Import Debian changes 5.66-1+deb12u1

5b97731e · Salvatore Bonaccorso · Dylan Aïssi · 2a155ca6 · 5b97731e · 5b97731e
Commit 5b97731e authored 1 year ago by Salvatore Bonaccorso Committed by Dylan Aïssi 1 year ago
--- a/debian/changelog
+++ b/debian/changelog
+bluez (5.66-1+deb12u1) bookworm-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * input.conf: Change default of ClassicBondedOnly (CVE-2023-45866)
+    (Closes: #1057914)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 10 Dec 2023 17:57:24 +0100
+
 bluez (5.66-1) unstable; urgency=medium

  * Update to 5.66.

--- a/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch
+++ b/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
+Bug-Debian: https://bugs.debian.org/1057914
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-45866
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 4a50ea9921a9..4310dd192e11 100644
+--- a/profiles/input/device.c
+++ b/profiles/input/device.c
+@@ -81,7 +81,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
+static bool classic_bonded_only = true;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc561f05..d8645f3dd664 100644
+--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
+# Defaults to true for security.
+ #ClassicBondedOnly=true
+ 
+ # LE upgrade security
+-- 
+2.43.0
+
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ shared-gatt-client-Fix-segfault-after-PIN-entry.patch
 main.conf-Add-more-details-Closes-904212.patch
 headers-use-releative-symlinks.patch
 Change-shebang-from-usr-bin-python-to-usr-bin-python.patch
+input.conf-Change-default-of-ClassicBondedOnly.patch