summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVincent Legoll <vincent.legoll@gmail.com>2020-03-15 19:07:57 +0100
committerLeo Famulari <leo@famulari.name>2020-03-15 14:25:36 -0400
commitf24aaa81de8c709adfda2e89271c562a5ca8d959 (patch)
tree3422fbefa7991b67d2707b3537e4458ba6efca65
parent323841bda4e5b8f9b30626ab768aaf711ee6aabf (diff)
gnu: BlueZ: Update to 5.54.
* gnu/packages/linux.scm (bluez): Update to 5.54. [replacement]: Remove field. (bluez/fixed): Remove variable. * gnu/packages/patches/bluez-CVE-2020-0556.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. Signed-off-by: Leo Famulari <leo@famulari.name>
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/linux.scm13
-rw-r--r--gnu/packages/patches/bluez-CVE-2020-0556.patch180
3 files changed, 2 insertions, 192 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 3be54b2627..b628bbee0c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,7 +764,6 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blender-2.79-newer-ffmpeg.patch \
%D%/packages/patches/blender-2.79-python-3.7-fix.patch \
- %D%/packages/patches/bluez-CVE-2020-0556.patch \
%D%/packages/patches/byobu-writable-status.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-remove-test-bs4.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index f1bc5798ab..fda7570d89 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4039,8 +4039,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
(define-public bluez
(package
(name "bluez")
- (replacement bluez/fixed)
- (version "5.53")
+ (version "5.54")
(source (origin
(method url-fetch)
(uri (string-append
@@ -4048,7 +4047,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
version ".tar.xz"))
(sha256
(base32
- "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq"))))
+ "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
@@ -4105,14 +4104,6 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
-(define bluez/fixed
- (package
- (inherit bluez)
- (source (origin
- (inherit (package-source bluez))
- (patches (append (origin-patches (package-source bluez))
- (search-patches "bluez-CVE-2020-0556.patch")))))))
-
(define-public fuse-exfat
(package
(name "fuse-exfat")
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
deleted file mode 100644
index 7c34459a3a..0000000000
--- a/gnu/packages/patches/bluez-CVE-2020-0556.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-Fix CVE-2020-0556:
-
-https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
-
-Patches copied from upstream source repository:
-
-https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
-https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
-
-From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
-From: Alain Michaud <alainm@chromium.org>
-Date: Tue, 10 Mar 2020 02:35:18 +0000
-Subject: [PATCH] HID accepts bonded device connections only.
-
-This change adds a configuration for platforms to choose a more secure
-posture for the HID profile. While some older mice are known to not
-support pairing or encryption, some platform may choose a more secure
-posture by requiring the device to be bonded and require the
-connection to be encrypted when bonding is required.
-
-Reference:
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
----
- profiles/input/device.c | 23 ++++++++++++++++++++++-
- profiles/input/device.h | 1 +
- profiles/input/input.conf | 8 ++++++++
- profiles/input/manager.c | 13 ++++++++++++-
- 4 files changed, 43 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/input/device.c b/profiles/input/device.c
-index 2cb3811c8..d89da2d7c 100644
---- a/profiles/input/device.c
-+++ b/profiles/input/device.c
-@@ -92,6 +92,7 @@ struct input_device {
-
- static int idle_timeout = 0;
- static bool uhid_enabled = false;
-+static bool classic_bonded_only = false;
-
- void input_set_idle_timeout(int timeout)
- {
-@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
- uhid_enabled = state;
- }
-
-+void input_set_classic_bonded_only(bool state)
-+{
-+ classic_bonded_only = state;
-+}
-+
- static void input_device_enter_reconnect_mode(struct input_device *idev);
- static int connection_disconnect(struct input_device *idev, uint32_t flags);
-
-@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
- if (device_name_known(idev->device))
- device_get_name(idev->device, req->name, sizeof(req->name));
-
-+ /* Make sure the device is bonded if required */
-+ if (classic_bonded_only && !device_is_bonded(idev->device,
-+ btd_device_get_bdaddr_type(idev->device))) {
-+ error("Rejected connection from !bonded device %s", dst_addr);
-+ goto cleanup;
-+ }
-+
- /* Encryption is mandatory for keyboards */
-- if (req->subclass & 0x40) {
-+ /* Some platforms may choose to require encryption for all devices */
-+ /* Note that this only matters for pre 2.1 devices as otherwise the */
-+ /* device is encrypted by default by the lower layers */
-+ if (classic_bonded_only || req->subclass & 0x40) {
- if (!bt_io_set(idev->intr_io, &gerr,
- BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
- BT_IO_OPT_INVALID)) {
-@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
- DBG("path=%s reconnect_mode=%s", idev->path,
- reconnect_mode_to_string(idev->reconnect_mode));
-
-+ /* Make sure the device is bonded if required */
-+ if (classic_bonded_only && !device_is_bonded(idev->device,
-+ btd_device_get_bdaddr_type(idev->device)))
-+ return;
-+
- /* Only attempt an auto-reconnect when the device is required to
- * accept reconnections from the host.
