Ubuntu has issued an advisory on December 7: https://ubuntu.com/security/notices/USN-6540-1 Mageia 9 is also affected.
Source RPM: (none) => bluez-5.70-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from upstream
In the meantime, can it be mitigated with ClassicBondedOnly in input.conf?
CC: (none) => geex+mageia
The URL describes the flaw, and has the link to the Linux patch: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675 which is just a boolean change as noted in the previous comment: "input.conf: Change default of ClassicBondedOnly This changes the default of ClassicBondedOnly" Assigning to DavidG who currently updates bluez.
Assignee: bugsquad => geiger.david68210
URL: (none) => https://github.com/skysafe/reblog/tree/main/cve-2023-45866
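As an added example (not part of the bug report or of BlueZ), a small Python check for the ClassicBondedOnly mitigation asked about above: given the text of input.conf and the installed build's compiled-in default, it reports the effective setting and where it comes from. It assumes the default was false before the upstream commit and is true after it, that the key lives in the [General] section, and that /etc/bluetooth/input.conf is the file's usual location.

```python
import configparser
import sys

# Constructed sample files, not taken from the bug report.
SAMPLE_UNSET = "[General]\n#IdleTimeout=30\n#ClassicBondedOnly=true\n"
SAMPLE_WEAK = "[General]\nClassicBondedOnly=false\n"

def parse_bool(raw):
    # Assumption: key-file booleans are spelled true/1 and false/0.
    return {"true": True, "1": True, "false": False, "0": False}.get(raw.strip())

def classic_bonded_only(conf_text, build_default):
    """Return (effective_value, source) for ClassicBondedOnly.

    build_default is the compiled-in default of the installed bluetoothd.
    Assumption: False before the upstream commit linked in this thread,
    True from that commit on.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names case-sensitive
    try:
        cp.read_string(conf_text)
    except configparser.Error:
        return build_default, "default (file not parsable)"
    raw = cp.get("General", "ClassicBondedOnly", fallback=None)
    value = None if raw is None else parse_bool(raw)
    if value is None:  # key absent, commented out, or not a boolean
        return build_default, "default"
    return value, "input.conf"

def audit(conf_text, build_default):
    value, source = classic_bonded_only(conf_text, build_default)
    verdict = "bonded devices only" if value else "unbonded HID devices accepted"
    return f"ClassicBondedOnly={str(value).lower()} ({source}): {verdict}"

if __name__ == "__main__":
    # Usage: script.py [path]; the path below is the usual location (assumption).
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/bluetooth/input.conf"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_UNSET  # fall back to the constructed sample
    for label, default in (("pre-patch build", False), ("patched build", True)):
        print(f"{label}: {audit(text, default)}")
```

A commented-out key counts as unset, so on an unpatched build only an explicit `ClassicBondedOnly=true` line changes the result.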
Fixed for Cauldron! Assigning to QA,
Package in 9/Core/Updates_testing:
=====================
libbluez-devel-5.70-1.mga9
lib64bluez-devel-5.70-1.mga9
bluez-mesh-5.70-1.mga9
libbluez3-5.70-1.mga9
lib64bluez3-5.70-1.mga9
bluez-hid2hci-5.70-1.mga9
bluez-5.70-1.mga9
bluez-cups-5.70-1.mga9
From SRPMS:
bluez-5.70-1.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
CC: (none) => marja11
CVE: (none) => CVE-2023-45866
Advisory with SRPM from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisory
MGA9-64 on HP-Pavilion. No installation issues. Ref bug 31018 for testing: restart bluetooth after installation: OK. Using the bluetooth device manager I can see my Nokia 1 smartphone (old device, bluetooth always on) and connect. Sending a file from the laptop fails: connection reset by peer (104). Googling does not make me any wiser, but basically it seems to work. I will agree with the OK if someone has a more complete test.
CC: (none) => herman.viaene
Adding bluetooth audio test to Herman's check. I have a bluetooth printer but had too much trouble on another occasion to try to connect it just now. Updated after removing the 32-bit libraries from the list. Restarted bluetooth from the Blueman applet by switching bluetooth off and on.
$ sudo systemctl status bluetooth
to check that it had restarted OK. Switched on audio device in bluetooth mode and it connected almost immediately and the applet showed the BT symbol in green. Checked a Youtube video in Firefox. Sound is fine. Backing up the OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
@Herman Viaene, @Len Lawrence: If I understood correctly, it affects only the input / HID protocol. It isn't about file transfers or audio. Maybe we could test with two USB dongles, with one simulating an unbonded HID device. Not sure there is a POC for that yet. Or try with one of the devices (mouse, keyboard) that required that the option is not set, then check it doesn't work?
I tried to connect an unbonded keyboard:
déc. 14 08:30:49 x2.local bluetoothd[1241261]: src/agent.c:pincode_reply() Agent /org/gnome/bluetooth/settings replied with an error: org.bluez.Error.Rejected, Missing information for /org/bluez/hci0/dev_00_11_67_00_03_85
I had to temporarily set the option to false to bond the keyboard. Once the keyboard was bonded, I returned to the default, and the keyboard can still connect / works as expected. Is this the intended behavior?
Removing the validation until the questions of comment 8 and comment 9 are answered.
Keywords: validated_update => (none)
I have tested again with kernel 6.5.13, and this time it asked for the PIN code without changing the option. It asked several times, before bonding worked, but maybe it's the batteries.
MGA9 64 GNOME. Updated with QA Repo. After reboot, my Logitech K380 keyboard is still working well. No issues with it. I tried to pair my Samsung Galaxy A14; I don't have any issues after entering the code, communication is good.
CC: (none) => guillaume.royer
Validating again.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0353.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED