From f4def93aef09b1d94ff90ea44ad16477518b99d9 Mon Sep 17 00:00:00 2001
From: Vchanger
Date: Wed, 18 Mar 2020 16:18:47 +0800
Subject: [PATCH] fix CVE-2018-10910

---
 bluez.spec | 11 ++-
 fix-CVE-2018-10910-1.patch | 136 +++++++++++++++++++++++++++++++++++++
 fix-CVE-2018-10910-2.patch | 59 ++++++++++++++++
 3 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 fix-CVE-2018-10910-1.patch
 create mode 100644 fix-CVE-2018-10910-2.patch

diff --git a/bluez.spec b/bluez.spec
index 5ddce5f..ad6cb92 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -1,7 +1,7 @@
 Name: bluez
 Summary: Bluetooth utilities
 Version: 5.50
-Release: 6
+Release: 7
 License: GPLv2+
 URL: http://www.bluez.org/
 Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -18,6 +18,9 @@ Patch0005: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
 Patch0006: 0003-systemd-Add-more-filesystem-lockdown.patch
 Patch0007: 0004-systemd-More-lockdown.patch
 Patch0008: 0001-policy-Add-logic-to-connect-a-Sink.patch
+Patch0009: fix-CVE-2018-10910-1.patch
+Patch0010: fix-CVE-2018-10910-2.patch
+
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: git-core glib2-devel libical-devel readline-devel libell-devel
 BuildRequires: json-c-devel systemd-devel cups-devel libtool automake autoconf
@@ -162,6 +165,12 @@ make check
 %_cups_serverbin/backend/bluetooth
 
 %changelog
+* Wed Mar 18 2020 chenzhen - 5.50-7
+- Type:cves
+- ID:CVE-2018-10910
+- SUG:NA
+- DESC:fix CVE-2018-10910
+
 * Mon Feb 17 2020 hexiujun - 5.50-6
 - Type:enhancement
 - ID:NA
diff --git a/fix-CVE-2018-10910-1.patch b/fix-CVE-2018-10910-1.patch
new file mode 100644
index 0000000..dc74776
--- /dev/null
+++ b/fix-CVE-2018-10910-1.patch
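Review bot: The new `Patch0009`/`Patch0010` declarations only reach the build if %prep applies them, and %prep is outside these hunks; if it uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, matching `%patch9 -p1` and `%patch10 -p1` entries are needed, otherwise 5.50-7 ships with the CVE-2018-10910 changelog entry but without the fix. The two patches are order-dependent (the second relies on the sentinel handling the first adds), so their numbering should stay as listed here. Worth confirming the %prep section in the same commit.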
@@ -0,0 +1,136 @@
+From linux-bluetooth Fri Jul 27 13:02:17 2018
+From: Luiz Augusto von Dentz
+Date: Fri, 27 Jul 2018 13:02:17 +0000
+To: linux-bluetooth
+Subject: [PATCH BlueZ 1/2] core: Add AlwaysPairable to main.conf
+Message-Id: <20180727130218.16975-1-luiz.dentz () gmail ! com>
+X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=153269654418730
+
+From: Luiz Augusto von Dentz
+
+This adds a new option called AlwaysPairable to main.conf, it can be
+used to enable Adapter.Pairable even in case there is no Agent
+available.
+
+Since that could be consider a security problem to allow pairing
+without user's consent the option defaults to false.
+---
+ src/adapter.c | 16 +++++++++++++++-
+ src/agent.h | 7 +++++++
+ src/hcid.h | 1 +
+ src/main.c | 11 +++++++++++
+ src/main.conf | 5 +++++
+ 5 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index af340fd..720621f 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -7754,6 +7754,19 @@ int adapter_set_io_capability(struct btd_adapter *adapter, uint8_t io_cap)
+ {
+ struct mgmt_cp_set_io_capability cp;
+ 
++ if (!main_opts.pairable) {
++ if (io_cap == IO_CAPABILITY_INVALID) {
++ if (adapter->current_settings & MGMT_SETTING_BONDABLE)
++ set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x00);
++
++ return 0;
++ }
++
++ if (!(adapter->current_settings & MGMT_SETTING_BONDABLE))
++ set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01);
++ } else if (io_cap == IO_CAPABILITY_INVALID)
++ io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT;
++
+ memset(&cp, 0, sizeof(cp));
+ cp.io_capability = io_cap;
+ 
+@@ -8682,7 +8695,8 @@ static void read_info_complete(uint8_t status, uint16_t length,
+ 
+ set_name(adapter, btd_adapter_get_name(adapter));
+ 
+- if (!(adapter->current_settings & MGMT_SETTING_BONDABLE))
++ if (main_opts.pairable &&
++ !(adapter->current_settings & MGMT_SETTING_BONDABLE))
+ set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01);
+ 
+ if (!kernel_conn_control)
+diff --git a/src/agent.h b/src/agent.h
+index 1e46920..088c258 100644
+--- a/src/agent.h
++++ b/src/agent.h
+@@ -22,6 +22,13 @@
+ *
+ */
+ 
++#define IO_CAPABILITY_DISPLAYONLY 0x00
++#define IO_CAPABILITY_DISPLAYYESNO 0x01
++#define IO_CAPABILITY_KEYBOARDONLY 0x02
++#define IO_CAPABILITY_NOINPUTNOOUTPUT 0x03
++#define IO_CAPABILITY_KEYBOARDDISPLAY 0x04
++#define IO_CAPABILITY_INVALID 0xFF
++
+ struct agent;
+ 
+ typedef void (*agent_cb) (struct agent *agent, DBusError *err,
+diff --git a/src/hcid.h b/src/hcid.h
+index 2c2b89d..ba25057 100644
+--- a/src/hcid.h
++++ b/src/hcid.h
+@@ -38,6 +38,7 @@ typedef enum {
+ struct main_opts {
+ char *name;
+ uint32_t class;
++ gboolean pairable;
+ uint32_t pairto;
+ uint32_t discovto;
+ uint8_t privacy;
+diff --git a/src/main.c b/src/main.c
+index 7e6af42..e32df14 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -81,6 +81,7 @@ static const char *supported_options[] = {
+ "Name",
+ "Class",
+ "DiscoverableTimeout",
++ "AlwaysPairable",
+ "PairableTimeout",
+ "DeviceID",
+ "ReverseServiceDiscovery",
+@@ -287,6 +288,16 @@ static void parse_config(GKeyFile *config)
+ main_opts.discovto = val;
+ }
+ 
++ boolean = g_key_file_get_boolean(config, "General",
++ "AlwaysPairable", &err);
++ if (err) {
++ DBG("%s", err->message);
++ g_clear_error(&err);
++ } else {
++ DBG("pairable=%s", boolean ? "true" : "false");
++ main_opts.pairable = boolean;
++ }
++
+ val = g_key_file_get_integer(config, "General",
+ "PairableTimeout", &err);
+ if (err) {
+diff --git a/src/main.conf b/src/main.conf
+index cbae32e..0d480d1 100644
+--- a/src/main.conf
++++ b/src/main.conf
+@@ -13,6 +13,11 @@
+ # 0 = disable timer, i.e. stay discoverable forever
+ #DiscoverableTimeout = 0
+ 
++# Always allow pairing even if there are no agent registered
++# Possible values: true, false
++# Default: false
++#AlwaysPairable = false
++
+ # How long to stay in pairable mode before going back to non-discoverable
+ # The value is in seconds. Default is 0.
+ # 0 = disable timer, i.e. stay pairable forever
+-- 
+1.8.3.1
+
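Review bot: In `adapter_set_io_capability` both new `set_mode(adapter, MGMT_OP_SET_BONDABLE, …)` calls discard their result and the no-agent branch then does `return 0;` unconditionally, so if clearing bondable fails the adapter stays pairable with no agent — the state this patch exists to prevent — while the caller is told it succeeded. set_mode's return type is not visible in this hunk; if it reports failure, that result should be propagated in the function's error convention instead of the fixed `return 0;`. The early return also skips the MGMT_OP_SET_IO_CAPABILITY command, so the kernel keeps whatever capability was set last; a comment such as `/* No agent and AlwaysPairable unset: drop bondable instead of falling back to NoInputNoOutput (Just Works) */` would record that this is deliberate. The "secure by default" claim relies on `main_opts.pairable` being zero before parse_config runs (init_defaults or static zero-initialisation), which is outside this hunk and worth confirming, and the main.conf text "there are no agent registered" reads better as "there is no agent registered".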
diff --git a/fix-CVE-2018-10910-2.patch b/fix-CVE-2018-10910-2.patch
new file mode 100644
index 0000000..e575fa4
--- /dev/null
+++ b/fix-CVE-2018-10910-2.patch
@@ -0,0 +1,59 @@
+From linux-bluetooth Fri Jul 27 13:02:18 2018
+From: Luiz Augusto von Dentz
+Date: Fri, 27 Jul 2018 13:02:18 +0000
+To: linux-bluetooth
+Subject: [PATCH BlueZ 2/2] agent: Make the first agent to register the default
+Message-Id: <20180727130218.16975-2-luiz.dentz () gmail ! com>
+X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=153269654618731
+
+From: Luiz Augusto von Dentz
+
+This simplifies the handling of default agent and enforce the IO
+capabilities to be set whenever there is an agent available in the
+system.
+---
+ src/agent.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/src/agent.c b/src/agent.c
+index ff44d57..183e2f1 100644
+--- a/src/agent.c
++++ b/src/agent.c
+@@ -50,13 +50,6 @@
+ #include "agent.h"
+ #include "shared/queue.h"
+ 
+-#define IO_CAPABILITY_DISPLAYONLY 0x00
+-#define IO_CAPABILITY_DISPLAYYESNO 0x01
+-#define IO_CAPABILITY_KEYBOARDONLY 0x02
+-#define IO_CAPABILITY_NOINPUTNOOUTPUT 0x03
+-#define IO_CAPABILITY_KEYBOARDDISPLAY 0x04
+-#define IO_CAPABILITY_INVALID 0xFF
+-
+ #define REQUEST_TIMEOUT (60 * 1000) /* 60 seconds */
+ #define AGENT_INTERFACE "org.bluez.Agent1"
+ 
+@@ -150,7 +143,7 @@ static void set_io_cap(struct btd_adapter *adapter, gpointer user_data)
+ if (agent)
+ io_cap = agent->capability;
+ else
+- io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT;
++ io_cap = IO_CAPABILITY_INVALID;
+ 
+ adapter_set_io_capability(adapter, io_cap);
+ }
+@@ -294,6 +287,11 @@ static struct agent *agent_create( const char *name, const char *path,
+ name, agent_disconnect,
+ agent, NULL);
+ 
++ if (queue_isempty(default_agents))
++ add_default_agent(agent);
++ else
++ queue_push_tail(default_agents, agent);
++
+ return agent_ref(agent);
+ }
+ 
+-- 
+1.8.3.1
+
-- Gitee
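Review bot: `set_io_cap` now passes the 0xFF sentinel `IO_CAPABILITY_INVALID` to `adapter_set_io_capability`, and nothing in this file says that the sentinel must never reach the kernel; only the first patch's check in the adapter intercepts it, so applying this patch alone would copy 0xFF into `cp.io_capability`. A comment on the `else` branch would make that contract explicit: `/* No agent: IO_CAPABILITY_INVALID asks the adapter to drop bondable unless AlwaysPairable is set */`. In `agent_create` the agent is now inserted into `default_agents` at creation time, so whatever path frees an agent (agent_unregister/agent_free, outside this hunk) must also remove it from that queue, or the queue keeps a dangling pointer; `add_default_agent` is not visible here either, so it is presumably responsible for the push in the empty-queue case and that is worth confirming.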