Control: tags 953770 + patch Control: tags 953770 + pending
Dear maintainer, I've prepared an NMU for bluez (versioned as 5.50-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. I decided to not explicitly change the default set for the new configuration option (ClassicBondedOnly) which defaults to false in the patchset, and which actually allows to make sure that input connections come from bonded device connectsion. Not sure if we should actually change this, CC'ing the security team alias for further comments. Regards, Salvatore
diff -Nru bluez-5.50/debian/changelog bluez-5.50/debian/changelog --- bluez-5.50/debian/changelog 2018-07-29 04:46:24.000000000 +0200 +++ bluez-5.50/debian/changelog 2020-03-13 21:31:22.000000000 +0100 @@ -1,3 +1,12 @@ +bluez (5.50-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Address INTEL-SA-00352 (CVE-2020-0556) (Closes: #953770) + - HOGP must only accept data from bonded devices + - HID accepts bonded device connections only + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 13 Mar 2020 21:31:22 +0100 + bluez (5.50-1) unstable; urgency=medium * Update to 5.50. diff -Nru bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch --- bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch 1970-01-01 01:00:00.000000000 +0100 +++ bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch 2020-03-13 21:31:22.000000000 +0100 @@ -0,0 +1,140 @@ +From: Alain Michaud <ala...@chromium.org> +Date: Tue, 10 Mar 2020 02:35:18 +0000 +Subject: HID accepts bonded device connections only. +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 +Bug-Debian: https://bugs.debian.org/953770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556 + +This change adds a configuration for platforms to choose a more secure +posture for the HID profile. While some older mice are known to not +support pairing or encryption, some platform may choose a more secure +posture by requiring the device to be bonded and require the +connection to be encrypted when bonding is required. + +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +--- + profiles/input/device.c | 23 ++++++++++++++++++++++- + profiles/input/device.h | 1 + + profiles/input/input.conf | 8 ++++++++ + profiles/input/manager.c | 13 ++++++++++++- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 2cb3811c8d46..d89da2d7ccac 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -92,6 +92,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; ++static bool classic_bonded_only = false; + + void input_set_idle_timeout(int timeout) + { +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) + uhid_enabled = state; + } + ++void input_set_classic_bonded_only(bool state) ++{ ++ classic_bonded_only = state; ++} ++ + static void input_device_enter_reconnect_mode(struct input_device *idev); + static int connection_disconnect(struct input_device *idev, uint32_t flags); + +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) + if (device_name_known(idev->device)) + device_get_name(idev->device, req->name, sizeof(req->name)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) { ++ error("Rejected connection from !bonded device %s", dst_addr); ++ goto cleanup; ++ } ++ + /* Encryption is mandatory for keyboards */ +- if (req->subclass & 0x40) { ++ /* Some platforms may choose to require encryption for all devices */ ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ ++ /* device is encrypted by default by the lower layers */ ++ if (classic_bonded_only || req->subclass & 0x40) { + if (!bt_io_set(idev->intr_io, &gerr, + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, + BT_IO_OPT_INVALID)) { +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) + DBG("path=%s reconnect_mode=%s", idev->path, + reconnect_mode_to_string(idev->reconnect_mode)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) ++ return; ++ + /* Only attempt an auto-reconnect when the device is required to + * accept reconnections from the host. + */ +diff --git a/profiles/input/device.h b/profiles/input/device.h +index 51a9aee181ab..3044db67332c 100644 +--- a/profiles/input/device.h ++++ b/profiles/input/device.h +@@ -29,6 +29,7 @@ struct input_conn; + + void input_set_idle_timeout(int timeout); + void input_enable_userspace_hid(bool state); ++void input_set_classic_bonded_only(bool state); + + int input_device_register(struct btd_service *service); + void input_device_unregister(struct btd_service *service); +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 3e1d65aaefee..166aff4a43b2 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -11,3 +11,11 @@ + # Enable HID protocol handling in userspace input profile + # Defaults to false (HIDP handled in HIDP kernel module) + #UserspaceHID=true ++ ++# Limit HID connections to bonded devices ++# The HID Profile does not specify that devices must be bonded, however some ++# platforms may want to make sure that input connections only come from bonded ++# device connections. Several older mice have been known for not supporting ++# pairing/encryption. ++# Defaults to false to maximize device compatibility. ++#ClassicBondedOnly=true +diff --git a/profiles/input/manager.c b/profiles/input/manager.c +index 1d31b065298e..5cd27b8396b8 100644 +--- a/profiles/input/manager.c ++++ b/profiles/input/manager.c +@@ -96,7 +96,7 @@ static int input_init(void) + config = load_config_file(CONFIGDIR "/input.conf"); + if (config) { + int idle_timeout; +- gboolean uhid_enabled; ++ gboolean uhid_enabled, classic_bonded_only; + + idle_timeout = g_key_file_get_integer(config, "General", + "IdleTimeout", &err); +@@ -114,6 +114,17 @@ static int input_init(void) + input_enable_userspace_hid(uhid_enabled); + } else + g_clear_error(&err); ++ ++ classic_bonded_only = g_key_file_get_boolean(config, "General", ++ "ClassicBondedOnly", &err); ++ ++ if (!err) { ++ DBG("input.conf: ClassicBondedOnly=%s", ++ classic_bonded_only ? "true" : "false"); ++ input_set_classic_bonded_only(classic_bonded_only); ++ } else ++ g_clear_error(&err); ++ + } + + btd_profile_register(&input_profile); +-- +2.25.1 + diff -Nru bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch --- bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch 1970-01-01 01:00:00.000000000 +0100 +++ bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch 2020-03-13 21:31:22.000000000 +0100 @@ -0,0 +1,33 @@ +From: Alain Michaud <ala...@chromium.org> +Date: Tue, 10 Mar 2020 02:35:16 +0000 +Subject: HOGP must only accept data from bonded devices. +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 +Bug-Debian: https://bugs.debian.org/953770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556 + +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. + +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm +--- + profiles/input/hog.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index 83c017dcb717..dfac689219a0 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) + return -EINVAL; + } + ++ /* HOGP 1.0 Section 6.1 requires bonding */ ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) ++ return -ECONNREFUSED; ++ + /* TODO: Replace GAttrib with bt_gatt_client */ + bt_hog_attach(dev->hog, attrib); + +-- +2.25.1 + diff -Nru bluez-5.50/debian/patches/series bluez-5.50/debian/patches/series --- bluez-5.50/debian/patches/series 2018-07-29 04:46:24.000000000 +0200 +++ bluez-5.50/debian/patches/series 2020-03-13 21:31:22.000000000 +0100 @@ -9,3 +9,5 @@ Fix-typo.patch shared-gatt-client-Fix-segfault-after-PIN-entry.patch main.conf-Add-more-details-Closes-904212.patch +HOGP-must-only-accept-data-from-bonded-devices.patch +HID-accepts-bonded-device-connections-only.patch
