d6dff2af55320f9b24177d8811a23deb6cb8f8ba 100644 --- a/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch +++ b/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch @@ -1,4 +1,4 @@ -From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001 +From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001 From: Craig Andrews Date: Wed, 13 Sep 2017 15:23:09 +0200 Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options @@ -15,7 +15,7 @@ possible privilege escalations. 1 file changed, 6 insertions(+) diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in -index f799f65f0..a6f3030f9 100644 +index f9faaa452..7c2f60bb4 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -12,8 +12,14 @@ NotifyAccess=main @@ -34,5 +34,5 @@ index f799f65f0..a6f3030f9 100644 [Install] WantedBy=bluetooth.target -- -2.14.1 +2.21.0 diff --git a/0003-systemd-Add-more-filesystem-lockdown.patch b/0003-systemd-Add-more-filesystem-lockdown.patch index 6d14e2eff52ebd0cb67dc9706f382b72a45edc5e..d3d6dd494f9e606c514764bdfa07cd6cc4695bc7 100644 --- a/0003-systemd-Add-more-filesystem-lockdown.patch +++ b/0003-systemd-Add-more-filesystem-lockdown.patch @@ -1,4 +1,4 @@ -From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001 +From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 13 Sep 2017 15:37:11 +0200 Subject: [PATCH 3/4] systemd: Add more filesystem lockdown 
@@ -6,25 +6,26 @@ Subject: [PATCH 3/4] systemd: Add more filesystem lockdown We can only access the configuration file as read-only and read-write to the Bluetooth cache directory and sub-directories. --- - Makefile.am | 2 ++ + Makefile.am | 3 +++ src/bluetooth.service.in | 4 ++++ - 2 files changed, 6 insertions(+) + 2 files changed, 7 insertions(+) diff --git a/Makefile.am b/Makefile.am -index 1c38d94e5..13ccf9079 100644 +index ac88c12e0..0a6d09847 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \ +@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ - $(SED) -e 's,@libexecdir\@,$(libexecdir),g' \ + $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \ ++ -e 's,@libexecdir\@,$(libexecdir),g' \ + -e 's,@statedir\@,$(statedir),g' \ + -e 's,@confdir\@,$(confdir),g' \ < $< > $@ %.service: %.service.in Makefile diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in -index a6f3030f9..7e55b5043 100644 +index 7c2f60bb4..4daedef2a 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -17,6 +17,10 @@ LimitNPROC=1 @@ -39,5 +40,5 @@ index a6f3030f9..7e55b5043 100644 # Privilege escalation NoNewPrivileges=true -- -2.14.1 +2.21.0 diff --git a/0004-systemd-More-lockdown.patch b/0004-systemd-More-lockdown.patch index 3ad3e14c7ab1995b7b651dc01f4a1ec2511c6dcf..4f9c2187ef6927fdd1fc76cb636e5424df2907a0 100644 --- a/0004-systemd-More-lockdown.patch +++ b/0004-systemd-More-lockdown.patch @@ -1,4 +1,4 @@ -From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001 +From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 13 Sep 2017 15:38:26 +0200 Subject: [PATCH 4/4] systemd: More lockdown @@ -10,7 +10,7 @@ access, so block those. 1 file changed, 6 insertions(+) diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in -index 7e55b5043..e8267b338 100644 +index 4daedef2a..f18801866 100644 
--- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -22,9 +22,15 @@ ProtectControlGroups=true @@ -30,5 +30,5 @@ index 7e55b5043..e8267b338 100644 WantedBy=bluetooth.target Alias=dbus-org.bluez.service -- -2.14.1 +2.21.0 diff --git a/CVE-2020-0556-1.patch b/CVE-2020-0556-1.patch deleted file mode 100644 index 18fb4e9ddb3c59b6767b41c0b7ac465bfa2a0cc2..0000000000000000000000000000000000000000 --- a/CVE-2020-0556-1.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 6e47f991fa00fb069f22fe0ef4779fd85dc0f540 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:16 +0000 -Subject: [PATCH 1/4] HOGP must only accept data from bonded devices. - -HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm ---- - profiles/input/hog.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index 23c9c15..f8a82bc 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) - return -EINVAL; - } - -+ /* HOGP 1.0 Section 6.1 requires bonding */ -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -+ return -ECONNREFUSED; -+ - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); - --- -1.8.3.1 - diff --git a/CVE-2020-0556-2.patch b/CVE-2020-0556-2.patch deleted file mode 100644 index eb70e4fb8eb21d29ee5664cf2b98e7dafaf4ed7c..0000000000000000000000000000000000000000 --- a/CVE-2020-0556-2.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From e16c6d3b62d0d7d5885255cf9cef686a2415330d Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:18 +0000 -Subject: [PATCH 2/4] HID accepts bonded device connections only. - -This change adds a configuration for platforms to choose a more secure -posture for the HID profile. While some older mice are known to not -support pairing or encryption, some platform may choose a more secure -posture by requiring the device to be bonded and require the -connection to be encrypted when bonding is required. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html ---- - profiles/input/device.c | 23 ++++++++++++++++++++++- - profiles/input/device.h | 1 + - profiles/input/input.conf | 8 ++++++++ - profiles/input/manager.c | 13 ++++++++++++- - 4 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/device.c b/profiles/input/device.c -index 8461478..3abd2f5 100644 ---- a/profiles/input/device.c -+++ b/profiles/input/device.c -@@ -91,6 +91,7 @@ struct input_device { - - static int idle_timeout = 0; - static bool uhid_enabled = false; -+static bool classic_bonded_only = false; - - void input_set_idle_timeout(int timeout) - { -@@ -102,6 +103,11 @@ void input_enable_userspace_hid(bool state) - uhid_enabled = state; - } - -+void input_set_classic_bonded_only(bool state) -+{ -+ classic_bonded_only = state; -+} -+ - static void input_device_enter_reconnect_mode(struct input_device *idev); - static int connection_disconnect(struct input_device *idev, uint32_t flags); - -@@ -969,8 +975,18 @@ static int hidp_add_connection(struct input_device *idev) - if (device_name_known(idev->device)) - device_get_name(idev->device, req->name, sizeof(req->name)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) { -+ error("Rejected connection from !bonded device %s", dst_addr); -+ 
goto cleanup; -+ } -+ - /* Encryption is mandatory for keyboards */ -- if (req->subclass & 0x40) { -+ /* Some platforms may choose to require encryption for all devices */ -+ /* Note that this only matters for pre 2.1 devices as otherwise the */ -+ /* device is encrypted by default by the lower layers */ -+ if (classic_bonded_only || req->subclass & 0x40) { - if (!bt_io_set(idev->intr_io, &gerr, - BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, - BT_IO_OPT_INVALID)) { -@@ -1202,6 +1218,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) - DBG("path=%s reconnect_mode=%s", idev->path, - reconnect_mode_to_string(idev->reconnect_mode)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) -+ return; -+ - /* Only attempt an auto-reconnect when the device is required to - * accept reconnections from the host. - */ -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 51a9aee..3044db6 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -29,6 +29,7 @@ struct input_conn; - - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); -+void input_set_classic_bonded_only(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 3e1d65a..166aff4 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -11,3 +11,11 @@ - # Enable HID protocol handling in userspace input profile - # Defaults to false (HIDP handled in HIDP kernel module) - #UserspaceHID=true -+ -+# Limit HID connections to bonded devices -+# The HID Profile does not specify that devices must be bonded, however some -+# platforms may want to make sure that input connections only come from bonded -+# device connections. 
Several older mice have been known for not supporting -+# pairing/encryption. -+# Defaults to false to maximize device compatibility. -+#ClassicBondedOnly=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 1d31b06..5cd27b8 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled; -+ gboolean uhid_enabled, classic_bonded_only; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -114,6 +114,17 @@ static int input_init(void) - input_enable_userspace_hid(uhid_enabled); - } else - g_clear_error(&err); -+ -+ classic_bonded_only = g_key_file_get_boolean(config, "General", -+ "ClassicBondedOnly", &err); -+ -+ if (!err) { -+ DBG("input.conf: ClassicBondedOnly=%s", -+ classic_bonded_only ? "true" : "false"); -+ input_set_classic_bonded_only(classic_bonded_only); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -1.8.3.1 - diff --git a/CVE-2020-0556-3.patch b/CVE-2020-0556-3.patch deleted file mode 100644 index a905045c659178f47adba673a1b8b302fe5048de..0000000000000000000000000000000000000000 --- a/CVE-2020-0556-3.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From dbb346f3606d07005a162e093b616519b337c5f0 Mon Sep 17 00:00:00 2001 -From: Luiz Augusto von Dentz -Date: Tue, 10 Mar 2020 09:59:07 -0700 -Subject: [PATCH 3/4] input: hog: Attempt to set security level if not bonded - -This attempts to set the security if the device is not bonded, the -kernel will block any communication on the ATT socket while bumping -the security and if that fails the device will be disconnected which -is better than having the device dangling around without being able to -communicate with it until it is properly bonded. ---- - profiles/input/hog.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index f8a82bc..e0e9df2 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -49,6 +49,8 @@ - #include "src/shared/util.h" - #include "src/shared/uhid.h" - #include "src/shared/queue.h" -+#include "src/shared/att.h" -+#include "src/shared/gatt-client.h" - #include "src/plugin.h" - - #include "suspend.h" -@@ -187,8 +189,15 @@ static int hog_accept(struct btd_service *service) - } - - /* HOGP 1.0 Section 6.1 requires bonding */ -- if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -- return -ECONNREFUSED; -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) { -+ struct bt_gatt_client *client; -+ -+ client = btd_device_get_gatt_client(device); -+ if (!bt_gatt_client_set_security(client, -+ BT_ATT_SECURITY_MEDIUM)) { -+ return -ECONNREFUSED; -+ } -+ } - - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); --- -1.8.3.1 - diff --git a/CVE-2020-0556-4.patch b/CVE-2020-0556-4.patch deleted file mode 100644 index 7e70a6a1afbad67a5aa2fb7b73489dd875ed6ee4..0000000000000000000000000000000000000000 --- a/CVE-2020-0556-4.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 304843c6f5e4d7a5a588cce7a41b2819324fc1b0 Mon Sep 17 00:00:00 2001 -From: Luiz Augusto von Dentz -Date: Wed, 11 Mar 2020 11:43:21 -0700 -Subject: [PATCH 4/4] input: Add LEAutoSecurity setting to input.conf - -LEAutoSecurity can be used to enable/disable automatic upgrades of -security for LE devices, by default it is enabled so existing devices -that did not require security and were not bonded will automatically -upgrade the security. - -Note: Platforms disabling this setting would require users to manually -bond the device which may require changes to the user interface to -always force bonding for input devices as APIs such as Device.Connect -will no longer work which maybe perceived as a regression. ---- - profiles/input/device.h | 1 + - profiles/input/hog.c | 13 +++++++++++-- - profiles/input/input.conf | 5 +++++ - profiles/input/manager.c | 11 ++++++++++- - 4 files changed, 27 insertions(+), 3 deletions(-) - -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 3044db6..5a077f9 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -30,6 +30,7 @@ struct input_conn; - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); - void input_set_classic_bonded_only(bool state); -+void input_set_auto_sec(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index e0e9df2..4714e1e 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -53,6 +53,7 @@ - #include "src/shared/gatt-client.h" - #include "src/plugin.h" - -+#include "device.h" - #include "suspend.h" - #include "attrib/att.h" - #include "attrib/gattrib.h" -@@ -67,8 +68,14 @@ struct hog_device { - }; - - static gboolean suspend_supported = FALSE; -+static bool auto_sec = true; - static struct queue *devices = NULL; - -+void input_set_auto_sec(bool state) -+{ -+ auto_sec = 
state; -+} -+ - static void hog_device_accept(struct hog_device *dev, struct gatt_db *db) - { - char name[248]; -@@ -192,11 +199,13 @@ static int hog_accept(struct btd_service *service) - if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) { - struct bt_gatt_client *client; - -+ if (!auto_sec) -+ return -ECONNREFUSED; -+ - client = btd_device_get_gatt_client(device); - if (!bt_gatt_client_set_security(client, -- BT_ATT_SECURITY_MEDIUM)) { -+ BT_ATT_SECURITY_MEDIUM)) - return -ECONNREFUSED; -- } - } - - /* TODO: Replace GAttrib with bt_gatt_client */ -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 166aff4..4c70bc5 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -19,3 +19,8 @@ - # pairing/encryption. - # Defaults to false to maximize device compatibility. - #ClassicBondedOnly=true -+ -+# LE upgrade security -+# Enables upgrades of security automatically if required. -+# Defaults to true to maximize device compatibility. -+#LEAutoSecurity=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 5cd27b8..bf4acb4 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled, classic_bonded_only; -+ gboolean uhid_enabled, classic_bonded_only, auto_sec; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -125,6 +125,15 @@ static int input_init(void) - } else - g_clear_error(&err); - -+ auto_sec = g_key_file_get_boolean(config, "General", -+ "LEAutoSecurity", &err); -+ if (!err) { -+ DBG("input.conf: LEAutoSecurity=%s", -+ auto_sec ? "true" : "false"); -+ input_set_auto_sec(auto_sec); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -1.8.3.1 - 
diff --git a/bluez-5.50.tar.xz b/bluez-5.50.tar.xz
deleted file mode 100644
index 4a8ee8d138024179152d2f37ab6cfe8a33571a41..0000000000000000000000000000000000000000
Binary files a/bluez-5.50.tar.xz and /dev/null differ
diff --git a/bluez-5.54.tar.xz b/bluez-5.54.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..2918ea64b5524fb6b35b47353ef632f58521ccd2
Binary files /dev/null and b/bluez-5.54.tar.xz differ
diff --git a/bluez.spec b/bluez.spec
index e1908eefe9062a74cd372c5455fd7801d8eff1c7..e97d0bc895dd41b2be79ba975d019142ffe848b1 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -1,7 +1,7 @@
 Name: bluez
 Summary: Bluetooth utilities
-Version: 5.50
-Release: 8
+Version: 5.54
+Release: 1
 License: GPLv2+
 URL: http://www.bluez.org/
 Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -11,30 +11,25 @@ Source2: 69-btattach-bcm.rules Source3: btattach-bcm@.service Source4: btattach-bcm-service.sh -Patch0001: 0001-build-Enable-BIND_NOW.patch -Patch0003: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch -Patch0004: 0001-build-Always-define-confdir-and-statedir.patch -Patch0005: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch -Patch0006: 0003-systemd-Add-more-filesystem-lockdown.patch -Patch0007: 0004-systemd-More-lockdown.patch -Patch0008: 0001-policy-Add-logic-to-connect-a-Sink.patch -Patch0009: fix-CVE-2018-10910-1.patch -Patch0010: fix-CVE-2018-10910-2.patch - -Patch0011: CVE-2020-0556-1.patch -Patch0012: CVE-2020-0556-2.patch -Patch0013: CVE-2020-0556-3.patch -Patch0014: CVE-2020-0556-4.patch - -BuildRequires: dbus-devel >= 1.6 -BuildRequires: git-core glib2-devel libical-devel readline-devel libell-devel -BuildRequires: json-c-devel systemd-devel cups-devel libtool automake autoconf +Patch0001: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch +Patch0002: 0001-build-Always-define-confdir-and-statedir.patch +Patch0003: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch +Patch0004: 0003-systemd-Add-more-filesystem-lockdown.patch +Patch0005: 0004-systemd-More-lockdown.patch + +BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf +BuildRequires: git-core glib2-devel libical-devel readline-devel +BuildRequires: json-c-devel systemd-devel cups-devel libtool automake Requires: dbus >= 1.6 %{name}-libs = %{version}-%{release} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -Provides: bluez-hid2hci bluez-obexd -Obsoletes: bluez-hid2hci bluez-obexd +Provides: bluez-hid2hci = %{version}-%{release} +Provides: bluez-obexd = %{version}-%{release} +Provides: bluez-mesh = %{version}-%{release} +Obsoletes: bluez-hid2hci < %{version}-%{release} +Obsoletes: bluez-obexd < %{version}-%{release} +Obsoletes: bluez-mesh < %{version}-%{release} %description This package provides all 
utilities for use in Bluetooth applications. @@ -49,18 +44,14 @@ Libraries forbluez. %package devel Summary: Development libraries for Bluetooth applications Requires: %{name}-libs = %{version}-%{release} -Provides: bluez-libs-devel -Obsoletes: bluez-libs-devel +Provides: bluez-libs-devel = %{version}-%{release} +Obsoletes: bluez-libs-devel < %{version}-%{release} %description devel This package provides development libraries and headers for Bluetooth related applications. -%package help -Summary: Help manual for bluetooth application related utilities - -%description help -This package provides help manual function for Bluetooth utilities separately. +%package_help %package cups Summary: CUPS printer backend for Bluetooth printers @@ -78,6 +69,7 @@ libtoolize -f autoreconf -f -i %configure --enable-tools --enable-library --enable-deprecated \ --enable-sixaxis --enable-cups --enable-nfc --enable-mesh \ + --enable-testing \ --with-systemdsystemunitdir=%{_unitdir} \ --with-systemduserunitdir=%{_userunitdir} %make_build V=1 @@ -86,8 +78,7 @@ autoreconf -f -i %make_install install -m0755 attrib/gatttool $RPM_BUILD_ROOT%{_bindir} -# Remove autocrap and libtool related redundant items -find $RPM_BUILD_ROOT -name '*.la' -delete +%delete_la # Remove the cups backend from libdir, and install it in new default CUPS binary directory if test -d ${RPM_BUILD_ROOT}/usr/lib64/cups ; then 
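Review bot: The Patch list in the `@@ -11,30 +11,25 @@` hunk drops `0001-build-Enable-BIND_NOW.patch`, both `fix-CVE-2018-10910-*.patch` files and the four `CVE-2020-0556-*.patch` files, and the only record of that is the changelog line `- update to 5.54`. Nothing on this page shows that the 5.54 tarball carries those changes, so the drop should be justified where a later maintainer will look, for example with changelog lines such as `- drop CVE-2018-10910 and CVE-2020-0556 patches, included in 5.54` and `- drop BIND_NOW patch, <reason>`. For BIND_NOW in particular it is worth confirming on the built `bluetoothd` that `readelf -d` still reports `BIND_NOW`, since that patch changed a linker flag rather than code. The removed CVE-2020-0556-2 patch left `ClassicBondedOnly` defaulting to false and this spec installs no `input.conf`, so if upstream kept that default the stricter HID behaviour remains off in the package.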
@@ -95,13 +86,16 @@ if test -d ${RPM_BUILD_ROOT}/usr/lib64/cups ; then rm -rf ${RPM_BUILD_ROOT}%{_libdir}/cups fi -rm -f ${RPM_BUILD_ROOT}/%{_udevrulesdir}/*.rules -install -D -p -m0644 tools/hid2hci.rules ${RPM_BUILD_ROOT}/%{_udevrulesdir}/97-hid2hci.rules -install -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/lib/bluetooth -install -d $RPM_BUILD_ROOT/%{_libdir}/bluetooth/ +rm -f %{buildroot}/%{_sysconfdir}/udev/*.rules %{buildroot}/usr/lib/udev/rules.d/*.rules +install -D -p -m 0644 tools/hid2hci.rules %{buildroot}/%{_udevrulesdir}/97-hid2hci.rules +install -d -m 0755 %{buildroot}/%{_localstatedir}/lib/bluetooth +install -d -m 0755 %{buildroot}/%{_localstatedir}/lib/bluetooth/mesh +install -d %{buildroot}/%{_libdir}/bluetooth/ # Copy bluetooth config file -install -D -p -m0644 src/main.conf ${RPM_BUILD_ROOT}/etc/bluetooth/main.conf +install -D -p -m0644 src/main.conf %{buildroot}/etc/bluetooth/main.conf +install -D -p -m0644 mesh/mesh-main.conf %{buildroot}/etc/bluetooth/mesh-main.conf + # Setup auto enable sed -i 's/#\[Policy\]$/\[Policy\]/; s/#AutoEnable=false/AutoEnable=true/' ${RPM_BUILD_ROOT}/%{_sysconfdir}/bluetooth/main.conf 
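Review bot: The added `install -d -m 0755 %{buildroot}/%{_localstatedir}/lib/bluetooth/mesh` creates the mesh state directory readable and searchable by every local user, and the rewritten line above it does the same for `/var/lib/bluetooth`. These directories presumably hold pairing and mesh key material written by the daemons (their file modes are not visible here), so unless something outside the hunk tightens them I would create both with `-m 0700`, e.g. `install -d -m 0700 %{buildroot}/%{_localstatedir}/lib/bluetooth/mesh`. The next line, `install -d %{buildroot}/%{_libdir}/bluetooth/`, sets no mode at all and would read better with an explicit `-m 0755`. The two config installs use a literal `/etc/bluetooth/` while the `sed` below uses `%{_sysconfdir}`; using the macro in all three keeps them pointing at the same file. The `%install` section starts and ends outside this hunk.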
@@ -113,63 +107,77 @@ install -D -p -m0755 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/ %check make check +%ldconfig_scriptlets libs + %preun %systemd_preun bluetooth.service %systemd_user_preun obex.service +%systemd_user_preun bluetooth-mesh.service %post %systemd_post bluetooth.service /sbin/udevadm trigger --subsystem-match=usb %systemd_user_post obex.service +%systemd_user_post bluetooth-mesh.service %postun %systemd_postun_with_restart bluetooth.service -%ldconfig_scriptlets libs %files -%{!?_licensedir:%global license %%doc} -%license COPYING +%defattr(-,root,root) %doc AUTHORS ChangeLog -%config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf +%license COPYING %config %{_sysconfdir}/bluetooth/main.conf +%config %{_sysconfdir}/bluetooth/mesh-main.conf +%config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf +%config %{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf %{_bindir}/* +%{_libdir}/bluetooth/ +%{_prefix}/lib/udev/hid2hci +%{_libexecdir}/bluetooth/obexd %{_libexecdir}/bluetooth/bluetoothd +%{_libexecdir}/bluetooth/bluetooth-meshd %{_libexecdir}/bluetooth/btattach-bcm-service.sh -# This is obexd relative file -%{_libexecdir}/bluetooth/obexd -%{_libdir}/bluetooth/ -# This is hid2hci relative file -%{_exec_prefix}/lib/udev/hid2hci %{_localstatedir}/lib/bluetooth -%{_datadir}/dbus-1/system-services/org.bluez.service -# This is obexd relative file -%{_datadir}/dbus-1/services/org.bluez.obex.service %{_unitdir}/bluetooth.service %{_unitdir}/btattach-bcm@.service -%{_udevrulesdir}/69-btattach-bcm.rules -# hid2hci relative files -%{_udevrulesdir}/97-hid2hci.rules -# obexd relative files +%{_unitdir}/bluetooth-mesh.service +%{_datadir}/zsh/site-functions/_bluetoothctl +%{_datadir}/dbus-1/services/org.bluez.obex.service +%{_datadir}/dbus-1/system-services/org.bluez.service +%{_datadir}/dbus-1/system-services/org.bluez.mesh.service %{_userunitdir}/obex.service +%{_udevrulesdir}/97-hid2hci.rules +%{_udevrulesdir}/69-btattach-bcm.rules %files libs 
+%defattr(-,root,root) %{_libdir}/libbluetooth.so.* -%files help -%{_mandir}/man1/* -%{_mandir}/man8/* - %files devel +%defattr(-,root,root) %doc doc/*txt %{_libdir}/libbluetooth.so %{_includedir}/bluetooth %{_libdir}/pkgconfig/bluez.pc %files cups +%defattr(-,root,root) %_cups_serverbin/backend/bluetooth +%files help +%defattr(-,root,root) +%{_mandir}/man1/* +%{_mandir}/man8/* + %changelog +* Wed Jul 22 2020 wangye - 5.54-1 +- update to 5.54 + +* Wed May 20 2020 songnannan - 5.50-9 +- delete the check temporarily + * Wed Apr 22 2020 openEuler Buildteam - 5.50-8 - Type:cves - ID:CVE-2020-0556 diff --git a/bluez.yaml b/bluez.yaml new file mode 100644 index 0000000000000000000000000000000000000000..78b9a75f25440df52f9760fe9e65953192c40e09 --- /dev/null +++ b/bluez.yaml @@ -0,0 +1,5 @@ +git_url: https://git.kernel.org/pub/scm/bluetooth/bluez.git +version_control: git +src_repo: https://git.kernel.org/pub/scm/bluetooth/bluez.git +tag_prefix: "^" +seperator: "." \ No newline at end of file diff --git a/fix-CVE-2018-10910-1.patch b/fix-CVE-2018-10910-1.patch deleted file mode 100644 index dc747764637e810380b40b29d08eafc81a210422..0000000000000000000000000000000000000000 --- a/fix-CVE-2018-10910-1.patch +++ /dev/null 
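Review bot: The scriptlets added in the `@@ -113,63 +107,77 @@` hunk of bluez.spec, `%systemd_user_preun bluetooth-mesh.service` and `%systemd_user_post bluetooth-mesh.service`, are the user-unit macros, but the same hunk packages the unit as `%{_unitdir}/bluetooth-mesh.service`, which is a system unit. As written the system unit gets no preset handling, is not stopped on removal, and `%postun` restarts only `bluetooth.service`, so an upgraded `bluetooth-meshd` keeps running the old binary until someone restarts it by hand. I would use `%systemd_preun bluetooth-mesh.service` and `%systemd_post bluetooth-mesh.service`, and add `%systemd_postun_with_restart bluetooth-mesh.service` under `%postun`. Separately, the new `%config %{_sysconfdir}/bluetooth/mesh-main.conf` entry has no `(noreplace)`, so a local edit to that file is replaced on upgrade; `%config(noreplace)` avoids that.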
@@ -1,136 +0,0 @@
-From linux-bluetooth Fri Jul 27 13:02:17 2018
-From: Luiz Augusto von Dentz
-Date: Fri, 27 Jul 2018 13:02:17 +0000
-To: linux-bluetooth
-Subject: [PATCH BlueZ 1/2] core: Add AlwaysPairable to main.conf
-Message-Id: <20180727130218.16975-1-luiz.dentz () gmail ! com>
-X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=153269654418730
-
-From: Luiz Augusto von Dentz
-
-This adds a new option called AlwaysPairable to main.conf, it can be
-used to enable Adapter.Pairable even in case there is no Agent
-available.
-
-Since that could be consider a security problem to allow pairing
-without user's consent the option defaults to false.
----
- src/adapter.c | 16 +++++++++++++++-
- src/agent.h | 7 +++++++
- src/hcid.h | 1 +
- src/main.c | 11 +++++++++++
- src/main.conf | 5 +++++
- 5 files changed, 39 insertions(+), 1 deletion(-)
-
-diff --git a/src/adapter.c b/src/adapter.c
-index af340fd..720621f 100644
---- a/src/adapter.c
-+++ b/src/adapter.c
-@@ -7754,6 +7754,19 @@ int adapter_set_io_capability(struct btd_adapter *adapter, uint8_t io_cap)
- {
- struct mgmt_cp_set_io_capability cp;
-
-+ if (!main_opts.pairable) {
-+ if (io_cap == IO_CAPABILITY_INVALID) {
-+ if (adapter->current_settings & MGMT_SETTING_BONDABLE)
-+ set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x00);
-+
-+ return 0;
-+ }
-+
-+ if (!(adapter->current_settings & MGMT_SETTING_BONDABLE))
-+ set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01);
-+ } else if (io_cap == IO_CAPABILITY_INVALID)
-+ io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT;
-+
- memset(&cp, 0, sizeof(cp));
- cp.io_capability = io_cap;
-
-@@ -8682,7 +8695,8 @@ static void read_info_complete(uint8_t status, uint16_t length,
-
- set_name(adapter, btd_adapter_get_name(adapter));
-
-- if (!(adapter->current_settings & MGMT_SETTING_BONDABLE))
-+ if (main_opts.pairable &&
-+ !(adapter->current_settings & MGMT_SETTING_BONDABLE))
- set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01);
-
- if (!kernel_conn_control)
-diff --git a/src/agent.h b/src/agent.h
-index 1e46920..088c258 100644
---- a/src/agent.h
-+++ b/src/agent.h
-@@ -22,6 +22,13 @@
- *
- */
-
-+#define IO_CAPABILITY_DISPLAYONLY 0x00
-+#define IO_CAPABILITY_DISPLAYYESNO 0x01
-+#define IO_CAPABILITY_KEYBOARDONLY 0x02
-+#define IO_CAPABILITY_NOINPUTNOOUTPUT 0x03
-+#define IO_CAPABILITY_KEYBOARDDISPLAY 0x04
-+#define IO_CAPABILITY_INVALID 0xFF
-+
- struct agent;
-
- typedef void (*agent_cb) (struct agent *agent, DBusError *err,
-diff --git a/src/hcid.h b/src/hcid.h
-index 2c2b89d..ba25057 100644
---- a/src/hcid.h
-+++ b/src/hcid.h
-@@ -38,6 +38,7 @@ typedef enum {
- struct main_opts {
- char *name;
- uint32_t class;
-+ gboolean pairable;
- uint32_t pairto;
- uint32_t discovto;
- uint8_t privacy;
-diff --git a/src/main.c b/src/main.c
-index 7e6af42..e32df14 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -81,6 +81,7 @@ static const char *supported_options[] = {
- "Name",
- "Class",
- "DiscoverableTimeout",
-+ "AlwaysPairable",
- "PairableTimeout",
- "DeviceID",
- "ReverseServiceDiscovery",
-@@ -287,6 +288,16 @@ static void parse_config(GKeyFile *config)
- main_opts.discovto = val;
- }
-
-+ boolean = g_key_file_get_boolean(config, "General",
-+ "AlwaysPairable", &err);
-+ if (err) {
-+ DBG("%s", err->message);
-+ g_clear_error(&err);
-+ } else {
-+ DBG("pairable=%s", boolean ? "true" : "false");
-+ main_opts.pairable = boolean;
-+ }
-+
- val = g_key_file_get_integer(config, "General",
- "PairableTimeout", &err);
- if (err) {
-diff --git a/src/main.conf b/src/main.conf
-index cbae32e..0d480d1 100644
---- a/src/main.conf
-+++ b/src/main.conf
-@@ -13,6 +13,11 @@
- # 0 = disable timer, i.e. stay discoverable forever
- #DiscoverableTimeout = 0
-
-+# Always allow pairing even if there are no agent registered
-+# Possible values: true, false
-+# Default: false
-+#AlwaysPairable = false
-+
- # How long to stay in pairable mode before going back to non-discoverable
- # The value is in seconds. Default is 0.
- # 0 = disable timer, i.e. stay pairable forever
---
-1.8.3.1
-
diff --git a/fix-CVE-2018-10910-2.patch b/fix-CVE-2018-10910-2.patch
deleted file mode 100644
index e575fa4844c1d6488dff94a44e72cdf7a29dfb68..0000000000000000000000000000000000000000
--- a/fix-CVE-2018-10910-2.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From linux-bluetooth Fri Jul 27 13:02:18 2018
-From: Luiz Augusto von Dentz
-Date: Fri, 27 Jul 2018 13:02:18 +0000
-To: linux-bluetooth
-Subject: [PATCH BlueZ 2/2] agent: Make the first agent to register the default
-Message-Id: <20180727130218.16975-2-luiz.dentz () gmail ! com>
-X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=153269654618731
-
-From: Luiz Augusto von Dentz
-
-This simplifies the handling of default agent and enforce the IO
-capabilities to be set whenever there is an agent available in the
-system.
----
- src/agent.c | 14 ++++++--------
- 1 file changed, 6 insertions(+), 8 deletions(-)
-
-diff --git a/src/agent.c b/src/agent.c
-index ff44d57..183e2f1 100644
---- a/src/agent.c
-+++ b/src/agent.c
-@@ -50,13 +50,6 @@
- #include "agent.h"
- #include "shared/queue.h"
-
--#define IO_CAPABILITY_DISPLAYONLY 0x00
--#define IO_CAPABILITY_DISPLAYYESNO 0x01
--#define IO_CAPABILITY_KEYBOARDONLY 0x02
--#define IO_CAPABILITY_NOINPUTNOOUTPUT 0x03
--#define IO_CAPABILITY_KEYBOARDDISPLAY 0x04
--#define IO_CAPABILITY_INVALID 0xFF
--
- #define REQUEST_TIMEOUT (60 * 1000) /* 60 seconds */
- #define AGENT_INTERFACE "org.bluez.Agent1"
-
-@@ -150,7 +143,7 @@ static void set_io_cap(struct btd_adapter *adapter, gpointer user_data)
- if (agent)
- io_cap = agent->capability;
- else
-- io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT;
-+ io_cap = IO_CAPABILITY_INVALID;
-
- adapter_set_io_capability(adapter, io_cap);
- }
-@@ -294,6 +287,11 @@ static struct agent *agent_create( const char *name, const char *path,
- name, agent_disconnect,
- agent, NULL);
-
-+ if (queue_isempty(default_agents))
-+ add_default_agent(agent);
-+ else
-+ queue_push_tail(default_agents, agent);
-+
- return agent_ref(agent);
- }
-
---
-1.8.3.1
-