Control: tags 1052983 + pending
Control: tags 1056996 + pending
Control: tags 1057914 + patch
Control: tags 1057914 + pending

Dear maintainer,

I've prepared an NMU for bluez (versioned as 5.70-1.1~exp0) and uploaded it to DELAYED/2 (targeting experimental to expose the UsrMerge parts first by the dumat tool). Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru bluez-5.70/debian/bluez-meshd.install bluez-5.70/debian/bluez-meshd.install --- bluez-5.70/debian/bluez-meshd.install 2023-10-24 08:17:00.000000000 +0200 +++ bluez-5.70/debian/bluez-meshd.install 2023-12-14 22:32:44.000000000 +0100 @@ -1,5 +1,5 @@ usr/share/dbus-1/system.d/bluetooth-mesh.conf -lib/systemd/system/bluetooth-mesh.service +${env:deb_systemdsystemunitdir}/bluetooth-mesh.service usr/bin/mesh-cfgclient usr/bin/mesh-cfgtest usr/bin/meshctl diff -Nru bluez-5.70/debian/bluez.install bluez-5.70/debian/bluez.install --- bluez-5.70/debian/bluez.install 2023-10-24 08:17:00.000000000 +0200 +++ bluez-5.70/debian/bluez.install 2023-12-14 22:32:44.000000000 +0100 @@ -7,7 +7,7 @@ usr/bin/btattach usr/bin/btmon usr/bin/hciattach -usr/bin/hciconfig bin/ +usr/bin/hciconfig usr/bin/hcitool usr/bin/sdptool usr/bin/rctest @@ -20,11 +20,11 @@ usr/bin/mpris-proxy tools/btmgmt usr/bin tools/obexctl usr/bin -lib/udev/hid2hci -lib/udev/rules.d/97-hid2hci.rules +${env:deb_udevdir}/hid2hci +${env:deb_udevdir}/rules.d/97-hid2hci.rules attrib/gatttool usr/bin #-- for systemd -lib/systemd/system/bluetooth.service +${env:deb_systemdsystemunitdir}/bluetooth.service usr/share/dbus-1/system.d/bluetooth.conf usr/share/dbus-1/system-services/org.bluez.service usr/share/zsh/site-functions/_bluetoothctl diff -Nru bluez-5.70/debian/changelog bluez-5.70/debian/changelog --- bluez-5.70/debian/changelog 2023-10-24 08:17:00.000000000 +0200 +++ bluez-5.70/debian/changelog 2023-12-14 22:32:44.000000000 +0100 
@@ -1,3 +1,20 @@ +bluez (5.70-1.1~exp0) experimental; urgency=medium + + * Non-maintainer upload. + + [ Helmut Grohne ] + * Fix FTBFS when systemd.pc changes systemdsystemunitdir (Closes: #1052983) + + [ Chris Hofstaedtler ] + * Defer udev file placement to udev's pkg-config data (Closes: #1056996) + * Install hciconfig into /usr/bin instead of /bin + + [ Salvatore Bonaccorso ] + * input.conf: Change default of ClassicBondedOnly (CVE-2023-45866) + (Closes: #1057914) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 14 Dec 2023 22:32:44 +0100 + bluez (5.70-1) unstable; urgency=medium * Update to 5.70. diff -Nru bluez-5.70/debian/control bluez-5.70/debian/control --- bluez-5.70/debian/control 2023-10-24 08:17:00.000000000 +0200 +++ bluez-5.70/debian/control 2023-12-14 22:32:44.000000000 +0100 @@ -18,7 +18,8 @@ python3-docutils, udev, check <!nocheck>, - systemd + systemd, + systemd-dev, Standards-Version: 4.6.1 Rules-Requires-Root: no Vcs-Browser: https://salsa.debian.org/bluetooth-team/bluez diff -Nru bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch --- bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch 1970-01-01 01:00:00.000000000 +0100 +++ bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch 2023-12-14 22:32:44.000000000 +0100 
@@ -0,0 +1,52 @@ +From: Luiz Augusto von Dentz <luiz.von.de...@intel.com> +Date: Tue, 10 Oct 2023 13:03:12 -0700 +Subject: input.conf: Change default of ClassicBondedOnly +Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=25a471a83e02e1effb15d5a488b3f0085eaeb675 +Bug-Debian: https://bugs.debian.org/1057914 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-45866 + +This changes the default of ClassicBondedOnly since defaulting to false +is not inline with HID specification which mandates the of Security Mode +4: + +BLUETOOTH SPECIFICATION Page 84 of 123 +Human Interface Device (HID) Profile: + + 5.4.3.4.2 Security Modes + Bluetooth HID Hosts shall use Security Mode 4 when interoperating with + Bluetooth HID devices that are compliant to the Bluetooth Core + Specification v2.1+EDR[6]. +--- + profiles/input/device.c | 2 +- + profiles/input/input.conf | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 4a50ea9921a9..4310dd192e11 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -81,7 +81,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; +-static bool classic_bonded_only = false; ++static bool classic_bonded_only = true; + + void input_set_idle_timeout(int timeout) + { +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 4c70bc561f05..d8645f3dd664 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -17,7 +17,7 @@ + # platforms may want to make sure that input connections only come from bonded + # device connections. Several older mice have been known for not supporting + # pairing/encryption. +-# Defaults to false to maximize device compatibility. ++# Defaults to true for security. 
+ #ClassicBondedOnly=true + + # LE upgrade security +-- +2.43.0 + diff -Nru bluez-5.70/debian/patches/series bluez-5.70/debian/patches/series --- bluez-5.70/debian/patches/series 2023-10-24 08:17:00.000000000 +0200 +++ bluez-5.70/debian/patches/series 2023-12-14 22:32:44.000000000 +0100 @@ -12,3 +12,4 @@ headers-use-releative-symlinks.patch Change-shebang-from-usr-bin-python-to-usr-bin-python.patch Add-HCI_TO_STR-macro-for-FIRMWARE_DIR.patch +input.conf-Change-default-of-ClassicBondedOnly.patch diff -Nru bluez-5.70/debian/rules bluez-5.70/debian/rules --- bluez-5.70/debian/rules 2023-10-24 08:17:00.000000000 +0200 +++ bluez-5.70/debian/rules 2023-12-14 22:32:44.000000000 +0100 @@ -41,6 +41,9 @@ skip_packages = -Nbluez-cups endif +export deb_systemdsystemunitdir = $(shell pkg-config --variable=systemdsystemunitdir systemd | sed s,^/,,) +export deb_udevdir = $(shell pkg-config --variable=udevdir udev | sed s,^/,,) + %: dh $@ --exclude=.la
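Review bot: in the debian/control hunk, systemd-dev is added to Build-Depends while the existing udev and systemd entries stay. If those two were listed only to provide the pkg-config data, they could be dropped now; if the build still needs them for other reasons, a short changelog remark would make that explicit. The visible context also does not show a pkg-config build dependency, which the new $(shell pkg-config ...) calls in debian/rules rely on, so it is worth confirming that one is already listed above the lines shown.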
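Review bot: in the input.conf hunk of the ClassicBondedOnly patch, the comment now says the option defaults to true, but the commented sample line directly below it still reads #ClassicBondedOnly=true, so uncommenting it changes nothing. The sample line is the place an administrator looks when one of the older mice mentioned in the same comment stops connecting after the upgrade, so the comment should at least say which value restores the old behaviour. Because the new default in device.c changes behaviour for existing installations, a debian/NEWS entry in addition to the changelog line would help users who hit that.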
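Review bot: in the debian/rules hunk, neither $(shell pkg-config ...) assignment checks that it produced a value. If pkg-config fails or the .pc file is missing, deb_systemdsystemunitdir or deb_udevdir is exported empty and the ${env:...} entries in bluez.install and bluez-meshd.install expand to paths such as /bluetooth.service, which only surfaces later as a confusing install-time error. Consider failing early, for example with an ifeq ($(deb_udevdir),) guard that calls $(error ...), and quoting the sed expression as 's,^/,,' so the shell never gets a chance to interpret it.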