diff options
| author | Wootak Jung <wootak.jung@samsung.com> | 2023-11-28 14:51:49 +0900 |
|---|---|---|
| committer | Wootak Jung <wootak.jung@samsung.com> | 2023-11-29 10:18:22 +0900 |
| commit | a1e210e40256d9994b854b536cef5a6633a4af9e (patch) | |
| tree | 94a134f4ac46a633ce5ddb77d45cc754ca770abb | |
| parent | 06b14835a973b759205e92f19fa9f66596e066a7 (diff) | |
| download | bluez-a1e210e40256d9994b854b536cef5a6633a4af9e.tar.gz bluez-a1e210e40256d9994b854b536cef5a6633a4af9e.tar.bz2 bluez-a1e210e40256d9994b854b536cef5a6633a4af9e.zip | |
Fix the security vulnerability issue
A variant of this attack works when bluetoothctl shows that bluetooth is
discoverable, pariable, and discovering (only a subset may be necessary). On
Ubuntu 22.04 Desktop this becomes true when the GNOME panel for
bluetooth settings is opened.
BlueZ's setting ClassicBondedOnly=true prevents this attack.
This parameter is not enabled in CVE-2020-0556 patches and all distros
I checked have not opted into this setting. Most members of the distros list
are likely affected.
Change-Id: Ib4883d1766d314bcd415308a9e4805e196462f3a
Signed-off-by: Wootak Jung <wootak.jung@samsung.com>
| -rwxr-xr-x | profiles/input/input.conf | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/profiles/input/input.conf b/profiles/input/input.conf index 2c18fa1c..227b00af 100755 --- a/profiles/input/input.conf +++ b/profiles/input/input.conf @@ -18,7 +18,7 @@ # device connections. Several older mice have been known for not supporting # pairing/encryption. # Defaults to false to maximize device compatibility. -#ClassicBondedOnly=true +ClassicBondedOnly=true #ifndef TIZEN_FEATURE_BLUEZ_MODIFY # LE upgrade security |