Version in base suite: 5.50-1 Base version: bluez_5.50-1 Target version: bluez_5.50-1.2~deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bluez/bluez_5.50-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bluez/bluez_5.50-1.2~deb10u1.dsc changelog | 24 + patches/HID-accepts-bonded-device-connections-only.patch | 140 ++++++++++ patches/HOGP-must-only-accept-data-from-bonded-devices.patch | 33 ++ patches/input-Add-LEAutoSecurity-setting-to-input.conf.patch | 121 ++++++++ patches/input-hog-Attempt-to-set-security-level-if-not-bonde.patch | 48 +++ patches/series | 4 6 files changed, 370 insertions(+) diff -Nru bluez-5.50/debian/changelog bluez-5.50/debian/changelog --- bluez-5.50/debian/changelog 2018-07-29 02:46:24.000000000 +0000 +++ bluez-5.50/debian/changelog 2020-03-22 09:55:38.000000000 +0000 @@ -1,3 +1,27 @@ +bluez (5.50-1.2~deb10u1) buster-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Rebuild for buster-security. + + -- Salvatore Bonaccorso Sun, 22 Mar 2020 10:55:38 +0100 + +bluez (5.50-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * input: hog: Attempt to set security level if not bonded + * input: Add LEAutoSecurity setting to input.conf + + -- Salvatore Bonaccorso Fri, 20 Mar 2020 21:19:01 +0100 + +bluez (5.50-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Address INTEL-SA-00352 (CVE-2020-0556) (Closes: #953770) + - HOGP must only accept data from bonded devices + - HID accepts bonded device connections only + + -- Salvatore Bonaccorso Fri, 13 Mar 2020 21:31:22 +0100 + bluez (5.50-1) unstable; urgency=medium * Update to 5.50. diff -Nru bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch --- bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch 1970-01-01 00:00:00.000000000 +0000 +++ bluez-5.50/debian/patches/HID-accepts-bonded-device-connections-only.patch 2020-03-22 09:55:38.000000000 +0000 @@ -0,0 +1,140 @@ +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:18 +0000 +Subject: HID accepts bonded device connections only. +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 +Bug-Debian: https://bugs.debian.org/953770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556 + +This change adds a configuration for platforms to choose a more secure +posture for the HID profile. While some older mice are known to not +support pairing or encryption, some platform may choose a more secure +posture by requiring the device to be bonded and require the +connection to be encrypted when bonding is required. + +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +--- + profiles/input/device.c | 23 ++++++++++++++++++++++- + profiles/input/device.h | 1 + + profiles/input/input.conf | 8 ++++++++ + profiles/input/manager.c | 13 ++++++++++++- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 2cb3811c8d46..d89da2d7ccac 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -92,6 +92,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; ++static bool classic_bonded_only = false; + + void input_set_idle_timeout(int timeout) + { +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) + uhid_enabled = state; + } + ++void input_set_classic_bonded_only(bool state) ++{ ++ classic_bonded_only = state; ++} ++ + static void input_device_enter_reconnect_mode(struct input_device *idev); + static int connection_disconnect(struct input_device *idev, uint32_t flags); + +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) + if (device_name_known(idev->device)) + device_get_name(idev->device, req->name, sizeof(req->name)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) { ++ error("Rejected connection from !bonded device %s", dst_addr); ++ goto cleanup; ++ } ++ + /* Encryption is mandatory for keyboards */ +- if (req->subclass & 0x40) { ++ /* Some platforms may choose to require encryption for all devices */ ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ ++ /* device is encrypted by default by the lower layers */ ++ if (classic_bonded_only || req->subclass & 0x40) { + if (!bt_io_set(idev->intr_io, &gerr, + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, + BT_IO_OPT_INVALID)) { +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) + DBG("path=%s reconnect_mode=%s", idev->path, + reconnect_mode_to_string(idev->reconnect_mode)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) ++ return; ++ + /* Only attempt an auto-reconnect when the device is required to + * accept reconnections from the host. + */ +diff --git a/profiles/input/device.h b/profiles/input/device.h +index 51a9aee181ab..3044db67332c 100644 +--- a/profiles/input/device.h ++++ b/profiles/input/device.h +@@ -29,6 +29,7 @@ struct input_conn; + + void input_set_idle_timeout(int timeout); + void input_enable_userspace_hid(bool state); ++void input_set_classic_bonded_only(bool state); + + int input_device_register(struct btd_service *service); + void input_device_unregister(struct btd_service *service); +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 3e1d65aaefee..166aff4a43b2 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -11,3 +11,11 @@ + # Enable HID protocol handling in userspace input profile + # Defaults to false (HIDP handled in HIDP kernel module) + #UserspaceHID=true ++ ++# Limit HID connections to bonded devices ++# The HID Profile does not specify that devices must be bonded, however some ++# platforms may want to make sure that input connections only come from bonded ++# device connections. Several older mice have been known for not supporting ++# pairing/encryption. ++# Defaults to false to maximize device compatibility. ++#ClassicBondedOnly=true +diff --git a/profiles/input/manager.c b/profiles/input/manager.c +index 1d31b065298e..5cd27b8396b8 100644 +--- a/profiles/input/manager.c ++++ b/profiles/input/manager.c +@@ -96,7 +96,7 @@ static int input_init(void) + config = load_config_file(CONFIGDIR "/input.conf"); + if (config) { + int idle_timeout; +- gboolean uhid_enabled; ++ gboolean uhid_enabled, classic_bonded_only; + + idle_timeout = g_key_file_get_integer(config, "General", + "IdleTimeout", &err); +@@ -114,6 +114,17 @@ static int input_init(void) + input_enable_userspace_hid(uhid_enabled); + } else + g_clear_error(&err); ++ ++ classic_bonded_only = g_key_file_get_boolean(config, "General", ++ "ClassicBondedOnly", &err); ++ ++ if (!err) { ++ DBG("input.conf: ClassicBondedOnly=%s", ++ classic_bonded_only ? "true" : "false"); ++ input_set_classic_bonded_only(classic_bonded_only); ++ } else ++ g_clear_error(&err); ++ + } + + btd_profile_register(&input_profile); +-- +2.25.1 + diff -Nru bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch --- bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch 1970-01-01 00:00:00.000000000 +0000 +++ bluez-5.50/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch 2020-03-22 09:55:38.000000000 +0000 @@ -0,0 +1,33 @@ +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:16 +0000 +Subject: HOGP must only accept data from bonded devices. +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 +Bug-Debian: https://bugs.debian.org/953770 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556 + +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. + +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm +--- + profiles/input/hog.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index 83c017dcb717..dfac689219a0 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) + return -EINVAL; + } + ++ /* HOGP 1.0 Section 6.1 requires bonding */ ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) ++ return -ECONNREFUSED; ++ + /* TODO: Replace GAttrib with bt_gatt_client */ + bt_hog_attach(dev->hog, attrib); + +-- +2.25.1 + diff -Nru bluez-5.50/debian/patches/input-Add-LEAutoSecurity-setting-to-input.conf.patch bluez-5.50/debian/patches/input-Add-LEAutoSecurity-setting-to-input.conf.patch --- bluez-5.50/debian/patches/input-Add-LEAutoSecurity-setting-to-input.conf.patch 1970-01-01 00:00:00.000000000 +0000 +++ bluez-5.50/debian/patches/input-Add-LEAutoSecurity-setting-to-input.conf.patch 2020-03-22 09:55:38.000000000 +0000 @@ -0,0 +1,121 @@ +From: Luiz Augusto von Dentz +Date: Wed, 11 Mar 2020 11:43:21 -0700 +Subject: input: Add LEAutoSecurity setting to input.conf +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=f2778f5877d20696d68a452b26e4accb91bfb19e + +LEAutoSecurity can be used to enable/disable automatic upgrades of +security for LE devices, by default it is enabled so existing devices +that did not require security and were not bonded will automatically +upgrade the security. + +Note: Platforms disabling this setting would require users to manually +bond the device which may require changes to the user interface to +always force bonding for input devices as APIs such as Device.Connect +will no longer work which maybe perceived as a regression. +--- + profiles/input/device.h | 1 + + profiles/input/hog.c | 13 +++++++++++-- + profiles/input/input.conf | 5 +++++ + profiles/input/manager.c | 11 ++++++++++- + 4 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/profiles/input/device.h b/profiles/input/device.h +index 3044db67332c..5a077f92a82c 100644 +--- a/profiles/input/device.h ++++ b/profiles/input/device.h +@@ -30,6 +30,7 @@ struct input_conn; + void input_set_idle_timeout(int timeout); + void input_enable_userspace_hid(bool state); + void input_set_classic_bonded_only(bool state); ++void input_set_auto_sec(bool state); + + int input_device_register(struct btd_service *service); + void input_device_unregister(struct btd_service *service); +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index f0226ebbd1ba..327a1d1c3c2b 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -53,6 +53,7 @@ + #include "src/shared/gatt-client.h" + #include "src/plugin.h" + ++#include "device.h" + #include "suspend.h" + #include "attrib/att.h" + #include "attrib/gattrib.h" +@@ -67,8 +68,14 @@ struct hog_device { + }; + + static gboolean suspend_supported = FALSE; ++static bool auto_sec = true; + static struct queue *devices = NULL; + ++void input_set_auto_sec(bool state) ++{ ++ auto_sec = state; ++} ++ + static void hog_device_accept(struct hog_device *dev, struct gatt_db *db) + { + char name[248]; +@@ -192,11 +199,13 @@ static int hog_accept(struct btd_service *service) + if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) { + struct bt_gatt_client *client; + ++ if (!auto_sec) ++ return -ECONNREFUSED; ++ + client = btd_device_get_gatt_client(device); + if (!bt_gatt_client_set_security(client, +- BT_ATT_SECURITY_MEDIUM)) { ++ BT_ATT_SECURITY_MEDIUM)) + return -ECONNREFUSED; +- } + } + + /* TODO: Replace GAttrib with bt_gatt_client */ +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 166aff4a43b2..4c70bc561f05 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -19,3 +19,8 @@ + # pairing/encryption. + # Defaults to false to maximize device compatibility. + #ClassicBondedOnly=true ++ ++# LE upgrade security ++# Enables upgrades of security automatically if required. ++# Defaults to true to maximize device compatibility. ++#LEAutoSecurity=true +diff --git a/profiles/input/manager.c b/profiles/input/manager.c +index 5cd27b8396b8..bf4acb4ed583 100644 +--- a/profiles/input/manager.c ++++ b/profiles/input/manager.c +@@ -96,7 +96,7 @@ static int input_init(void) + config = load_config_file(CONFIGDIR "/input.conf"); + if (config) { + int idle_timeout; +- gboolean uhid_enabled, classic_bonded_only; ++ gboolean uhid_enabled, classic_bonded_only, auto_sec; + + idle_timeout = g_key_file_get_integer(config, "General", + "IdleTimeout", &err); +@@ -125,6 +125,15 @@ static int input_init(void) + } else + g_clear_error(&err); + ++ auto_sec = g_key_file_get_boolean(config, "General", ++ "LEAutoSecurity", &err); ++ if (!err) { ++ DBG("input.conf: LEAutoSecurity=%s", ++ auto_sec ? "true" : "false"); ++ input_set_auto_sec(auto_sec); ++ } else ++ g_clear_error(&err); ++ + } + + btd_profile_register(&input_profile); +-- +2.20.1 + diff -Nru bluez-5.50/debian/patches/input-hog-Attempt-to-set-security-level-if-not-bonde.patch bluez-5.50/debian/patches/input-hog-Attempt-to-set-security-level-if-not-bonde.patch --- bluez-5.50/debian/patches/input-hog-Attempt-to-set-security-level-if-not-bonde.patch 1970-01-01 00:00:00.000000000 +0000 +++ bluez-5.50/debian/patches/input-hog-Attempt-to-set-security-level-if-not-bonde.patch 2020-03-22 09:55:38.000000000 +0000 @@ -0,0 +1,48 @@ +From: Luiz Augusto von Dentz +Date: Tue, 10 Mar 2020 09:59:07 -0700 +Subject: input: hog: Attempt to set security level if not bonded +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=35d8d895cd0b724e58129374beb0bb4a2edf9519 + +This attempts to set the security if the device is not bonded, the +kernel will block any communication on the ATT socket while bumping +the security and if that fails the device will be disconnected which +is better than having the device dangling around without being able to +communicate with it until it is properly bonded. +--- + profiles/input/hog.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index dfac689219a0..f0226ebbd1ba 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -49,6 +49,8 @@ + #include "src/shared/util.h" + #include "src/shared/uhid.h" + #include "src/shared/queue.h" ++#include "src/shared/att.h" ++#include "src/shared/gatt-client.h" + #include "src/plugin.h" + + #include "suspend.h" +@@ -187,8 +189,15 @@ static int hog_accept(struct btd_service *service) + } + + /* HOGP 1.0 Section 6.1 requires bonding */ +- if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) +- return -ECONNREFUSED; ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) { ++ struct bt_gatt_client *client; ++ ++ client = btd_device_get_gatt_client(device); ++ if (!bt_gatt_client_set_security(client, ++ BT_ATT_SECURITY_MEDIUM)) { ++ return -ECONNREFUSED; ++ } ++ } + + /* TODO: Replace GAttrib with bt_gatt_client */ + bt_hog_attach(dev->hog, attrib); +-- +2.20.1 + diff -Nru bluez-5.50/debian/patches/series bluez-5.50/debian/patches/series --- bluez-5.50/debian/patches/series 2018-07-29 02:46:24.000000000 +0000 +++ bluez-5.50/debian/patches/series 2020-03-22 09:55:38.000000000 +0000 @@ -9,3 +9,7 @@ Fix-typo.patch shared-gatt-client-Fix-segfault-after-PIN-entry.patch main.conf-Add-more-details-Closes-904212.patch +HOGP-must-only-accept-data-from-bonded-devices.patch +HID-accepts-bonded-device-connections-only.patch +input-hog-Attempt-to-set-security-level-if-not-bonde.patch +input-Add-LEAutoSecurity-setting-to-input.conf.patch