From c455a79a814fb828225afe072a15b9134bd8c8ca Mon Sep 17 00:00:00 2001 From: Wootak Jung Date: Tue, 28 Nov 2023 14:51:49 +0900 Subject: [PATCH] Fix the security vulnerability issue A variant of this attack works when bluetoothctl shows that bluetooth is discoverable, pairable, and discovering (only a subset may be necessary). On Ubuntu 22.04 Desktop this becomes true when the GNOME panel for bluetooth settings is opened. BlueZ's setting ClassicBondedOnly=true prevents this attack. This parameter is not enabled in CVE-2020-0556 patches and all distros I checked have not opted into this setting. Most members of the distros list are likely affected. Change-Id: Ib4883d1766d314bcd415308a9e4805e196462f3a Signed-off-by: Wootak Jung --- profiles/input/input.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/input/input.conf b/profiles/input/input.conf index 2c18fa1..227b00a 100755 --- a/profiles/input/input.conf +++ b/profiles/input/input.conf @@ -18,7 +18,7 @@ # device connections. Several older mice have been known for not supporting # pairing/encryption. # Defaults to false to maximize device compatibility. -#ClassicBondedOnly=true +ClassicBondedOnly=true #ifndef TIZEN_FEATURE_BLUEZ_MODIFY # LE upgrade security -- 2.7.4
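Review bot: The context comment directly above the changed line still reads "Defaults to false to maximize device compatibility", which is misleading once `ClassicBondedOnly=true` is uncommented in the shipped file. Suggest rewording it to say that the built-in default is false but this configuration enables the setting, and to state the consequence that the same comment block already hints at: the older mice described as not supporting pairing/encryption will no longer be accepted as classic HID connections. The commit subject "Fix the security vulnerability issue" also does not say which issue is addressed; the body only notes that the CVE-2020-0556 patches do not enable this parameter, so a subject that names the setting being turned on would be easier to trace later. Separately, the index line shows input.conf with mode 100755, and a configuration file does not need the executable bit.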