7 files changed, 523 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
new file mode 100644
index 0000000000..b39730dc10
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+CVE: CVE-2021-0129
+---
+ src/shared/att-types.h   |  8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
+++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE       0x0200
+ #define BT_ATT_PERM_SECURE             (BT_ATT_PERM_READ_SECURE | \
+                                        BT_ATT_PERM_WRITE_SECURE)
+#define BT_ATT_PERM_READ_MASK          (BT_ATT_PERM_READ | \
+                                       BT_ATT_PERM_READ_AUTHEN | \
+                                       BT_ATT_PERM_READ_ENCRYPT | \
+                                       BT_ATT_PERM_READ_SECURE)
+#define BT_ATT_PERM_WRITE_MASK         (BT_ATT_PERM_WRITE | \
+                                       BT_ATT_PERM_WRITE_AUTHEN | \
+                                       BT_ATT_PERM_WRITE_ENCRYPT | \
+                                       BT_ATT_PERM_WRITE_SECURE)
+ 
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST                    0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+                return;
+        }
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+                                handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+                        opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+                        handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(data->server, next_attr,
+                                               BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+        util_debug(server->debug_callback, server->debug_data,
+                                "Prep Write Req - handle: 0x%04x", handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+-- 
+cgit 1.2.3-1.el7
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
new file mode 100644
index 0000000000..f52ff47a06
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+When client features is read check if the offset is within the cli_feat
+bounds.
+Fixes: https://github.com/bluez/bluez/issues/70
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+CVE: CVE-2021-3588
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
+++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+                goto done;
+        }
+ 
+       if (offset >= sizeof(state->cli_feat)) {
+               ecode = BT_ATT_ERROR_INVALID_OFFSET;
+               goto done;
+       }
+
+        len = sizeof(state->cli_feat) - offset;
+        value = len ? &state->cli_feat[offset] : NULL;
+ 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
new file mode 100644
index 0000000000..1738ca13da
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
+++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+        if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+                g_dbus_emit_property_changed(dbus_conn, adapter->path,
+                                        ADAPTER_INTERFACE, "Discoverable");
+-               store_adapter_info(adapter);
+               /* Only persist discoverable setting if it was not set
+                * temporarily by discovery.
+                */
+               if (!adapter->discovery_discoverable)
+                       store_adapter_info(adapter);
+                btd_adv_manager_refresh(adapter->adv_manager);
+        }
+ 
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+        struct mgmt_cp_start_service_discovery *sd_cp;
+-       GSList *l;
+-
+ 
+        DBG("");
+ 
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+                return -ENOMEM;
+        }
+ 
+-       for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+-               struct discovery_client *client = l->data;
+       /* Only attempt to overwrite current discoverable setting when not
+        * discoverable.
+        */
+       if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
+               GSList *l;
+ 
+-               if (!client->discovery_filter)
+-                       continue;
+               for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+                       struct discovery_client *client = l->data;
+ 
+-               if (client->discovery_filter->discoverable)
+-                       break;
+-       }
+                       if (!client->discovery_filter)
+                               continue;
+ 
+-       set_discovery_discoverable(adapter, l ? true : false);
+                       if (client->discovery_filter->discoverable) {
+                               set_discovery_discoverable(adapter, true);
+                               break;
+                       }
+               }
+       }
+ 
+        /*
+         * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+                return 0;
+        }
+ 
+-       if (adapter->discovery_discoverable)
+-               set_discovery_discoverable(adapter, false);
+       set_discovery_discoverable(adapter, false);
+ 
+        /*
+         * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+        g_free(adapter->current_discovery_filter);
+        adapter->current_discovery_filter = NULL;
+ 
+       set_discovery_discoverable(adapter, false);
+        adapter->discovering = false;
+ 
+        while (adapter->connections) {
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
new file mode 100644
index 0000000000..646b5ddfc8
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
+From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+ writes
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+CVE: CVE-2022-0204
+---
+ src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0c25a97..20e14bc 100644
+--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
+@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+                                                server->authorize_data);
+ }
+ 
+static uint8_t check_length(uint16_t length, uint16_t offset)
+{
+       if (length > BT_ATT_MAX_VALUE_LEN)
+               return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+       if (offset > BT_ATT_MAX_VALUE_LEN)
+               return BT_ATT_ERROR_INVALID_OFFSET;
+
+       if (length + offset > BT_ATT_MAX_VALUE_LEN)
+               return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+       return 0;
+}
+
+ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                        uint16_t length, void *user_data)
+ {
+@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+                                handle);
+ 
+       ecode = check_length(length, 0);
+       if (ecode)
+               goto error;
+
+        ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+        util_debug(server->debug_callback, server->debug_data,
+                                "Prep Write Req - handle: 0x%04x", handle);
+ 
+       ecode = check_length(length, offset);
+       if (ecode)
+               goto error;
+
+        ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
new file mode 100644
index 0000000000..4ca60f99d5
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
@@ -0,0 +1,39 @@
+From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 27 Oct 2022 09:51:27 +0530
+Subject: [PATCH] CVE-2022-3637
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f]
+CVE: CVE-2022-3637
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+monitor: Fix crash when using RTT backend
+This fix regression introduced by "monitor: Fix memory leaks".
