Fix the security vulnerability issue

A variant of this attack works when bluetoothctl shows that bluetooth is
discoverable, pariable, and discovering (only a subset may be necessary). On
Ubuntu 22.04 Desktop this becomes true when the GNOME panel for
bluetooth settings is opened.

BlueZ's setting ClassicBondedOnly=true prevents this attack.
This parameter is not enabled in CVE-2020-0556 patches and all distros
I checked have not opted into this setting. Most members of the distros list
are likely affected.

Change-Id: Ib4883d1766d314bcd415308a9e4805e196462f3a
Signed-off-by: Wootak Jung <wootak.jung@samsung.com>

diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 2c18fa1..227b00a 100755 (executable)
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -18,7 +18,7 @@
 # device connections. Several older mice have been known for not supporting
 # pairing/encryption.
 # Defaults to false to maximize device compatibility.
-#ClassicBondedOnly=true
+ClassicBondedOnly=true
 
 #ifndef TIZEN_FEATURE_BLUEZ_MODIFY
 # LE upgrade security