- */
-diff --git a/profiles/input/device.h b/profiles/input/device.h
-index 51a9aee18..3044db673 100644
---- a/profiles/input/device.h
-+++ b/profiles/input/device.h
-@@ -29,6 +29,7 @@ struct input_conn;
-
- void input_set_idle_timeout(int timeout);
- void input_enable_userspace_hid(bool state);
-+void input_set_classic_bonded_only(bool state);
-
- int input_device_register(struct btd_service *service);
- void input_device_unregister(struct btd_service *service);
-diff --git a/profiles/input/input.conf b/profiles/input/input.conf
-index 3e1d65aae..166aff4a4 100644
---- a/profiles/input/input.conf
-+++ b/profiles/input/input.conf
-@@ -11,3 +11,11 @@
- # Enable HID protocol handling in userspace input profile
- # Defaults to false (HIDP handled in HIDP kernel module)
- #UserspaceHID=true
-+
-+# Limit HID connections to bonded devices
-+# The HID Profile does not specify that devices must be bonded, however some
-+# platforms may want to make sure that input connections only come from bonded
-+# device connections. Several older mice have been known for not supporting
-+# pairing/encryption.
-+# Defaults to false to maximize device compatibility.
-+#ClassicBondedOnly=true
-diff --git a/profiles/input/manager.c b/profiles/input/manager.c
-index 1d31b0652..5cd27b839 100644
---- a/profiles/input/manager.c
-+++ b/profiles/input/manager.c
-@@ -96,7 +96,7 @@ static int input_init(void)
- config = load_config_file(CONFIGDIR "/input.conf");
- if (config) {
- int idle_timeout;
-- gboolean uhid_enabled;
-+ gboolean uhid_enabled, classic_bonded_only;
-
- idle_timeout = g_key_file_get_integer(config, "General",
- "IdleTimeout", &err);
-@@ -114,6 +114,17 @@ static int input_init(void)
- input_enable_userspace_hid(uhid_enabled);
- } else
- g_clear_error(&err);
-+
-+ classic_bonded_only = g_key_file_get_boolean(config, "General",
-+ "ClassicBondedOnly", &err);
-+
-+ if (!err) {
-+ DBG("input.conf: ClassicBondedOnly=%s",
-+ classic_bonded_only ? "true" : "false");
-+ input_set_classic_bonded_only(classic_bonded_only);
-+ } else
-+ g_clear_error(&err);
-+
- }
-
- btd_profile_register(&input_profile);
---
-2.25.1
-
-From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
-From: Alain Michaud <alainm@chromium.org>
-Date: Tue, 10 Mar 2020 02:35:16 +0000
-Subject: [PATCH] HOGP must only accept data from bonded devices.
-
-HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
-
-Reference:
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
----
- profiles/input/hog.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/profiles/input/hog.c b/profiles/input/hog.c
-index 83c017dcb..dfac68921 100644
---- a/profiles/input/hog.c
-+++ b/profiles/input/hog.c
-@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
- return -EINVAL;
- }
-
-+ /* HOGP 1.0 Section 6.1 requires bonding */
-+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
-+ return -ECONNREFUSED;
-+
- /* TODO: Replace GAttrib with bt_gatt_client */
- bt_hog_attach(dev->hog, attrib);
-
---
-2.25.1
-