From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1702145162.26f32e2abe9e0c412c98898f61b144a3f6e5fb76.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-wireless/bluez/files/, net-wireless/bluez/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-wireless/bluez/bluez-5.70-r1.ebuild net-wireless/bluez/files/bluez-5.70-CVE-2023-45866.patch
X-VCS-Directories: net-wireless/bluez/files/ net-wireless/bluez/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 26f32e2abe9e0c412c98898f61b144a3f6e5fb76
X-VCS-Branch: master
Date: Sat, 9 Dec 2023 18:11:05 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 1a3d959b-38f1-43ef-a6e5-79521a2b92c2
X-Archives-Hash: e80827b9e278e43271447d2a6dcb336a

commit:     26f32e2abe9e0c412c98898f61b144a3f6e5fb76
Author:     Sam James gentoo org>
AuthorDate: Sat Dec 9 18:05:05 2023 +0000
Commit:     Sam James gentoo org>
CommitDate: Sat Dec 9 18:06:02 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26f32e2a

net-wireless/bluez: backport CVE-2023-45866 fix

Signed-off-by: Sam James gentoo.org>

 net-wireless/bluez/bluez-5.70-r1.ebuild         | 288 +++++++++++++++++++++
 .../bluez/files/bluez-5.70-CVE-2023-45866.patch |  43 +++
 2 files changed, 331 insertions(+)

diff --git a/net-wireless/bluez/bluez-5.70-r1.ebuild b/net-wireless/bluez/bluez-5.70-r1.ebuild new file mode 100644 index 000000000000..756654822561 --- /dev/null +++ b/net-wireless/bluez/bluez-5.70-r1.ebuild
@@ -0,0 +1,288 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +PYTHON_COMPAT=( python3_{9..12} ) + +inherit autotools linux-info python-single-r1 systemd udev multilib-minimal #readme.gentoo-r1 + +DESCRIPTION="Bluetooth Tools and System Daemons for Linux" +HOMEPAGE="http://www.bluez.org https://github.com/bluez/bluez" +SRC_URI="https://www.kernel.org/pub/linux/bluetooth/${P}.tar.xz" + +LICENSE="GPL-2+ LGPL-2.1+" +SLOT="0/3" +KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~x86" +IUSE="btpclient cups doc debug deprecated extra-tools experimental +mesh midi +obex +readline selinux systemd test test-programs +udev" + +# Since this release all remaining extra-tools need readline support, but this could +# change in the future, hence, this REQUIRED_USE constraint could be dropped +# again in the future. +# btpclient needs mesh, bug #790587 +REQUIRED_USE=" + btpclient? ( mesh ) + extra-tools? ( deprecated readline ) + test? ( ${PYTHON_REQUIRED_USE} ) + test-programs? ( ${PYTHON_REQUIRED_USE} ) +" + +TEST_DEPS="${PYTHON_DEPS} + $(python_gen_cond_dep ' + >=dev-python/dbus-python-1[${PYTHON_USEDEP}] + dev-python/pygobject:3[${PYTHON_USEDEP}] + ') +" +BDEPEND=" + dev-python/docutils + virtual/pkgconfig + test? ( ${TEST_DEPS} ) +" +DEPEND=" + >=dev-libs/glib-2.28:2[${MULTILIB_USEDEP}] + btpclient? ( >=dev-libs/ell-0.39 ) + cups? ( net-print/cups:= ) + mesh? ( + >=dev-libs/ell-0.39 + >=dev-libs/json-c-0.13:= + sys-libs/readline:0= + ) + midi? ( media-libs/alsa-lib ) + obex? ( dev-libs/libical:= ) + readline? ( sys-libs/readline:0= ) + systemd? ( sys-apps/systemd ) + >=sys-apps/dbus-1.6:= + udev? ( >=virtual/udev-172 ) +" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-bluetooth ) + test-programs? ( ${TEST_DEPS} ) +" + +RESTRICT="!test? ( test )" + +PATCHES=( + # Try both udevadm paths to cover udev/systemd vs. 
eudev locations (#539844) + # http://www.spinics.net/lists/linux-bluetooth/msg58739.html + # https://bugs.gentoo.org/539844 + # https://github.com/bluez/bluez/issues/268 + "${FILESDIR}"/${PN}-udevadm-path-r1.patch + + # Fedora patches + # https://lore.kernel.org/linux-bluetooth/20220901110719.176944-1-hadess@hadess.net/T/#m9c08d004cd5422783ee1d93154f42303bba9169f + "${FILESDIR}"/${PN}-5.66-power-state-adapter-property.patch + + # Backport CVE-2023-45866 fix (bug #919383) + "${FILESDIR}"/${PN}-5.70-CVE-2023-45866.patch +) + +pkg_setup() { + # From http://www.linuxfromscratch.org/blfs/view/svn/general/bluez.html + # to prevent bugs like: + # https://bugzilla.kernel.org/show_bug.cgi?id=196621 + CONFIG_CHECK="~NET ~BT ~BT_RFCOMM ~BT_RFCOMM_TTY ~BT_BNEP ~BT_BNEP_MC_FILTER + ~BT_BNEP_PROTO_FILTER ~BT_HIDP ~CRYPTO_USER_API_HASH ~CRYPTO_USER_API_SKCIPHER + ~UHID ~RFKILL" + # https://bugzilla.kernel.org/show_bug.cgi?id=196621 + # https://bugzilla.kernel.org/show_bug.cgi?id=206815 + if use mesh || use test; then + CONFIG_CHECK="${CONFIG_CHECK} ~CRYPTO_USER + ~CRYPTO_USER_API ~CRYPTO_USER_API_AEAD ~CRYPTO_AES ~CRYPTO_CCM ~CRYPTO_AEAD ~CRYPTO_CMAC + ~CRYPTO_MD5 ~CRYPTO_SHA1 ~KEY_DH_OPERATIONS" + fi + linux-info_pkg_setup + + if use test || use test-programs; then + python-single-r1_pkg_setup + fi + + if ! use udev; then + ewarn + ewarn "You are installing ${PN} with USE=-udev. This means various bluetooth" + ewarn "devices and adapters from Apple, Dell, Logitech etc. will not work," + ewarn "and hid2hci will not be available." + ewarn + fi +} + +src_prepare() { + default + + # http://www.spinics.net/lists/linux-bluetooth/msg38490.html + if ! 
use systemd; then + eapply "${FILESDIR}"/0001-Allow-using-obexd-without-systemd-in-the-user-session-r2.patch + fi + + eautoreconf + + if use cups; then + # Only not .am to not need to run eautoreconf only because of this + sed -i \ + -e "s:cupsdir = \$(libdir)/cups:cupsdir = $(cups-config --serverbin):" \ + Makefile.{in,tools} || die + fi + + multilib_copy_sources +} + +multilib_src_configure() { + local myconf=( + # readline is automagic when client is enabled + # --enable-client always needs readline, bug #504038 + # --enable-mesh is handled in the same way + ac_cv_header_readline_readline_h=$(multilib_native_usex readline) + ac_cv_header_readline_readline_h=$(multilib_native_usex mesh) + ) + + if ! multilib_is_native_abi; then + myconf+=( + # deps not used for the library + {DBUS,GLIB}_{CFLAGS,LIBS}=' ' + ) + fi + + econf \ + --localstatedir=/var \ + --disable-android \ + --enable-datafiles \ + --enable-optimization \ + $(use_enable debug) \ + --enable-pie \ + --enable-threads \ + --enable-library \ + --enable-tools \ + --enable-manpages \ + --enable-monitor \ + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ + --with-systemduserunitdir="$(systemd_get_userunitdir)" \ + $(multilib_native_use_enable btpclient) \ + $(multilib_native_use_enable btpclient external-ell) \ + $(multilib_native_use_enable cups) \ + $(multilib_native_use_enable deprecated) \ + $(multilib_native_use_enable experimental) \ + $(multilib_native_use_enable mesh) \ + $(multilib_native_use_enable mesh external-ell) \ + $(multilib_native_use_enable midi) \ + $(multilib_native_use_enable obex) \ + $(multilib_native_use_enable readline client) \ + $(multilib_native_use_enable systemd) \ + $(multilib_native_use_enable test-programs test) \ + $(multilib_native_use_enable udev) \ + $(multilib_native_use_enable udev hid2hci) \ + $(multilib_native_use_enable udev sixaxis) +} + +multilib_src_compile() { + if multilib_is_native_abi; then + default + else + emake -f Makefile -f - libs \ + 
<<<'libs: $(lib_LTLIBRARIES)' + fi +} + +multilib_src_test() { + multilib_is_native_abi && default +} + +multilib_src_install() { + if multilib_is_native_abi; then + emake DESTDIR="${D}" install + + # Only install extra-tools when relevant USE flag is enabled + if use extra-tools; then + ewarn "Upstream doesn't support using this tools and their bugs are" + ewarn "likely to be ignored forever, also they can break without" + ewarn "previous announcement." + ewarn "Upstream also states all this tools are not really needed," + ewarn "then, if you still need to rely on them, you must ask them" + ewarn "to either install that tool by default or add the needed" + ewarn "functionality to the existing 'official' tools." + ewarn "Please report this issues to:" + ewarn "http://www.bluez.org/development/lists/" + + # Upstream doesn't install this, bug #524640 + # http://permalink.gmane.org/gmane.linux.bluez.kernel/53115 + # http://comments.gmane.org/gmane.linux.bluez.kernel/54564 + dobin tools/btmgmt + # gatttool is only built with readline, bug #530776 + # https://bugzilla.redhat.com/show_bug.cgi?id=1141909 + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720486 + # https://bugs.archlinux.org/task/37686 + dobin attrib/gatttool + # https://bugzilla.redhat.com/show_bug.cgi?id=1699680 + dobin tools/avinfo + fi + + # Not installed by default after being built, bug #666756 + use btpclient && dobin tools/btpclient + + # Unittests are not that useful once installed, so make them optional + if use test-programs; then + # Drop python2 only test tools + # https://bugzilla.kernel.org/show_bug.cgi?id=206819 + rm "${ED}"/usr/$(get_libdir)/bluez/test/simple-player || die + # https://bugzilla.kernel.org/show_bug.cgi?id=206821 + rm "${ED}"/usr/$(get_libdir)/bluez/test/test-hfp || die + # https://bugzilla.kernel.org/show_bug.cgi?id=206823 + rm "${ED}"/usr/$(get_libdir)/bluez/test/test-sap-server || die + + python_fix_shebang "${ED}"/usr/$(get_libdir)/bluez/test + + for i in $(find 
"${ED}"/usr/$(get_libdir)/bluez/test -maxdepth 1 -type f ! -name "*.*"); do + dosym "${i}" /usr/bin/bluez-"${i##*/}" + done + fi + else + emake DESTDIR="${D}" \ + install-pkgincludeHEADERS \ + install-libLTLIBRARIES \ + install-pkgconfigDATA + fi +} + +multilib_src_install_all() { + # We need to ensure obexd can be spawned automatically by systemd + # when user-session is enabled: + # http://marc.info/?l=linux-bluetooth&m=148096094716386&w=2 + # https://bugs.gentoo.org/show_bug.cgi?id=577842 + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804908 + # https://bugs.archlinux.org/task/45816 + # https://bugzilla.redhat.com/show_bug.cgi?id=1318441 + # https://bugzilla.redhat.com/show_bug.cgi?id=1389347 + if use systemd; then + dosym obex.service /usr/lib/systemd/user/dbus-org.bluez.obex.service + fi + + find "${D}" -name '*.la' -type f -delete || die + + keepdir /var/lib/bluetooth + + # Upstream don't want people to play with them + # But we keep installing them due to 'historical' reasons + insinto /etc/bluetooth + local d + for d in input network; do + doins profiles/${d}/${d}.conf + done + # Setup auto enable as Fedora does for allowing to use + # keyboards/mouse as soon as possible + sed -i 's/#\[Policy\]$/\[Policy\]/; s/#AutoEnable=false/AutoEnable=true/' src/main.conf || die + doins src/main.conf + + newinitd "${FILESDIR}"/bluetooth-init.d-r5 bluetooth + newconfd "${FILESDIR}"/bluetooth-conf.d bluetooth + + einstalldocs + use doc && dodoc doc/*.txt +} + +pkg_postinst() { + use udev && udev_reload + systemd_reenable bluetooth.service + + has_version net-dialup/ppp || elog "To use dial up networking you must install net-dialup/ppp" +} + +pkg_postrm() { + use udev && udev_reload +} diff --git a/net-wireless/bluez/files/bluez-5.70-CVE-2023-45866.patch b/net-wireless/bluez/files/bluez-5.70-CVE-2023-45866.patch new file mode 100644 index 000000000000..6e5ac253585c --- /dev/null +++ b/net-wireless/bluez/files/bluez-5.70-CVE-2023-45866.patch 
@@ -0,0 +1,43 @@ +https://bugs.gentoo.org/919383 +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675 + +From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 10 Oct 2023 13:03:12 -0700 +Subject: input.conf: Change default of ClassicBondedOnly + +This changes the default of ClassicBondedOnly since defaulting to false +is not inline with HID specification which mandates the of Security Mode +4: + +BLUETOOTH SPECIFICATION Page 84 of 123 +Human Interface Device (HID) Profile: + + 5.4.3.4.2 Security Modes + Bluetooth HID Hosts shall use Security Mode 4 when interoperating with + Bluetooth HID devices that are compliant to the Bluetooth Core + Specification v2.1+EDR[6]. +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -81,7 +81,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; +-static bool classic_bonded_only = false; ++static bool classic_bonded_only = true; + + void input_set_idle_timeout(int timeout) + { +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -17,7 +17,7 @@ + # platforms may want to make sure that input connections only come from bonded + # device connections. Several older mice have been known for not supporting + # pairing/encryption. +-# Defaults to false to maximize device compatibility. ++# Defaults to true for security. + #ClassicBondedOnly=true + + # LE upgrade security +-- +cgit 1.2.3-korg
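Review bot: in multilib_src_configure of the bluez-5.70-r1.ebuild hunk, the myconf array (the two ac_cv_header_readline_readline_h entries and, for non-native ABIs, the {DBUS,GLIB}_{CFLAGS,LIBS}=' ' overrides) is assembled but the econf call that follows never expands "${myconf[@]}", so none of those settings reach configure; add "${myconf[@]}" as the first econf argument. Separately, the two lines `ac_cv_header_readline_readline_h=$(multilib_native_usex readline)` and `ac_cv_header_readline_readline_h=$(multilib_native_usex mesh)` assign the same cache variable, so once they are passed the mesh one wins and USE="readline -mesh" would force the readline header check to "no"; a single `ac_cv_header_readline_readline_h=$(multilib_native_usex readline yes "$(multilib_native_usex mesh)")` covers both flags. Since this revision exists to ship the CVE-2023-45866 backport, which flips the compiled-in ClassicBondedOnly default to true, a pkg_postinst elog telling users that classic HID devices now have to be bonded before input connections are accepted, and that /etc/bluetooth/input.conf is where ClassicBondedOnly can be relaxed, would pre-empt bug reports from owners of older mice that cannot pair. Minor: the `#readme.gentoo-r1` left at the end of the inherit line should be dropped or moved to its own comment, and the ewarn block for extra-tools has "this tools"/"this issues" where "these" is meant.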
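Review bot: in the input.conf hunk of bluez-5.70-CVE-2023-45866.patch, the comment becomes "Defaults to true for security" while the example line below it stays `#ClassicBondedOnly=true`, so the shipped file now only restates the default and no longer shows the opt-out; because the ebuild installs profiles/input/input.conf into /etc/bluetooth via `doins profiles/${d}/${d}.conf`, a follow-up local tweak (or a note in the ebuild) showing `ClassicBondedOnly=false` for hosts that must still accept unbonded legacy mice would keep the installed config self-explanatory. The device.c hunk changes the compiled-in default as well, so the behaviour changes even on systems that never edited input.conf; the Gentoo bug and upstream commit URLs at the top of the patch give good provenance for that, which is worth keeping in the final file.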