Hi I based my conclusion on the fact that hog.c does not seem to have the concept of bonded at all. This is what I mean with "does not seem to need". But I'm new to this code so I could very well be wrong.
I hope this helps. // Ola On Sun, 10 May 2020 at 23:54, Brian May <[email protected]> wrote: > > I am a bit puzzled by the following comment from dla-needed.txtfor bluez: > > NOTE: 20200503: Looking at the four patches included in the stretch update > it looks like it > NOTE: 20200503: can be applied as is. What will fail is hog.c but that file > do not seem to > NOTE: 20200503: need an update. (Ola) > > As far as i can tell, the first commit fixes the security flaw, and the > only file it touches in hog.c. If true that hog.c does not need an > update, does this means the package is not vulnerable? I suspect not. > > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 > - fix vulnerability. > > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 > - make security posture configurable to support newer devices. > > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519 > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e > - fix potential regressions. > > The patch patches the hog_accept function, which is a callback set as > part of the hog_profile: > > static struct btd_profile hog_profile = { > .name = "input-hog", > .remote_uuid = HOG_UUID, > .device_probe = hog_probe, > .device_remove = hog_remove, > .accept = hog_accept, > .disconnect = hog_disconnect, > .auto_connect = true, > }; > > Unfortunately the version in Jessie doesn't even have an accept entry: > > static struct btd_profile hog_profile = { > .name = "input-hog", > .remote_uuid = HOG_UUID, > .device_probe = hog_probe, > .device_remove = hog_remove, > }; > > Looking at commit > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e, > it looks like maybe we should be patching the attio_connected_cb() > function instead. But this function doesn't appear to have any way to > return an error indicating it failed, which seems to be required by the > patch. It might be sufficient just to ignore the error and return > without immediately if device is not bonded. Not sure how much I can > trust this however. > > My gut feeling to fix this we should backport version 5.43-2+deb9u2 from > stretch to Jessie. Yes, this might break stuff, but I suspect just the > very basic idea of this security fix - rejecting unbonded connections - > could break stuff also. > -- > Brian May <[email protected]> > https://linuxpenguins.xyz/brian/ > -- --- Inguza Technology AB --- MSc in Information Technology ---- | [email protected] [email protected] | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------
