~snappy-hwe-team/snappy-hwe-snaps/+git/bluez:bluez/5.49

Last commit made on 2020-03-31
Get this branch:
git clone -b bluez/5.49 https://git.launchpad.net/~snappy-hwe-team/snappy-hwe-snaps/+git/bluez
Members of Snappy HWE Team can upload to this branch.

Recent commits

9c39c49... by System Enablement CI Bot <email address hidden>

Merge remote tracking branch cve-2020-0556

Merge-Proposal: https://code.launchpad.net/~alfonsosanchezbeato/snappy-hwe-snaps/+git/bluez/+merge/381428

Author: Alfonso Sanchez-Beato <email address hidden>

Security update taken from Ubuntu package. Patches included:

bluez (5.48-0ubuntu3.4) bionic-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via improper access control
    - debian/patches/CVE-2020-0556-1.patch: HOGP must only accept data from
      bonded devices in profiles/input/hog.c.
    - debian/patches/CVE-2020-0556-2.patch: HID accepts bonded device
      connections only in profiles/input/device.c, profiles/input/device.h,
      profiles/input/input.conf, profiles/input/manager.c.
    - debian/patches/CVE-2020-0556-3.patch: attempt to set security level
      if not bonded in profiles/input/hog.c.
    - debian/patches/CVE-2020-0556-4.patch: add LEAutoSecurity setting to
      input.conf in profiles/input/device.h, profiles/input/hog.c,
      profiles/input/input.conf, profiles/input/manager.c.
    - CVE-2020-0556

8c340d9... by Luiz Augusto von Dentz <email address hidden>

input: Add LEAutoSecurity setting to input.conf

LEAutoSecurity can be used to enable/disable automatic upgrades of
security for LE devices, by default it is enabled so existing devices
that did not require security and were not bonded will automatically
upgrade the security.

Note: Platforms disabling this setting would require users to manually
bond the device which may require changes to the user interface to
always force bonding for input devices as APIs such as Device.Connect
will no longer work which may be perceived as a regression.

7027df9... by Luiz Augusto von Dentz <email address hidden>

input: hog: Attempt to set security level if not bonded

This attempts to set the security if the device is not bonded, the
kernel will block any communication on the ATT socket while bumping
the security and if that fails the device will be disconnected which
is better than having the device dangling around without being able to
communicate with it until it is properly bonded.

61ea1b7... by Alain Michaud <email address hidden>

HID accepts bonded device connections only.

This change adds a configuration for platforms to choose a more secure
posture for the HID profile. While some older mice are known to not
support pairing or encryption, some platforms may choose a more secure
posture by requiring the device to be bonded and require the
connection to be encrypted when bonding is required.

Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

31ffdb7... by Alain Michaud <email address hidden>

HOGP must only accept data from bonded devices.

HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.

Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm

39503d9... by System Enablement CI Bot <email address hidden>

Merge remote tracking branch feature/bluez/5.49/core-patches-2

Merge-Proposal: https://code.launchpad.net/~kzapalowicz/snappy-hwe-snaps/+git/bluez/+merge/341635

Author: Konrad Zapałowicz <email address hidden>

fix compilation issues

a2e35cb... by Konrad Zapałowicz <email address hidden>

fix compilation issues

357000f... by System Enablement CI Bot <email address hidden>

Merge remote tracking branch feature/bluez/5.49/core-patches

Merge-Proposal: https://code.launchpad.net/~kzapalowicz/snappy-hwe-snaps/+git/bluez/+merge/341516

Author: Konrad Zapałowicz <email address hidden>

add snappy patches

7fd673b... by Konrad Zapałowicz <email address hidden>

Disable spread tests on this branch

22b3317... by Konrad Zapałowicz <email address hidden>

Install btmgmt tool