+J-Link shared library is in use if jlink_init() returns 0 and thus
+handle shall not be closed.
+---
+ monitor/jlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index afa9d93..5bd4aed 100644
+--- a/monitor/jlink.c
+++ b/monitor/jlink.c
+@@ -120,9 +120,12 @@ int jlink_init(void)
+                        !jlink.tif_select || !jlink.setspeed ||
+                        !jlink.connect || !jlink.getsn ||
+                        !jlink.emu_getproductname ||
+-                       !jlink.rtterminal_control || !jlink.rtterminal_read)
+                       !jlink.rtterminal_control || !jlink.rtterminal_read) {
+               dlclose(so);
+                return -EIO;
+       }
+ 
+       /* don't dlclose(so) here cause symbols from it are in use now */
+        return 0;
+ }
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
new file mode 100644
index 0000000000..7bd1f5f80f
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
@@ -0,0 +1,126 @@
+From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 28 Sep 2022 10:45:53 +0530
+Subject: [PATCH] CVE-2022-39176
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]
+CVE: CVE-2022-39176
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
+ profiles/audio/avrcp.c |  8 ++++++
+ 2 files changed, 44 insertions(+), 20 deletions(-)
+diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
+index 782268c..0adf413 100644
+--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
+@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
+        return NULL;
+ }
+ 
+-static GSList *caps_to_list(uint8_t *data, int size,
+static GSList *caps_to_list(uint8_t *data, size_t size,
+                                struct avdtp_service_capability **codec,
+                                gboolean *delay_reporting)
+ {
+       struct avdtp_service_capability *cap;
+        GSList *caps;
+-       int processed;
+ 
+        if (delay_reporting)
+                *delay_reporting = FALSE;
+ 
+-       for (processed = 0, caps = NULL; processed + 2 <= size;) {
+-               struct avdtp_service_capability *cap;
+-               uint8_t length, category;
+       if (size < sizeof(*cap))
+               return NULL;
+
+       for (caps = NULL; size >= sizeof(*cap);) {
+               struct avdtp_service_capability *cpy;
+ 
+-               category = data[0];
+-               length = data[1];
+               cap = (struct avdtp_service_capability *)data;
+ 
+-               if (processed + 2 + length > size) {
+               if (sizeof(*cap) + cap->length > size) {
+                        error("Invalid capability data in getcap resp");
+                        break;
+                }
+ 
+-               cap = g_malloc(sizeof(struct avdtp_service_capability) +
+-                                       length);
+-               memcpy(cap, data, 2 + length);
+               if (cap->category == AVDTP_MEDIA_CODEC &&
+                                       cap->length < sizeof(**codec)) {
+                       error("Invalid codec data in getcap resp");
+                       break;
+               }
+
+               cpy = btd_malloc(sizeof(*cpy) + cap->length);
+               memcpy(cpy, cap, sizeof(*cap) + cap->length);
+ 
+-               processed += 2 + length;
+-               data += 2 + length;
+               size -= sizeof(*cap) + cap->length;
+               data += sizeof(*cap) + cap->length;
+ 
+-               caps = g_slist_append(caps, cap);
+               caps = g_slist_append(caps, cpy);
+ 
+-               if (category == AVDTP_MEDIA_CODEC &&
+-                               length >=
+-                               sizeof(struct avdtp_media_codec_capability))
+-                       *codec = cap;
+-               else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
+-                       *delay_reporting = TRUE;
+               switch (cap->category) {
+               case AVDTP_MEDIA_CODEC:
+                       if (codec)
+                               *codec = cpy;
+                       break;
+               case AVDTP_DELAY_REPORTING:
+                       if (delay_reporting)
+                               *delay_reporting = TRUE;
+                       break;
