packages/bluez
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!92 fix CVE-2023-45866

Browse Source 
From: @zhouwenpei 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock
This commit is contained in:
openeuler-ci-bot 2023-12-15 09:10:42 +00:00 committed by Gitee
commit 5c59ce508a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
backport-CVE-2023-45866.patch Normal file
View File

@ -0,0 +1,47 @@
From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 10 Oct 2023 13:03:12 -0700
Subject: input.conf: Change default of ClassicBondedOnly
This changes the default of ClassicBondedOnly since defaulting to false
is not inline with HID specification which mandates the of Security Mode
4:
BLUETOOTH SPECIFICATION Page 84 of 123
Human Interface Device (HID) Profile:
5.4.3.4.2 Security Modes
Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
Bluetooth HID devices that are compliant to the Bluetooth Core
Specification v2.1+EDR[6].
---
profiles/input/device.c | 2 +-
profiles/input/input.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/input/device.c b/profiles/input/device.c
index d89da2d..e6f9e84 100644
--- a/profiles/input/device.c
+++ b/profiles/input/device.c
@@ -92,7 +92,7 @@ struct input_device {
static int idle_timeout = 0;
static bool uhid_enabled = false;
-static bool classic_bonded_only = false;
+static bool classic_bonded_only = true;
void input_set_idle_timeout(int timeout)
{
diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 166aff4..d0b6449 100644
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -17,5 +17,5 @@
# platforms may want to make sure that input connections only come from bonded
# device connections. Several older mice have been known for not supporting
# pairing/encryption.
-# Defaults to false to maximize device compatibility.
+# Defaults to true for security.
#ClassicBondedOnly=true
--
2.33.0

6
bluez.spec
View File

@ -1,7 +1,7 @@
Name: bluez
Summary: Bluetooth utilities
Version: 5.54
Release: 17
Release: 18
License: GPLv2+
URL: http://www.bluez.org/
Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@ -38,6 +38,7 @@ Patch6012: backport-0002-CVE-2022-39177.patch
Patch6013: bluez-5.54-sw.patch
%endif
Patch6014: backport-CVE-2023-27349.patch
Patch6015: backport-CVE-2023-45866.patch
BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
BuildRequires: glib2-devel libical-devel readline-devel
@ -194,6 +195,9 @@ make check
%{_mandir}/man8/*
%changelog
* Fri Dec 08 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 5.54-18
- fix CVE-2023-45866
* Tue Apr 18 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 5.54-17
- DESC:fix CVE-2023-27349