A bug in BlueZ may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication.
A bug in bluez prevents the disabling of Bluetooth discoverability. In certain situations, this flaw could potentially lead to the unauthorized pairing of Bluetooth devices.
Upstream workaround in gnome-bluetooth: https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89
Note that the actual bug is not in gnome-bluetooth.
RHEL is not affected as RHEL-7 is running GNOME 3.26, which is not impacted.
Created bluez tracking bugs for this issue:
Affects: fedora-all [bug 1606371]
Name: Chris Marchesi
It appears that a fix was merged upstream and may be available in a future release of BlueZ 5.51. gnome-bluetooth-3.28.2 will take advantage of this fix.
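A defender-side check for the condition described in this report, as an added example that is not part of the original report or of BlueZ: it reads `bluetoothctl show` output and lists controllers that are powered, discoverable and pairable at the same time. The sample text and the function name are constructed for illustration; whether a pairing agent is registered is not visible in this output and has to be checked separately.

```shell
#!/bin/sh
# Added example: flag BlueZ controllers that are currently discoverable.
# Input: text in the format printed by `bluetoothctl show`.
# Output: one controller address per line for every controller that is
# Powered, Discoverable and Pairable at once.
discoverable_controllers() {
    awk '
        # Print the controller collected so far if all three states are "yes".
        function report() {
            if (addr != "" && powered == "yes" && disc == "yes" && pair == "yes")
                print addr
        }
        # A new "Controller <addr>" line starts a new record.
        $1 == "Controller"    { report(); addr = $2; powered = "no"; disc = "no"; pair = "no"; next }
        $1 == "Powered:"      { powered = $2 }
        $1 == "Discoverable:" { disc = $2 }
        $1 == "Pairable:"     { pair = $2 }
        END { report() }
    '
}

# Constructed sample (not captured from a real host): two controllers,
# only the first one is discoverable.
SAMPLE='Controller 00:11:22:33:44:55 (public)
    Name: host-a
    Powered: yes
    Discoverable: yes
    Pairable: yes
Controller 66:77:88:99:AA:BB (public)
    Name: host-b
    Powered: yes
    Discoverable: no
    Pairable: yes'

# Run against the sample; on a live system use:
#   bluetoothctl show | discoverable_controllers
printf '%s\n' "$SAMPLE" | discoverable_controllers
```

An empty result means no controller in the input is powered, discoverable and pairable at once.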