Re: bluez / CVE-2020-0556
Hi Brian
When looking at this with actually having the patch at hand and not
answering from memory I realize that the reason why I thought that
hog.c would not be affected was that there was no accept function in
the Jessie version. Now when looking at your proposed patch I can see
that connected is probably a similar thing. From that I think your
patch would work quite well.
But I'm not a bluetooth expert so please judge without too much
thinking on what I think. What I can say is that it looks reasonable.
Best regards
// Ola
On Tue, 12 May 2020 at 00:01, Brian May <bam@debian.org> wrote:
>
> Brian May <brian@linuxpenguins.xyz> writes:
>
> > Looking at commit
> > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e,
> > it looks like maybe we should be patching the attio_connected_cb()
> > function instead. But this function doesn't appear to have any way to
> > return an error indicating it failed, which seems to be required by the
> > patch. It might be sufficient just to ignore the error and return
> > immediately if the device is not bonded. Not sure how much I can
> > trust this however.
> >
> > My gut feeling is that to fix this we should backport version 5.43-2+deb9u2 from
> > stretch to Jessie. Yes, this might break stuff, but I suspect just the
> > very basic idea of this security fix - rejecting unbonded connections -
> > could break stuff also.
>
> Thinking this through some more, I struggle to get bluetooth working
> correctly on the latest Debian, let alone testing an older release. I am
> not sure if this is due to hardware or software issues. Not to mention
> the fact I don't have a lot of bluetooth HID devices to test. I am sure
> I had a bluetooth keyboard somewhere...
>
> Is anybody here in a better position than I am to test this? If not,
> this might be another reason to backport the Stretch version...
>
> Regardless, I suspect something like the following patch might be a good
> starting point. Although I am not entirely convinced you can reject a
> connection from the attio_connected_cb function like this...
>
> === cut ====
> diff --git a/profiles/input/hog.c b/profiles/input/hog.c
> index b9aba657a..971fda822 100644
> --- a/profiles/input/hog.c
> +++ b/profiles/input/hog.c
> @@ -654,6 +654,11 @@ static void attio_connected_cb(GAttrib *attrib, gpointer user_data)
>
> DBG("HoG connected");
>
> + /* HOGP 1.0 Section 6.1 requires bonding */
> + if (!device_is_bonded(hogdev, btd_device_get_bdaddr_type(hogdev)))
> + DBG("HoG not bonded");
> + return;
> +
> hogdev->attrib = g_attrib_ref(attrib);
>
> if (hogdev->reports == NULL) {
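Review bot: the `if` in this hunk has no braces, so only `DBG("HoG not bonded");` is conditional and the `return;` that follows it runs unconditionally; as written, attio_connected_cb() would bail out for every device, bonded or not, and never reach `hogdev->attrib = g_attrib_ref(attrib);`. Wrap both statements in a block: `if (!device_is_bonded(hogdev, btd_device_get_bdaddr_type(hogdev))) { DBG("HoG not bonded"); return; }`. Separately, the surrounding lines access `hogdev->attrib` and `hogdev->reports` directly, which suggests `hogdev` is the profile's own device struct rather than the `struct btd_device *` that device_is_bonded() and btd_device_get_bdaddr_type() take; if so, pass its btd_device member instead, or the call will not compile or will check the wrong object.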
> === cut ====
> --
> Brian May <bam@debian.org>
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------