Re: bluez / CVE-2020-0556

To: Brian May <brian@linuxpenguins.xyz>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: bluez / CVE-2020-0556
From: Ola Lundqvist <ola@inguza.com>
Date: Mon, 11 May 2020 14:25:11 +0200
Message-id: <[🔎] CABY6=0kt7xF8fmP4qT7BBwzbR4dBE0eP1ymzvGSoX32NGmfmjw@mail.gmail.com>
In-reply-to: <[🔎] 871rnrcv83.fsf@silverfish.pri>
References: <[🔎] 871rnrcv83.fsf@silverfish.pri>

Hi

I based my conclusion on the fact that hog.c does not seem to have the
concept of bonded at all.
This is what I mean with "does not seem to need". But I'm new to this
code so I could very well be wrong.

I hope this helps.

// Ola

On Sun, 10 May 2020 at 23:54, Brian May <brian@linuxpenguins.xyz> wrote:
>
> I am a bit puzzled by the following comment from dla-needed.txtfor bluez:
>
>   NOTE: 20200503: Looking at the four patches included in the stretch update it looks like it
>   NOTE: 20200503: can be applied as is. What will fail is hog.c but that file do not seem to
>   NOTE: 20200503: need an update. (Ola)
>
> As far as i can tell, the first commit fixes the security flaw, and the
> only file it touches in hog.c. If true that hog.c does not need an
> update, does this means the package is not vulnerable? I suspect not.
>
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
> - fix vulnerability.
>
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
> - make security posture configurable to support newer devices.
>
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e
> - fix potential regressions.
>
> The patch patches the hog_accept function, which is a callback set as
> part of the hog_profile:
>
> static struct btd_profile hog_profile = {
>         .name           = "input-hog",
>         .remote_uuid    = HOG_UUID,
>         .device_probe   = hog_probe,
>         .device_remove  = hog_remove,
>         .accept         = hog_accept,
>         .disconnect     = hog_disconnect,
>         .auto_connect   = true,
> };
>
> Unfortunately the version in Jessie doesn't even have an accept entry:
>
> static struct btd_profile hog_profile = {
>         .name           = "input-hog",
>         .remote_uuid    = HOG_UUID,
>         .device_probe   = hog_probe,
>         .device_remove  = hog_remove,
> };
>
> Looking at commit
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e,
> it looks like maybe we should be patching the attio_connected_cb()
> function instead. But this function doesn't appear to have any way to
> return an error indicating it failed, which seems to be required by the
> patch. It might be sufficient just to ignore the error and return
> without immediately if device is not bonded. Not sure how much I can
> trust this however.
>
> My gut feeling to fix this we should backport version 5.43-2+deb9u2 from
> stretch to Jessie. Yes, this might break stuff, but I suspect just the
> very basic idea of this security fix - rejecting unbonded connections -
> could break stuff also.
> --
> Brian May <brian@linuxpenguins.xyz>
> https://linuxpenguins.xyz/brian/
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: bluez / CVE-2020-0556
  - From: Brian May <bam@debian.org>

References:
- bluez / CVE-2020-0556
  - From: Brian May <brian@linuxpenguins.xyz>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Next by Date: Re: Triage of CVE-2020-9489/tika
Previous by thread: bluez / CVE-2020-0556
Next by thread: Re: bluez / CVE-2020-0556
Index(es):
- Date
- Thread