Cve-2023-45866 + CVE-2020-0556

nklopgijyhnhomhadgbc · 10 December 2023 15:32

REPRODUCIBILITY:
OS VERSION: ALL
HARDWARE: ALL
UI LANGUAGE: ALL
REGRESSION:

DESCRIPTION:

cve-2023-45866
CVE-2020-0556

Sailfish use bluez5 with disabled fix for these two CVE.

sailfishos/bluez5/blob/master/profiles/input/device.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 *
 *  BlueZ - Bluetooth protocol stack for Linux
 *
 *  Copyright (C) 2004-2010  Marcel Holtmann <marcel@holtmann.org>
 *  Copyright (C) 2014       Google Inc.
 *
 *
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#define _GNU_SOURCE
#include <stdlib.h>
#include <stdbool.h>
#include <errno.h>
#include <fcntl.h>

This file has been truncated. show original

Fix:

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

PRECONDITIONS:

STEPS TO REPRODUCE:

EXPECTED RESULT:

ACTUAL RESULT:

MODIFICATIONS:

ADDITIONAL INFORMATION:

voidanix · 10 December 2023 16:44

It honestly irritates me how this has been around for months yet nobody cared until the December security bulletin came out…

Either case, this will take a long time until it makes its way into SFOS, either by a 5.71 Bluez5 tag or a cherry-pick (with the former being more likely): I invite you to publish a PR with this patch as the latter so the Jolla guys can decide whether to merge this now or wait it out.

nklopgijyhnhomhadgbc · 10 December 2023 17:26

vlagged · 10 December 2023 17:36

exploitation on Linux/BlueZ requires that Bluetooth is discoverable/connectable

According to https://www.darkreading.com/vulnerabilities-threats/critical-bluetooth-flaw-exposes-android-apple-and-linux-devices-to-keystroke-injection-attack

attah · 10 December 2023 17:41

The proper way to do a PR for this is to apply the upstream commit.
That way appropriate credit is given, and comments/reason is not lost like with this version.

poetaster · 10 December 2023 20:38

For those not following on github, looks like it’s in the works from a comment by mal: Update device.c by acfbhytuiltyghrth · Pull Request #10 · sailfishos/bluez5 · GitHub

nephros · 11 December 2023 07:33

Do I read input.conf: Change default of ClassicBondedOnly - bluez.git - Bluetooth protocol stack for Linux correctly that the vuln can be mitigated without recompiling/updating by setting the config value ClassicBondedOnly to true in input.conf?

poetaster · 11 December 2023 17:50

Yes, you read that correctly. Now, if that actually mitigates the issue, I have no idea. EDIT: as far as I can tell this IS the mitigation so just change the input profile config, maybe just add

ClassicBondedOnly=true

to /etc/bluez5/bluetooth/input.conf

If you’re feeling nervous.

mal · 14 December 2023 15:17

There is now PR to update bluez5 to latest version which includes the fix Update to 5.71 by mlehtima · Pull Request #11 · sailfishos/bluez5 · GitHub