Bug 32604 - bluez new security issue CVE-2023-45866
Summary: bluez new security issue CVE-2023-45866
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://github.com/skysafe/reblog/tre...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-12-08 10:25 CET by Nicolas Salguero
Modified: 2023-12-20 19:22 CET

See Also:
Source RPM: bluez-5.70-1.mga10.src.rpm
CVE: CVE-2023-45866
Status comment: Patch available from upstream



Description Nicolas Salguero 2023-12-08 10:25:32 CET
Ubuntu has issued an advisory on December 7:
https://ubuntu.com/security/notices/USN-6540-1

Mageia 9 is also affected.
Nicolas Salguero 2023-12-08 10:26:04 CET

Source RPM: (none) => bluez-5.70-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from upstream

Comment 1 Guillaume Bedot 2023-12-08 12:38:20 CET
In the meantime, can it be mitigated with ClassicBondedOnly in input.conf?

CC: (none) => geex+mageia

Comment 2 Lewis Smith 2023-12-10 21:26:41 CET
The URL describes the flaw, and has the link to the Linux patch:

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

which is just a boolean change as noted in the previous comment:
"input.conf: Change default of ClassicBondedOnly
This changes the default of ClassicBondedOnly"

Assigning to DavidG who currently updates bluez.

Assignee: bugsquad => geiger.david68210
URL: (none) => https://github.com/skysafe/reblog/tree/main/cve-2023-45866

Comment 3 David GEIGER 2023-12-11 17:52:18 CET
Fixed for Cauldron!


Assigning to QA,


Package in 9/Core/Updates_testing:
=====================
libbluez-devel-5.70-1.mga9
lib64bluez-devel-5.70-1.mga9
bluez-mesh-5.70-1.mga9
libbluez3-5.70-1.mga9
lib64bluez3-5.70-1.mga9
bluez-hid2hci-5.70-1.mga9
bluez-5.70-1.mga9
bluez-cups-5.70-1.mga9

From SRPMS:
bluez-5.70-1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Marja Van Waes 2023-12-11 21:40:42 CET

CC: (none) => marja11
CVE: (none) => CVE-2023-45866

Comment 4 Marja Van Waes 2023-12-11 22:05:13 CET
Advisory with SRPM from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory

Comment 5 Herman Viaene 2023-12-12 16:30:47 CET
MGA9-64 on HP-Pavilion
No installation issues.
Ref bug 31018 for testing:
restart bluetooth after installation: OK
Using bluetooth device manager I can see my Nokia 1 smartphone (old device, bluetooth always on) and connect.
Sending file from laptop fails: connection reset by peer (104). Googling does not make me any wiser, but basically it seems to work.
I will agree with the OK if someone has a more complete test.

CC: (none) => herman.viaene

Comment 6 Len Lawrence 2023-12-12 19:23:06 CET
Adding bluetooth audio test to Herman's check.  I have a bluetooth printer but had too much trouble on another occasion to try to connect it just now.
Updated after removing the 32-bit libraries from the list.

Restarted bluetooth from the Blueman applet by switching bluetooth off and on.
$ sudo systemctl status bluetooth
to check that it had restarted OK.
Switched on audio device in bluetooth mode and it connected almost immediately and the applet showed the BT symbol in green.  Checked a Youtube video in Firefox.  Sound is fine.

Backing up the OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

Comment 7 Thomas Andrews 2023-12-13 01:08:09 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Guillaume Bedot 2023-12-14 09:24:39 CET
@Herman Viaene, @Len Lawrence: If I understood correctly, it affects only input / HID protocol. It isn't about file transfers or audio.

Maybe we could test with two USB dongles, with one simulating an unbonded HID device. Not sure there is a POC for that yet.

Or try with one of the devices (mouse, keyboard) that require that the option is not set, then check that it doesn't work?

Comment 9 Guillaume Bedot 2023-12-14 09:50:04 CET
I tried to connect an unbonded keyboard:

déc. 14 08:30:49 x2.local bluetoothd[1241261]: src/agent.c:pincode_reply() Agent /org/gnome/bluetooth/settings replied with an error: org.bluez.Error.Rejected, Missing information for /org/bluez/hci0/dev_00_11_67_00_03_85

I had to temporarily set the option to false to bind the keyboard.

Once the keyboard is bonded, I returned to the default, and the keyboard can still connect / works as expected.

Is this the intended behavior?

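Added example, not part of any comment in this report and not BlueZ or Mageia code: a shell check for the setting discussed in comment 1 and comment 9, reporting the effective ClassicBondedOnly value of an input.conf so that a "false" left in place after pairing a device is noticed. The function names, the constructed sample file and the caller-supplied build default are assumptions of this example.

```shell
#!/bin/sh
# Report the effective ClassicBondedOnly value for a BlueZ input.conf.
# Usage: effective_cbo FILE BUILD_DEFAULT
# BUILD_DEFAULT is what the installed bluetoothd uses when the key is absent
# or commented out ("true" for a build carrying the upstream fix). It is an
# assumption supplied by the caller; this script does not inspect the binary.
effective_cbo() {
    conf=$1; default=$2
    [ -r "$conf" ] || { printf '%s\n' "$default"; return 0; }
    awk -v def="$default" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        /^[ \t]*\[/    { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[General]" {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "ClassicBondedOnly") {   # last occurrence wins
                if (val == "true" || val == "1") found = "true"
                else if (val == "false" || val == "0") found = "false"
                else found = "invalid"          # flag it for the admin
            }
        }
        END { print (found != "" ? found : def) }
    ' "$conf"
}

# Exit status 0 only when HID connections are limited to bonded devices.
cbo_is_hardened() {
    [ "$(effective_cbo "$1" "$2")" = "true" ]
}

# Constructed sample: the override used for pairing was never reverted.
sample=$(mktemp)
printf '%s\n' '[General]' '#IdleTimeout=30' '#ClassicBondedOnly=true' \
    'ClassicBondedOnly=false' > "$sample"
if cbo_is_hardened "$sample" true; then
    echo "ClassicBondedOnly effective: true"
else
    echo "WARNING: unbonded HID connections accepted ($(effective_cbo "$sample" true))"
fi
rm -f "$sample"
```

On a real system, point the function at the installed input.conf (commonly /etc/bluetooth/input.conf) and pass the default of the installed bluez build.
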
Comment 10 Thomas Andrews 2023-12-14 15:30:09 CET
Removing the validation until the questions of comment 8 and comment 9 are answered.

Keywords: validated_update => (none)

Comment 11 Guillaume Bedot 2023-12-16 20:37:54 CET
I have tested again with kernel 6.5.13, and this time it asked for the PIN code without changing the option. It asked several times, before bonding worked, but maybe it's the batteries.

Comment 12 Guillaume Royer 2023-12-19 21:38:34 CET
MGA9 64 GNOME

Updated with QA Repo.
After reboot, my Logitech K380 keyboard is still working well. No issues with it.
I tried to pair my Samsung Galaxy A14; I don't have any issues after entering the code, and communication is good.

CC: (none) => guillaume.royer

Comment 13 Thomas Andrews 2023-12-19 23:50:51 CET
Validating again.

Keywords: (none) => validated_update

Comment 14 Mageia Robot 2023-12-20 19:22:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0353.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

