RE: BlueZ: How to avoid fixed Coordinate Invalid Curve Attack

Hi Marcel,

Is this the patch you are referring to?

https://patchwork.kernel.org/patch/9976233/


If not, can you kindly point us to the patch that has been accepted in the mainline to address this vulnerability?

Kind Regards

Asim

NXP PSIRT

-----Original Message-----
From: Marcel Holtmann <marcel@xxxxxxxxxxxx> 
Sent: Tuesday, August 28, 2018 4:56 AM
To: Andy Duan <fugang.duan@xxxxxxx>
Cc: rtatiya@xxxxxxxxxxxxxx; Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>; Johan Hedberg <johan.hedberg@xxxxxxxxx>; Asim Zaidi <asim.zaidi@xxxxxxx>; linux-bluetooth@xxxxxxxxxxxxxxx
Subject: Re: BlueZ: How to avoid fixed Coordinate Invalid Curve Attack

Hi Andy,

> Do you have patches for BlueZ to avoid the Bluetooth curve attack?
> 
> As far as I know, many vendors supply Android Fluoride host fixes & firmware fixes to avoid the curve attack, but the BlueZ community doesn't have the topic. Is there a plan to fix the hole?

the Linux kernel crypto subsystem and its ECDH support has a patch to ensure that the public key is validated before calculating the shared secret.

Regards

Marcel

Attachment: smime.p7s
Description: S/MIME cryptographic signature

