Import Debian changes 5.50-1.2~deb10u1

bluez (5.50-1.2~deb10u1) buster-security; urgency=high * Non-maintainer upload by the Security Team. * Rebuild for buster-security. bluez (5.50-1.2) unstable; urgency=medium * Non-maintainer upload. * input: hog: Attempt to set security level if not bonded * input: Add LEAutoSecurity setting to input.conf bluez (5.50-1.1) unstable; urgency=high * Non-maintainer upload. * Address INTEL-SA-00352 (CVE-2020-0556) (Closes: #953770) - HOGP must only accept data from bonded devices - HID accepts bonded device connections only

Import Debian changes 5.50-1.2~deb10u1
275e8f65 · Salvatore Bonaccorso · d5ad05fd · 275e8f65 · 275e8f65 · 275e8f65
Commit 275e8f65 authored 5 years ago by Salvatore Bonaccorso
--- a/debian/changelog
+++ b/debian/changelog
+bluez (5.50-1.2~deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Rebuild for buster-security.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 22 Mar 2020 10:55:38 +0100
+
+bluez (5.50-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * input: hog: Attempt to set security level if not bonded
+  * input: Add LEAutoSecurity setting to input.conf
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 20 Mar 2020 21:19:01 +0100
+
+bluez (5.50-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Address INTEL-SA-00352 (CVE-2020-0556) (Closes: #953770)
+    - HOGP must only accept data from bonded devices
+    - HID accepts bonded device connections only
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 13 Mar 2020 21:31:22 +0100
+
 bluez (5.50-1) unstable; urgency=medium

  * Update to 5.50.

--- a/debian/patches/HID-accepts-bonded-device-connections-only.patch
+++ b/debian/patches/HID-accepts-bonded-device-connections-only.patch
+From: Alain Michaud <alainm@chromium.org>
+Date: Tue, 10 Mar 2020 02:35:18 +0000
+Subject: HID accepts bonded device connections only.
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
+Bug-Debian: https://bugs.debian.org/953770
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556
+
+This change adds a configuration for platforms to choose a more secure
+posture for the HID profile.  While some older mice are known to not
+support pairing or encryption, some platform may choose a more secure
+posture by requiring the device to be bonded  and require the
+connection to be encrypted when bonding is required.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+---
+ profiles/input/device.c   | 23 ++++++++++++++++++++++-
+ profiles/input/device.h   |  1 +
+ profiles/input/input.conf |  8 ++++++++
+ profiles/input/manager.c  | 13 ++++++++++++-
+ 4 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 2cb3811c8d46..d89da2d7ccac 100644
+--- a/profiles/input/device.c
+++ b/profiles/input/device.c
+@@ -92,6 +92,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+static bool classic_bonded_only = false;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
+ 	uhid_enabled = state;
+ }
+ 
+void input_set_classic_bonded_only(bool state)
+{
+	classic_bonded_only = state;
+}
+
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+ 
+@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
+ 	if (device_name_known(idev->device))
+ 		device_get_name(idev->device, req->name, sizeof(req->name));
+ 
+	/* Make sure the device is bonded if required */
+	if (classic_bonded_only && !device_is_bonded(idev->device,
+				btd_device_get_bdaddr_type(idev->device))) {
+		error("Rejected connection from !bonded device %s", dst_addr);
+		goto cleanup;
+	}
+
+ 	/* Encryption is mandatory for keyboards */
+-	if (req->subclass & 0x40) {
+	/* Some platforms may choose to require encryption for all devices */
+	/* Note that this only matters for pre 2.1 devices as otherwise the */
+	/* device is encrypted by default by the lower layers */
+	if (classic_bonded_only || req->subclass & 0x40) {
+ 		if (!bt_io_set(idev->intr_io, &gerr,
+ 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ 					BT_IO_OPT_INVALID)) {
+@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ 	DBG("path=%s reconnect_mode=%s", idev->path,
+ 				reconnect_mode_to_string(idev->reconnect_mode));
+ 
+	/* Make sure the device is bonded if required */
+	if (classic_bonded_only && !device_is_bonded(idev->device,
+				btd_device_get_bdaddr_type(idev->device)))
+		return;
+
+ 	/* Only attempt an auto-reconnect when the device is required to
+ 	 * accept reconnections from the host.