+               }
+        }
+ 
+        return caps;
+@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
+                                        &stream->codec,
+                                        &stream->delay_reporting);
+ 
+       if (!stream->caps || !stream->codec) {
+               err = AVDTP_UNSUPPORTED_CONFIGURATION;
+               category = 0x00;
+               goto failed_stream;
+       }
+
+        /* Verify that the Media Transport capability's length = 0. Reject otherwise */
+        for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
+                struct avdtp_service_capability *cap = l->data;
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index d9471c0..0233d53 100644
+--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
+@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
+                goto err_metadata;
+        }
+ 
+       operands += sizeof(*pdu);
+       operand_count -= sizeof(*pdu);
+
+       if (pdu->params_len != operand_count) {
+               DBG("AVRCP PDU parameters length don't match");
+               pdu->params_len = operand_count;
+       }
+
+        for (handler = session->control_handlers; handler->pdu_id; handler++) {
+                if (handler->pdu_id == pdu->pdu_id)
+                        break;
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
new file mode 100644
index 0000000000..43670ab2b3
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,54 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+5.4.3.4.2 Security Modes
+Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+Bluetooth HID devices that are compliant to the Bluetooth Core
+Specification v2.1+EDR[6].
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
+CVE: CVE-2023-45866
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 375314e..0236488 100644
+--- a/profiles/input/device.c
+++ b/profiles/input/device.c
+@@ -93,7 +93,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
+static bool classic_bonded_only = true;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
+# Defaults to true for security.
+ #ClassicBondedOnly=true
+ 
+ # LE upgrade security
+-- 
+2.25.1

diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch new file mode 100644 index 0000000000..b39730dc10 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
	1	From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Tue, 2 Mar 2021 11:38:33 -0800
	4	Subject: shared/gatt-server: Fix not properly checking for secure flags
	5
	6	When passing the mask to check_permissions all valid permissions for
	7	the operation must be set including BT_ATT_PERM_SECURE flags.
	8
	9	Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
	10	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	11	CVE: CVE-2021-0129
	12	---
	13	src/shared/att-types.h \| 8 ++++++++
	14	src/shared/gatt-server.c \| 25 +++++++------------------
	15	2 files changed, 15 insertions(+), 18 deletions(-)
	16
	17	diff --git a/src/shared/att-types.h b/src/shared/att-types.h
	18	index 7108b4e94..3adc05d9e 100644
	19	--- a/src/shared/att-types.h
	20	+++ b/src/shared/att-types.h
	21	@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
	22	#define BT_ATT_PERM_WRITE_SECURE 0x0200
	23	#define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE \| \
	24	BT_ATT_PERM_WRITE_SECURE)
	25	+#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ \| \
	26	+ BT_ATT_PERM_READ_AUTHEN \| \
	27	+ BT_ATT_PERM_READ_ENCRYPT \| \
	28	+ BT_ATT_PERM_READ_SECURE)
	29	+#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE \| \
	30	+ BT_ATT_PERM_WRITE_AUTHEN \| \
	31	+ BT_ATT_PERM_WRITE_ENCRYPT \| \
	32	+ BT_ATT_PERM_WRITE_SECURE)
	33
	34	/* GATT Characteristic Properties Bitfield values */
	35	#define BT_GATT_CHRC_PROP_BROADCAST 0x01
	36	diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
	37	index b5f7de7dc..970c35f94 100644
	38	--- a/src/shared/gatt-server.c
	39	+++ b/src/shared/gatt-server.c
	40	@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
	41	return;
	42	}
	43
	44	- ecode = check_permissions(server, attr, BT_ATT_PERM_READ \|
	45	- BT_ATT_PERM_READ_AUTHEN \|
	46	- BT_ATT_PERM_READ_ENCRYPT);
	47	+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
	48	if (ecode)
	49	goto error;
	50
	51	@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan chan, uint8_t opcode, const void pdu,
	52	(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
	53	handle);
	54
	55	- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE \|
	56	- BT_ATT_PERM_WRITE_AUTHEN \|
	57	- BT_ATT_PERM_WRITE_ENCRYPT);
	58	+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	59	if (ecode)
	60	goto error;
	61
	62	@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
	63	opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
	64	handle);
	65
	66	- ecode = check_permissions(server, attr, BT_ATT_PERM_READ \|
	67	- BT_ATT_PERM_READ_AUTHEN \|
	68	- BT_ATT_PERM_READ_ENCRYPT);
	69	+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
	70	if (ecode)
	71	goto error;
	72
	73	@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
	74	goto error;
	75	}
	76
	77	- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ \|
	78	- BT_ATT_PERM_READ_AUTHEN \|
	79	- BT_ATT_PERM_READ_ENCRYPT);
	80	+ ecode = check_permissions(data->server, next_attr,
	81	+ BT_ATT_PERM_READ_MASK);
	82	if (ecode)
	83	goto error;
	84
	85	@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
	86	goto error;
	87	}
	88
	89	- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ \|
	90	- BT_ATT_PERM_READ_AUTHEN \|
	91	- BT_ATT_PERM_READ_ENCRYPT);
	92	+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
	93	if (ecode)
	94	goto error;
	95
	96	@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
	97	util_debug(server->debug_callback, server->debug_data,
	98	"Prep Write Req - handle: 0x%04x", handle);
	99
	100	- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE \|
	101	- BT_ATT_PERM_WRITE_AUTHEN \|
	102	- BT_ATT_PERM_WRITE_ENCRYPT);
	103	+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	104	if (ecode)
	105	goto error;
	106
	107	--
	108	cgit 1.2.3-1.el7
	109


diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch new file mode 100644 index 0000000000..f52ff47a06 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
	1	From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Mon, 4 Jan 2021 10:38:31 -0800
	4	Subject: [PATCH] gatt: Fix potential buffer out-of-bound
	5
	6	When client features is read check if the offset is within the cli_feat
	7	bounds.
	8
	9	Fixes: https://github.com/bluez/bluez/issues/70
	10
	11	+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
	12	+Signed-off-by: Steve Sakoman <steve@sakoman.com>
	13	+CVE: CVE-2021-3588
	14
	15	---
	16	src/gatt-database.c \| 5 +++++
	17	1 file changed, 5 insertions(+)
	18
	19	diff --git a/src/gatt-database.c b/src/gatt-database.c
	20	index 90cc4bade..f2d7b5821 100644
	21	--- a/src/gatt-database.c
	22	+++ b/src/gatt-database.c
	23	@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
	24	goto done;
	25	}
	26
	27	+ if (offset >= sizeof(state->cli_feat)) {
	28	+ ecode = BT_ATT_ERROR_INVALID_OFFSET;
	29	+ goto done;
	30	+ }
	31	+
	32	len = sizeof(state->cli_feat) - offset;
	33	value = len ? &state->cli_feat[offset] : NULL;
	34


diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch new file mode 100644 index 0000000000..1738ca13da --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
	1	From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Thu, 24 Jun 2021 16:32:04 -0700
	4	Subject: [PATCH] adapter: Fix storing discoverable setting
	5
	6	discoverable setting shall only be store when changed via Discoverable
	7	property and not when discovery client set it as that be considered
	8	temporary just for the lifetime of the discovery.
	9
	10	Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
	11	Signed-off-by:Minjae Kim <flowergom@gmail.com>
	12	---
	13	src/adapter.c \| 35 ++++++++++++++++++++++-------------
	14	1 file changed, 22 insertions(+), 13 deletions(-)
	15
	16	diff --git a/src/adapter.c b/src/adapter.c
	17	index 12e4ff5c0..663b778e4 100644
	18	--- a/src/adapter.c
	19	+++ b/src/adapter.c
	20	@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
	21	if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
	22	g_dbus_emit_property_changed(dbus_conn, adapter->path,
	23	ADAPTER_INTERFACE, "Discoverable");
	24	- store_adapter_info(adapter);
	25	+ /* Only persist discoverable setting if it was not set
	26	+ * temporarily by discovery.
	27	+ */
	28	+ if (!adapter->discovery_discoverable)
	29	+ store_adapter_info(adapter);
	30	btd_adv_manager_refresh(adapter->adv_manager);
	31	}
	32
	33	@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
	34	static int update_discovery_filter(struct btd_adapter *adapter)
	35	{
	36	struct mgmt_cp_start_service_discovery *sd_cp;
	37	- GSList *l;
	38	-
	39
	40	DBG("");
	41
	42	@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
	43	return -ENOMEM;
	44	}
	45
	46	- for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
	47	- struct discovery_client *client = l->data;
	48	+ /* Only attempt to overwrite current discoverable setting when not
	49	+ * discoverable.
	50	+ */
	51	+ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
	52	+ GSList *l;
	53
	54	- if (!client->discovery_filter)
	55	- continue;
	56	+ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
	57	+ struct discovery_client *client = l->data;
	58
	59	- if (client->discovery_filter->discoverable)
	60	- break;
	61	- }
	62	+ if (!client->discovery_filter)
	63	+ continue;
	64
	65	- set_discovery_discoverable(adapter, l ? true : false);
	66	+ if (client->discovery_filter->discoverable) {
	67	+ set_discovery_discoverable(adapter, true);
	68	+ break;
	69	+ }
	70	+ }
	71	+ }
	72
	73	/*
	74	* If filters are equal, then don't update scan, except for when
	75	@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
	76	return 0;
	77	}
	78
	79	- if (adapter->discovery_discoverable)
	80	- set_discovery_discoverable(adapter, false);
	81	+ set_discovery_discoverable(adapter, false);
	82
	83	/*
	84	* In the idle phase of a discovery, there is no need to stop it
	85	@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
	86	g_free(adapter->current_discovery_filter);
	87	adapter->current_discovery_filter = NULL;
	88
	89	+ set_discovery_discoverable(adapter, false);
	90	adapter->discovering = false;
	91
	92	while (adapter->connections) {
	93	--
	94	2.25.1
	95


diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch new file mode 100644 index 0000000000..646b5ddfc8 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
	1	From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Tue, 8 Jun 2021 16:46:49 -0700
	4	Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
	5	writes
	6
	7	The code shall check if the prepare writes would append more the
	8	allowed maximum attribute length.
	9
	10	Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
	11
	12	Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
	13	Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
	14	CVE: CVE-2022-0204
	15
	16	---
	17	src/shared/gatt-server.c \| 22 ++++++++++++++++++++++
	18	1 file changed, 22 insertions(+)
	19
	20	diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
	21	index 0c25a97..20e14bc 100644
	22	--- a/src/shared/gatt-server.c
	23	+++ b/src/shared/gatt-server.c
	24	@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
	25	server->authorize_data);
	26	}
	27
	28	+static uint8_t check_length(uint16_t length, uint16_t offset)
	29	+{
	30	+ if (length > BT_ATT_MAX_VALUE_LEN)
	31	+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
	32	+
	33	+ if (offset > BT_ATT_MAX_VALUE_LEN)
	34	+ return BT_ATT_ERROR_INVALID_OFFSET;
	35	+
	36	+ if (length + offset > BT_ATT_MAX_VALUE_LEN)
	37	+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
	38	+
	39	+ return 0;
	40	+}
	41	+
	42	static void write_cb(struct bt_att_chan chan, uint8_t opcode, const void pdu,
	43	uint16_t length, void *user_data)
	44	{
	45	@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan chan, uint8_t opcode, const void pdu,
	46	(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
	47	handle);
	48
	49	+ ecode = check_length(length, 0);
	50	+ if (ecode)
	51	+ goto error;
	52	+
	53	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	54	if (ecode)
	55	goto error;
	56	@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
	57	util_debug(server->debug_callback, server->debug_data,
	58	"Prep Write Req - handle: 0x%04x", handle);
	59
	60	+ ecode = check_length(length, offset);
	61	+ if (ecode)
	62	+ goto error;
	63	+
	64	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	65	if (ecode)
	66	goto error;


diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch new file mode 100644 index 0000000000..4ca60f99d5 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
@@ -0,0 +1,39 @@
	1	From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Thu, 27 Oct 2022 09:51:27 +0530
	4	Subject: [PATCH] CVE-2022-3637
	5
	6	Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f]
	7	CVE: CVE-2022-3637
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9
	10	monitor: Fix crash when using RTT backend
	11
	12	This fix regression introduced by "monitor: Fix memory leaks".
	13	J-Link shared library is in use if jlink_init() returns 0 and thus
	14	handle shall not be closed.
