Re: bluez / CVE-2020-0556
Brian May <brian@linuxpenguins.xyz> writes:
> Looking at commit
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e,
> it looks like maybe we should be patching the attio_connected_cb()
> function instead. But this function doesn't appear to have any way to
> return an error indicating it failed, which seems to be required by the
> patch. It might be sufficient just to ignore the error and return
> without immediately if device is not bonded. Not sure how much I can
> trust this however.
>
> My gut feeling to fix this we should backport version 5.43-2+deb9u2 from
> stretch to Jessie. Yes, this might break stuff, but I suspect just the
> very basic idea of this security fix - rejecting unbonded connections -
> could break stuff also.
Thinking this through some more, I struggle to get bluetooth working
correctly on the latest Debian, let alone testing an older release. I am
not sure if this is due to hardware or software issues. Not to mention
the fact I don't have a lot of bluetooth HID devices to test. I am sure
I had a bluetooth keyboard somewhere...
Is anybody here in a better position then I am to test this? If not,
this might be another reason to backport the Stretch version...
Regardless, I suspect something like the following patch might be a good
starting point. Although I am not entirely convinced you can reject a
connection from the attio_connected_cb function like this...
=== cut ====
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index b9aba657a..971fda822 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -654,6 +654,11 @@ static void attio_connected_cb(GAttrib *attrib, gpointer user_data)
DBG("HoG connected");
+ /* HOGP 1.0 Section 6.1 requires bonding */
+ if (!device_is_bonded(hogdev, btd_device_get_bdaddr_type(hogdev)))
+ DBG("HoG not bonded");
+ return;
+
hogdev->attrib = g_attrib_ref(attrib);
if (hogdev->reports == NULL) {
=== cut ====
--
Brian May <bam@debian.org>
Reply to: