This small bug affects sarge too so I'm cc'ing security. Attached patches restrict the permissions for sarge and etch/sid so that non-root users cannot read the default pin value used in Bluetooth authentication. The postinst script was manually tested with fresh installs and upgrades on both sarge and etch installations.
For the record, both upstream[1] and Fedora[2] have these pin files in mode 600, so I see no reason for this Debian-specific behaviour.
-Mikko
[1] $ grep -A 1 BlueZ bluez-utils-2.15/hcid/Makefile.am
echo "BlueZ" > $(DESTDIR)$(pinfile); \
chmod 600 $(DESTDIR)$(pinfile)
[2] $ rpm2cpio bluez-utils-2.25-12.i386.rpm | cpio -vt | grep bluetooth\/pin
-rw------- 1 root root 6 Jul 19 22:12 ./etc/bluetooth/pin
diff -u bluez-utils-2.15/debian/bluez-utils.postinst bluez-utils-2.15/debian/bluez-utils.postinst
--- bluez-utils-2.15/debian/bluez-utils.postinst
+++ bluez-utils-2.15/debian/bluez-utils.postinst
@@ -3,6 +3,14 @@
 set -e
 case "$1" in
 configure)
+ # sarge specific minor security fix:
+ # bluez-utils shipped with /etc/bluetooth/pin readable by
+ # others so resetting its permissions
+ if [ -e /etc/bluetooth/pin ] && [ 'foo'$( find /etc/bluetooth/pin -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions from file /etc/bluetooth/pin"
+ chmod u=rw,go= /etc/bluetooth/pin
+ fi
+
 # remove bluez-sdpd init, if present
 if [ -f /etc/init.d/bluez-sdp ]; then
 /usr/sbin/update-rc.d -f bluez-sdp remove
diff -u bluez-utils-2.15/debian/changelog bluez-utils-2.15/debian/changelog
--- bluez-utils-2.15/debian/changelog
+++ bluez-utils-2.15/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (2.15-1.1.0sarge.mcf01) stable-security; urgency=low
+
+ * Try to set tighter /etc/bluetooth/pin permissions
+
+ -- Mikko Rapeli <[EMAIL PROTECTED]> Fri, 29 Sep 2006 11:26:08 +0300
+
 bluez-utils (2.15-1.1) stable-security; urgency=high
 
 * Fix command injection insecurity in hcid. See CAN-2005-2547.
diff -u bluez-utils-2.15/debian/rules bluez-utils-2.15/debian/rules
--- bluez-utils-2.15/debian/rules
+++ bluez-utils-2.15/debian/rules
@@ -10,6 +10,8 @@
 DEB_CONFIGURE_EXTRA_FLAGS := --enable-pcmcia --enable-dbus --enable-cups --enable-hid2hci --enable-bcm203x
 
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/pin
+
 install/bluez-utils::
 # modutils config file
 install -D -m 0644 debian/modutils \
@@ -31,6 +33,7 @@
 # have a sensible pin default, the upstream one 'BlueZ'
 # cannot be typed on a phone keypad!
 echo "1234" > $(DEB_DESTDIR)/etc/bluetooth/pin
+ chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/pin
 
 install/bluez-pcmcia-support::
 chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
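Review bot: The permission test in the added `if` of the sarge postinst glues an unquoted command substitution to a sentinel, `[ 'foo'$( find /etc/bluetooth/pin -perm +go=rwx ) != 'foo' ]`; it only works because the path contains no whitespace, and `[ -n "$(find /etc/bluetooth/pin -perm +go=rwx)" ]` expresses the same check without the trick. The chmod tightens the mode but never looks at ownership, and a 0600 file only keeps the pin private if root owns it, so adding `chown root:root /etc/bluetooth/pin` before the `chmod u=rw,go=` would make the postinst's intent hold even where the file was re-created by hand at some point. A short comment such as `# -perm +mode is the older GNU find spelling; kept for sarge's findutils` would save the next reader from "modernising" it into a form the target release cannot parse. The etch postinst hunk below uses the same sentinel construction and the same suggestions apply there.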
diff -u bluez-utils-3.5/debian/bluez-utils.postinst bluez-utils-3.5/debian/bluez-utils.postinst
--- bluez-utils-3.5/debian/bluez-utils.postinst
+++ bluez-utils-3.5/debian/bluez-utils.postinst
@@ -15,6 +15,19 @@
 set -e
 case "$1" in
 configure)
+ # bluez-utils shipped with /etc/bluetooth/hcid.conf and
+ # /etc/bluetooth/passkey readable by others so resetting
+ # its permissions
+ if [ -e /etc/bluetooth/hcid.conf ] && [ 'foo'$( find /etc/bluetooth/hcid.conf -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions from file /etc/bluetooth/hcid.conf"
+ chmod u=rw,go= /etc/bluetooth/hcid.conf
+ fi
+
+ if [ -e /etc/bluetooth/passkeys ] && [ 'foo'$( find /etc/bluetooth/passkeys -maxdepth 0 -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions from /etc/bluetooth/passkeys*"
+ chmod -R u=rw,go= /etc/bluetooth/passkeys
+ fi
+
 # remove bluez-sdpd init, if present
 if [ -f /etc/init.d/bluez-sdp ]; then
 /usr/sbin/update-rc.d -f bluez-sdp remove
diff -u bluez-utils-3.5/debian/rules bluez-utils-3.5/debian/rules
--- bluez-utils-3.5/debian/rules
+++ bluez-utils-3.5/debian/rules
@@ -13,6 +13,7 @@
 # removed --enable-pcmcia --enable-dbus
 DEB_CONFIGURE_EXTRA_FLAGS := --disable-initscripts --enable-obex --enable-cups --enable-hid2hci
 DEB_DESTDIR := $(CURDIR)/debian/tmp
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/*
 
 build/bluez-utils::
 $(CC) `pkg-config --libs --cflags dbus-1` -DDBUS_API_SUBJECT_TO_CHANGE -o $(CURDIR)/debian/add-passkey $(CURDIR)/debian/add-passkey.c
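Review bot: `chmod -R u=rw,go= /etc/bluetooth/passkeys` in the etch postinst also applies `u=rw` to the directory itself, which clears its execute bit and leaves it 0600 rather than the `u=rwx,go=` the rules file gives it at build time, so the two code paths disagree on the directory mode. `chmod -R u=rwX,go= /etc/bluetooth/passkeys` keeps execute on directories only and makes every file inside 0600, which matches the rules hunk. Because hcid runs as root and root is not subject to directory search permission, a 0600 directory would presumably have passed the manual upgrade test without anyone noticing, so this is worth pinning with an `ls -ld` after the upgrade. The comment above the block also says `/etc/bluetooth/passkey` while the code checks `passkeys`; `# /etc/bluetooth/passkeys/ readable by others` would remove the ambiguity.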
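Review bot: `DEB_FIXPERMS_EXCLUDE := etc/bluetooth/*` in the etch rules takes the whole directory out of dh_fixperms, so any file under etc/bluetooth that the later chmod lines do not name explicitly keeps whatever mode the build step left it with, which for files created by redirection or install without `-m` is the build umask, and shipped modes then depend on the build environment. Narrowing the exclusion to the paths that actually need a non-default mode, e.g. `DEB_FIXPERMS_EXCLUDE := etc/bluetooth/hcid.conf etc/bluetooth/passkeys`, keeps dh_fixperms in charge of the rest; check how cdbs turns the variable into `-X` options before relying on a multi-entry list. A one-line comment above the assignment, `# keep dh_fixperms from resetting the 0600 modes set below`, would explain why the exclusion exists at all.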
@@ -43,6 +44,10 @@
 # have a sensible pin default, the upstream one 'BlueZ'
 # cannot be typed on a phone keypad!
 echo "1234" > $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+ chmod u=rw,go= $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+ # tighten pin/passkey file and directory permissions
+ chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/hcid.conf
+ chmod u=rwx,go= $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys
 
 binary-install/bluez-pcmcia-support::
 #chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
diff -u bluez-utils-3.5/debian/changelog bluez-utils-3.5/debian/changelog
--- bluez-utils-3.5/debian/changelog
+++ bluez-utils-3.5/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (3.5-1.0etch.mcf01) unstable; urgency=low
+
+ * Try tighten passkey permissions for upgrades and new installs
+
+ -- Mikko Rapeli <[EMAIL PROTECTED]> Fri, 29 Sep 2006 17:11:04 +0300
+
 bluez-utils (3.5-1) unstable; urgency=medium
 
 * New upstream release (closes: #384379)
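Review bot: The three added chmod lines operate on two different trees: the passkeys file and directory are tightened under `$(CURDIR)/debian/bluez-utils`, the final package directory, while `hcid.conf` is tightened under `$(DEB_DESTDIR)`, which the earlier hunk sets to `$(CURDIR)/debian/tmp`. Whether the 0600 on hcid.conf reaches the .deb therefore depends on the later copy from debian/tmp into the package directory preserving the mode; verifying with `dpkg-deb -c` on the built package, or moving that chmod to `$(CURDIR)/debian/bluez-utils/etc/bluetooth/hcid.conf` next to the other two, removes the doubt. The enclosing recipe starts above the hunk, so I cannot see where hcid.conf is installed relative to this chmod. The `# tighten pin/passkey file and directory permissions` comment would be more useful one line higher, covering the passkeys/default chmod as well.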