microsoft
diff --git a/‎SPECS/bluez/CVE-2023-45866.patch‎
Lines changed: 50 additions & 0 deletions b/‎SPECS/bluez/CVE-2023-45866.patch‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎SPECS/bluez/bluez.spec‎
Lines changed: 5 additions & 1 deletion b/‎SPECS/bluez/bluez.spec‎
Lines changed: 5 additions & 1 deletion
@@ -0,0 +1,50 @@
+From 61522c4a6b3ccf667bd89925477ae866715f110e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: [PATCH] input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 0138992..156f9f1 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -81,7 +81,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+ 
+ # LE upgrade security
+-- 
+2.38.1
+
@@ -1,7 +1,7 @@
 Summary:        Bluetooth utilities
 Name:           bluez
 Version:        5.63
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2+ AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -25,6 +25,7 @@ Patch7:         0001-hog-Fix-read-order-of-attributes-rediffed.patch
 Patch8:         0002-hog-Add-input-queue-while-uhid-device-has-not-been-c-rediffed.patch
 Patch9:         CVE-2022-3563.patch
 Patch10:        CVE-2023-50229-CVE-2023-50230.patch
+Patch11:        CVE-2023-45866.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 # For printing
@@ -273,6 +274,9 @@ install emulator/btvirt %{buildroot}/%{_libexecdir}/bluetooth/
 %{_userunitdir}/obex.service
 
 %changelog
+* Wed Oct 30 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 5.63-6
+- Patched CVE-2023-45866.
+
 * Fri Jun 21 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 5.63-5
 - Patch CVE-2023-50229 and CVE-2023-50230