	15	---
	16	monitor/jlink.c \| 5 ++++-
	17	1 file changed, 4 insertions(+), 1 deletion(-)
	18
	19	diff --git a/monitor/jlink.c b/monitor/jlink.c
	20	index afa9d93..5bd4aed 100644
	21	--- a/monitor/jlink.c
	22	+++ b/monitor/jlink.c
	23	@@ -120,9 +120,12 @@ int jlink_init(void)
	24	!jlink.tif_select \|\| !jlink.setspeed \|\|
	25	!jlink.connect \|\| !jlink.getsn \|\|
	26	!jlink.emu_getproductname \|\|
	27	- !jlink.rtterminal_control \|\| !jlink.rtterminal_read)
	28	+ !jlink.rtterminal_control \|\| !jlink.rtterminal_read) {
	29	+ dlclose(so);
	30	return -EIO;
	31	+ }
	32
	33	+ /* don't dlclose(so) here cause symbols from it are in use now */
	34	return 0;
	35	}
	36
	37	--
	38	2.25.1
	39


diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch new file mode 100644 index 0000000000..7bd1f5f80f --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
@@ -0,0 +1,126 @@
	1	From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Wed, 28 Sep 2022 10:45:53 +0530
	4	Subject: [PATCH] CVE-2022-39176
	5
	6	Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]
	7	CVE: CVE-2022-39176
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9	---
	10	profiles/audio/avdtp.c \| 56 +++++++++++++++++++++++++++---------------
	11	profiles/audio/avrcp.c \| 8 ++++++
	12	2 files changed, 44 insertions(+), 20 deletions(-)
	13
	14	diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
	15	index 782268c..0adf413 100644
	16	--- a/profiles/audio/avdtp.c
	17	+++ b/profiles/audio/avdtp.c
	18	@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep avdtp_find_remote_sep(struct avdtp session,
	19	return NULL;
	20	}
	21
	22	-static GSList caps_to_list(uint8_t data, int size,
	23	+static GSList caps_to_list(uint8_t data, size_t size,
	24	struct avdtp_service_capability **codec,
	25	gboolean *delay_reporting)
	26	{
	27	+ struct avdtp_service_capability *cap;
	28	GSList *caps;
	29	- int processed;
	30
	31	if (delay_reporting)
	32	*delay_reporting = FALSE;
	33
	34	- for (processed = 0, caps = NULL; processed + 2 <= size;) {
	35	- struct avdtp_service_capability *cap;
	36	- uint8_t length, category;
	37	+ if (size < sizeof(*cap))
	38	+ return NULL;
	39	+
	40	+ for (caps = NULL; size >= sizeof(*cap);) {
	41	+ struct avdtp_service_capability *cpy;
	42
	43	- category = data[0];
	44	- length = data[1];
	45	+ cap = (struct avdtp_service_capability *)data;
	46
	47	- if (processed + 2 + length > size) {
	48	+ if (sizeof(*cap) + cap->length > size) {
	49	error("Invalid capability data in getcap resp");
	50	break;
	51	}
	52
	53	- cap = g_malloc(sizeof(struct avdtp_service_capability) +
	54	- length);
	55	- memcpy(cap, data, 2 + length);
	56	+ if (cap->category == AVDTP_MEDIA_CODEC &&
	57	+ cap->length < sizeof(**codec)) {
	58	+ error("Invalid codec data in getcap resp");
	59	+ break;
	60	+ }
	61	+
	62	+ cpy = btd_malloc(sizeof(*cpy) + cap->length);
	63	+ memcpy(cpy, cap, sizeof(*cap) + cap->length);
	64
	65	- processed += 2 + length;
	66	- data += 2 + length;
	67	+ size -= sizeof(*cap) + cap->length;
	68	+ data += sizeof(*cap) + cap->length;
	69
	70	- caps = g_slist_append(caps, cap);
	71	+ caps = g_slist_append(caps, cpy);
	72
	73	- if (category == AVDTP_MEDIA_CODEC &&
	74	- length >=
	75	- sizeof(struct avdtp_media_codec_capability))
	76	- *codec = cap;
	77	- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
	78	- *delay_reporting = TRUE;
	79	+ switch (cap->category) {
	80	+ case AVDTP_MEDIA_CODEC:
	81	+ if (codec)
	82	+ *codec = cpy;
	83	+ break;
	84	+ case AVDTP_DELAY_REPORTING:
	85	+ if (delay_reporting)
	86	+ *delay_reporting = TRUE;
	87	+ break;
	88	+ }
	89	}
	90
	91	return caps;
	92	@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
	93	&stream->codec,
	94	&stream->delay_reporting);
	95
	96	+ if (!stream->caps \|\| !stream->codec) {
	97	+ err = AVDTP_UNSUPPORTED_CONFIGURATION;
	98	+ category = 0x00;
	99	+ goto failed_stream;
	100	+ }
	101	+
	102	/* Verify that the Media Transport capability's length = 0. Reject otherwise */
	103	for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
	104	struct avdtp_service_capability *cap = l->data;
	105	diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
	106	index d9471c0..0233d53 100644
	107	--- a/profiles/audio/avrcp.c
	108	+++ b/profiles/audio/avrcp.c
	109	@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
	110	goto err_metadata;
	111	}
	112
	113	+ operands += sizeof(*pdu);
	114	+ operand_count -= sizeof(*pdu);
	115	+
	116	+ if (pdu->params_len != operand_count) {
	117	+ DBG("AVRCP PDU parameters length don't match");
	118	+ pdu->params_len = operand_count;
	119	+ }
	120	+
	121	for (handler = session->control_handlers; handler->pdu_id; handler++) {
	122	if (handler->pdu_id == pdu->pdu_id)
	123	break;
	124	--
	125	2.25.1
	126


diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch new file mode 100644 index 0000000000..43670ab2b3 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,54 @@
	1	From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Tue, 10 Oct 2023 13:03:12 -0700
	4	Subject: input.conf: Change default of ClassicBondedOnly
	5
	6	This changes the default of ClassicBondedOnly since defaulting to false
	7	is not inline with HID specification which mandates the of Security Mode
	8	4:
	9
	10	BLUETOOTH SPECIFICATION Page 84 of 123
	11	Human Interface Device (HID) Profile:
	12
	13	5.4.3.4.2 Security Modes
	14	Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
	15	Bluetooth HID devices that are compliant to the Bluetooth Core
	16	Specification v2.1+EDR[6].
	17
	18	Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
	19	CVE: CVE-2023-45866
	20	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	21	---
	22	profiles/input/device.c \| 2 +-
	23	profiles/input/input.conf \| 2 +-
	24	2 files changed, 2 insertions(+), 2 deletions(-)
	25
	26	diff --git a/profiles/input/device.c b/profiles/input/device.c
	27	index 375314e..0236488 100644
	28	--- a/profiles/input/device.c
	29	+++ b/profiles/input/device.c
	30	@@ -93,7 +93,7 @@ struct input_device {
	31
	32	static int idle_timeout = 0;
	33	static bool uhid_enabled = false;
	34	-static bool classic_bonded_only = false;
	35	+static bool classic_bonded_only = true;
	36
	37	void input_set_idle_timeout(int timeout)
	38	{
	39	diff --git a/profiles/input/input.conf b/profiles/input/input.conf
	40	index 4c70bc5..d8645f3 100644
	41	--- a/profiles/input/input.conf
	42	+++ b/profiles/input/input.conf
	43	@@ -17,7 +17,7 @@
	44	# platforms may want to make sure that input connections only come from bonded
	45	# device connections. Several older mice have been known for not supporting
	46	# pairing/encryption.
	47	-# Defaults to false to maximize device compatibility.
	48	+# Defaults to true for security.
	49	#ClassicBondedOnly=true
	50
	51	# LE upgrade security
	52	--
	53	2.25.1
	54