+ 	 */
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee181ab..3044db67332c 100644
+--- a/profiles/input/device.h
+++ b/profiles/input/device.h
+@@ -29,6 +29,7 @@ struct input_conn;
+ 
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
+void input_set_classic_bonded_only(bool state);
+ 
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65aaefee..166aff4a43b2 100644
+--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
+@@ -11,3 +11,11 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
+
+# Limit HID connections to bonded devices
+# The HID Profile does not specify that devices must be bonded, however some
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+# Defaults to false to maximize device compatibility.
+#ClassicBondedOnly=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b065298e..5cd27b8396b8 100644
+--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ 	config = load_config_file(CONFIGDIR "/input.conf");
+ 	if (config) {
+ 		int idle_timeout;
+-		gboolean uhid_enabled;
+		gboolean uhid_enabled, classic_bonded_only;
+ 
+ 		idle_timeout = g_key_file_get_integer(config, "General",
+ 							"IdleTimeout", &err);
+@@ -114,6 +114,17 @@ static int input_init(void)
+ 			input_enable_userspace_hid(uhid_enabled);
+ 		} else
+ 			g_clear_error(&err);
+
+		classic_bonded_only = g_key_file_get_boolean(config, "General",
+						"ClassicBondedOnly", &err);
+
+		if (!err) {
+			DBG("input.conf: ClassicBondedOnly=%s",
+					classic_bonded_only ? "true" : "false");
+			input_set_classic_bonded_only(classic_bonded_only);
+		} else
+			g_clear_error(&err);
+
+ 	}
+ 
+ 	btd_profile_register(&input_profile);
+-- 
+2.25.1
+
--- a/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch
+++ b/debian/patches/HOGP-must-only-accept-data-from-bonded-devices.patch
+From: Alain Michaud <alainm@chromium.org>
+Date: Tue, 10 Mar 2020 02:35:16 +0000
+Subject: HOGP must only accept data from bonded devices.
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
+Bug-Debian: https://bugs.debian.org/953770
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556
+
+HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
+---
+ profiles/input/hog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 83c017dcb717..dfac689219a0 100644
+--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
+@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
+ 			return -EINVAL;
+ 	}
+ 
+	/* HOGP 1.0 Section 6.1 requires bonding */
+	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+		return -ECONNREFUSED;
+
+ 	/* TODO: Replace GAttrib with bt_gatt_client */
+ 	bt_hog_attach(dev->hog, attrib);
+ 
+-- 
+2.25.1
+
--- a/debian/patches/input-Add-LEAutoSecurity-setting-to-input.conf.patch
+++ b/debian/patches/input-Add-LEAutoSecurity-setting-to-input.conf.patch
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 11 Mar 2020 11:43:21 -0700
+Subject: input: Add LEAutoSecurity setting to input.conf
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=f2778f5877d20696d68a452b26e4accb91bfb19e
+
+LEAutoSecurity can be used to enable/disable automatic upgrades of
+security for LE devices, by default it is enabled so existing devices
+that did not require security and were not bonded will automatically
+upgrade the security.
+
+Note: Platforms disabling this setting would require users to manually
+bond the device which may require changes to the user interface to
+always force bonding for input devices as APIs such as Device.Connect
+will no longer work which maybe perceived as a regression.
+---
+ profiles/input/device.h   |  1 +
+ profiles/input/hog.c      | 13 +++++++++++--
+ profiles/input/input.conf |  5 +++++
+ profiles/input/manager.c  | 11 ++++++++++-
+ 4 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 3044db67332c..5a077f92a82c 100644
+--- a/profiles/input/device.h
+++ b/profiles/input/device.h
+@@ -30,6 +30,7 @@ struct input_conn;
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
+ void input_set_classic_bonded_only(bool state);
+void input_set_auto_sec(bool state);
+ 
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index f0226ebbd1ba..327a1d1c3c2b 100644
+--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
+@@ -53,6 +53,7 @@
+ #include "src/shared/gatt-client.h"
+ #include "src/plugin.h"
+ 
+#include "device.h"
+ #include "suspend.h"
+ #include "attrib/att.h"
+ #include "attrib/gattrib.h"
+@@ -67,8 +68,14 @@ struct hog_device {
+ };
+ 
+ static gboolean suspend_supported = FALSE;
+static bool auto_sec = true;
+ static struct queue *devices = NULL;
+ 
+void input_set_auto_sec(bool state)
+{
+	auto_sec = state;
+}
+
+ static void hog_device_accept(struct hog_device *dev, struct gatt_db *db)
+ {
+ 	char name[248];
+@@ -192,11 +199,13 @@ static int hog_accept(struct btd_service *service)
+ 	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
+ 		struct bt_gatt_client *client;
+ 
+		if (!auto_sec)
+			return -ECONNREFUSED;
+
+ 		client = btd_device_get_gatt_client(device);
+ 		if (!bt_gatt_client_set_security(client,
+-						BT_ATT_SECURITY_MEDIUM)) {
+						BT_ATT_SECURITY_MEDIUM))
+ 			return -ECONNREFUSED;
+-		}
+ 	}
+ 
+ 	/* TODO: Replace GAttrib with bt_gatt_client */
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 166aff4a43b2..4c70bc561f05 100644
+--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
+@@ -19,3 +19,8 @@
+ # pairing/encryption.
