Mosquitto / CVE-2017-7654

To: debian-lts@lists.debian.org
Subject: Mosquitto / CVE-2017-7654
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 16 Aug 2018 17:33:36 +1000
Message-id: <[🔎] 87efeyg3zj.fsf@silverfish.pri>

Looking at the upstream bug report I see that there are two potential
patches given. For the purposes of LTS and KISS, I prefer the simpler
patch. The other patch completely removes the need for dynamic memory
allocation in the first place. It is probably more suitable for
upstream. However upstream has not used either patch either yet.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493

So my suggested fix for Jessie is the following one line patch.

--- mosquitto-1.3.4.orig/src/read_handle_server.c
+++ mosquitto-1.3.4/src/read_handle_server.c
@@ -89,6 +89,7 @@
        }
        if(_mosquitto_read_byte(&context->in_packet, &protocol_version)){
                mqtt3_context_disconnect(db, context);
+               _mosquitto_free(protocol_name);
                return 1;
        }
        if(!strcmp(protocol_name, PROTOCOL_NAME_v31)){

-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Reply to:

Follow-Ups:
- Re: Mosquitto / CVE-2017-7653
  - From: Brian May <bam@debian.org>

Prev by Date: Re: Getting phpldapadmin (CVE-2018-12869) fixed
Next by Date: Re: Apache2 CVE-2016-4975
Previous by thread: Re: Getting phpldapadmin (CVE-2018-12869) fixed
Next by thread: Re: Mosquitto / CVE-2017-7653
Index(es):
- Date
- Thread