~alfonsosanchezbeato/snappy-hwe-snaps/+git/bluez:cve-2020-0556

Branch merges

Propose for merging

Merged into ~snappy-hwe-team/snappy-hwe-snaps/+git/bluez:bluez/5.49 at revision 9c39c49824f60febc02d9104e73e5633ce9dbf1b

System Enablement Bot: Approve (continuous-integration) on 2020-03-31

Diff: 181 lines (+80/-2)

5 files modified

profiles/input/device.c (+22/-1)
profiles/input/device.h (+2/-0)
profiles/input/hog.c (+22/-0)
profiles/input/input.conf (+13/-0)
profiles/input/manager.c (+21/-1)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

8c340d9... by Luiz Augusto von Dentz <email address hidden> on 2020-03-11

input: Add LEAutoSecurity setting to input.conf

LEAutoSecurity can be used to enable/disable automatic upgrades of
security for LE devices, by default it is enabled so existing devices
that did not require security and were not bonded will automatically
upgrade the security.

Note: Platforms disabling this setting would require users to manually
bond the device which may require changes to the user interface to
always force bonding for input devices as APIs such as Device.Connect
will no longer work which maybe perceived as a regression.

7027df9... by Luiz Augusto von Dentz <email address hidden> on 2020-03-10

input: hog: Attempt to set security level if not bonded

This attempts to set the security if the device is not bonded, the
kernel will block any communication on the ATT socket while bumping
the security and if that fails the device will be disconnected which
is better than having the device dangling around without being able to
communicate with it until it is properly bonded.

61ea1b7... by Alain Michaud <email address hidden> on 2020-03-10

HID accepts bonded device connections only.

This change adds a configuration for platforms to choose a more secure
posture for the HID profile. While some older mice are known to not
support pairing or encryption, some platform may choose a more secure
posture by requiring the device to be bonded and require the
connection to be encrypted when bonding is required.

Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

31ffdb7... by Alain Michaud <email address hidden> on 2020-03-10

HOGP must only accept data from bonded devices.

HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.

Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm

39503d9... by System Enablement CI Bot <email address hidden> on 2018-03-19

Merge remote tracking branch feature/bluez/5.49/core-patches-2

Merge-Proposal: https://code.launchpad.net/~kzapalowicz/snappy-hwe-snaps/+git/bluez/+merge/341635

Author: Konrad Zapałowicz <email address hidden>

fix compilation issues

a2e35cb... by =?utf-8?q?Konrad_Zapa=C5=82owicz?= <email address hidden> on 2018-03-19

fix compilation issues

357000f... by System Enablement CI Bot <email address hidden> on 2018-03-16

Merge remote tracking branch feature/bluez/5.49/core-patches

Merge-Proposal: https://code.launchpad.net/~kzapalowicz/snappy-hwe-snaps/+git/bluez/+merge/341516

Author: Konrad Zapałowicz <email address hidden>

add snappy patches

7fd673b... by =?utf-8?q?Konrad_Zapa=C5=82owicz?= <email address hidden> on 2017-04-03

Disable spread tests on this branch

22b3317... by =?utf-8?q?Konrad_Zapa=C5=82owicz?= <email address hidden> on 2017-08-17

Install btmgmt tool

0d09cc3... by =?utf-8?q?Konrad_Zapa=C5=82owicz?= <email address hidden> on 2017-04-04

Fix hciattach on RPi3

This patch fixes the hciattach on Raspberry Pi 3 by applying the
following changes:

* don't set UART speed before loading firmware (thanks to
  https://github.com/MilhouseVH)
* change FIRMWARE_DIR to /lib/formware

These changes originated from LP: #1674509