+ # Defaults to false to maximize device compatibility.
+ #ClassicBondedOnly=true
+
+# LE upgrade security
+# Enables upgrades of security automatically if required.
+# Defaults to true to maximize device compatibility.
+#LEAutoSecurity=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 5cd27b8396b8..bf4acb4ed583 100644
+--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ 	config = load_config_file(CONFIGDIR "/input.conf");
+ 	if (config) {
+ 		int idle_timeout;
+-		gboolean uhid_enabled, classic_bonded_only;
+		gboolean uhid_enabled, classic_bonded_only, auto_sec;
+ 
+ 		idle_timeout = g_key_file_get_integer(config, "General",
+ 							"IdleTimeout", &err);
+@@ -125,6 +125,15 @@ static int input_init(void)
+ 		} else
+ 			g_clear_error(&err);
+ 
+		auto_sec = g_key_file_get_boolean(config, "General",
+						"LEAutoSecurity", &err);
+		if (!err) {
+			DBG("input.conf: LEAutoSecurity=%s",
+					auto_sec ? "true" : "false");
+			input_set_auto_sec(auto_sec);
+		} else
+			g_clear_error(&err);
+
+ 	}
+ 
+ 	btd_profile_register(&input_profile);
+-- 
+2.20.1
+
--- a/debian/patches/input-hog-Attempt-to-set-security-level-if-not-bonde.patch
+++ b/debian/patches/input-hog-Attempt-to-set-security-level-if-not-bonde.patch
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Mar 2020 09:59:07 -0700
+Subject: input: hog: Attempt to set security level if not bonded
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
+
+This attempts to set the security if the device is not bonded, the
+kernel will block any communication on the ATT socket while bumping
+the security and if that fails the device will be disconnected which
+is better than having the device dangling around without being able to
+communicate with it until it is properly bonded.
+---
+ profiles/input/hog.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index dfac689219a0..f0226ebbd1ba 100644
+--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
+@@ -49,6 +49,8 @@
+ #include "src/shared/util.h"
+ #include "src/shared/uhid.h"
+ #include "src/shared/queue.h"
+#include "src/shared/att.h"
+#include "src/shared/gatt-client.h"
+ #include "src/plugin.h"
+ 
+ #include "suspend.h"
+@@ -187,8 +189,15 @@ static int hog_accept(struct btd_service *service)
+ 	}
+ 
+ 	/* HOGP 1.0 Section 6.1 requires bonding */
+-	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+-		return -ECONNREFUSED;
+	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
+		struct bt_gatt_client *client;
+
+		client = btd_device_get_gatt_client(device);
+		if (!bt_gatt_client_set_security(client,
+						BT_ATT_SECURITY_MEDIUM)) {
+			return -ECONNREFUSED;
+		}
+	}
+ 
+ 	/* TODO: Replace GAttrib with bt_gatt_client */
+ 	bt_hog_attach(dev->hog, attrib);
+-- 
+2.20.1
+
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,7 @@ org.bluez.obex.service.in.patch
 Fix-typo.patch
 shared-gatt-client-Fix-segfault-after-PIN-entry.patch
 main.conf-Add-more-details-Closes-904212.patch
+HOGP-must-only-accept-data-from-bonded-devices.patch
+HID-accepts-bonded-device-connections-only.patch
+input-hog-Attempt-to-set-security-level-if-not-bonde.patch
+input-Add-LEAutoSecurity-setting-to-input.conf.patch