
Bug#863633: unblock: mosquitto/1.4.10-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mosquitto

Version 1.4.10-2 currently in testing has a security issue,
CVE-2017-7650. This upload fixes that issue.

This upload also fixes #857759, which is a regression against Jessie.

unblock mosquitto/1.4.10-3

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-71-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

*** /home/roger/mosquitto.debdiff
diff -Nru mosquitto-1.4.10/debian/changelog mosquitto-1.4.10/debian/changelog
--- mosquitto-1.4.10/debian/changelog	2016-11-03 22:38:51.000000000 +0000
+++ mosquitto-1.4.10/debian/changelog	2017-05-29 14:38:36.000000000 +0100
@@ -1,3 +1,16 @@
+mosquitto (1.4.10-3) unstable; urgency=high
+
+  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
+    set to '+' or '#'.
+    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
+      of messages to/from clients with a '+', '#' or '/' in their
+      username/client id.
+    - CVE-2017-7650
+  * New patch debian/patches/allow_ipv6_bridges.patch allows bridges to make
+    IPv6 connections when using TLS (closes: #857759).
+
+ -- Roger A. Light <roger@atchoo.org>  Mon, 29 May 2017 13:43:29 +0100
+
 mosquitto (1.4.10-2) unstable; urgency=medium
 
   * Bumped standards version to 3.9.8. No changes needed.
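Review bot: the changelog entry names the security patch as debian/patches/mosquitto-0.15_cve-2017-7650.patch, but the file this debdiff actually adds, and the one listed in debian/patches/series, is mosquitto-1.4.10_cve-2017-7650.patch; correct the filename in the changelog so the record of which patch fixes CVE-2017-7650 matches what is shipped.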
diff -Nru mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch
--- mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch	1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch	2017-05-29 13:50:12.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Allow bridges to make IPv6 connections when using TLS.
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://github.com/eclipse/mosquitto/commit/98ea68490626b1d18aee2004b411294c85e62212
+--- a/lib/net_mosq.c
++++ b/lib/net_mosq.c
+@@ -281,14 +281,7 @@
+ 
+ 	*sock = INVALID_SOCKET;
+ 	memset(&hints, 0, sizeof(struct addrinfo));
+-#ifdef WITH_TLS
+-	if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
+-		hints.ai_family = PF_INET;
+-	}else
+-#endif
+-	{
+-		hints.ai_family = PF_UNSPEC;
+-	}
++	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_flags = AI_ADDRCONFIG;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
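Review bot: the Description says this is about bridges, but lib/net_mosq.c is shared by the broker's bridge code and by libmosquitto, so replacing the TLS-only `hints.ai_family = PF_INET;` branch with an unconditional `hints.ai_family = PF_UNSPEC;` also changes address-family selection for every TLS client built against the library; the patch header should say so. The IPv4-only restriction under TLS was clearly deliberate (it is a separate `#ifdef WITH_TLS` branch), so the header should also state why it is now safe to lift rather than only pointing at the upstream commit.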
diff -Nru mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
--- mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch	1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch	2017-05-28 23:10:06.000000000 +0100
@@ -0,0 +1,61 @@
+Description: Fix for CVE-207-7650.
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2017-7650/mosquitto-1.4.x_cve-2017-7650.patch
+diff --git a/src/security.c b/src/security.c
+index 6ae9fb9..37ce32b 100644
+--- src/security.c
++++ b/src/security.c
+@@ -233,6 +233,21 @@
+ 		{
+ 			username = context->username;
+ 		}
++
++		/* Check whether the client id or username contains a +, # or / and if
++		 * so deny access.
++		 *
++		 * Do this check for every message regardless, we have to protect the
++		 * plugins against possible pattern based attacks.
++		 */
++		if(username && strpbrk(username, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", username);
++			return MOSQ_ERR_ACL_DENIED;
++		}
++		if(context->id && strpbrk(context->id, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
++			return MOSQ_ERR_ACL_DENIED;
++		}
+ 		return db->auth_plugin.acl_check(db->auth_plugin.user_data, context->id, username, topic, access);
+ 	}
+ }
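Review bot: the Description header has a typo, "CVE-207-7650" should read "CVE-2017-7650". In the hunk itself, both new checks log the rejected username and client id verbatim with `%s` at NOTICE level; these strings are attacker-controlled, so consider length-limiting or escaping them (a client id containing newlines would fragment the log), or log only the fact of the rejection. Minor: the nested diff uses `--- src/security.c` without the `a/` prefix while the `+++ b/src/security.c` line has it; quilt copes, but the two should be normalised.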
+diff --git a/src/security_default.c b/src/security_default.c
+index 64ca846..a41c21f 100644
+--- src/security_default.c
++++ b/src/security_default.c
+@@ -261,6 +261,26 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, struct mosquitto *conte
+ 	}
+ 
+ 	acl_root = db->acl_patterns;
++
++	if(acl_root){
++		/* We are using pattern based acls. Check whether the username or
++		 * client id contains a +, # or / and if so deny access.
++		 *
++		 * Without this, a malicious client may configure its username/client
++		 * id to bypass ACL checks (or have a username/client id that cannot
++		 * publish or receive messages to its own place in the hierarchy).
++		 */
++		if(context->username && strpbrk(context->username, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", context->username);
++			return MOSQ_ERR_ACL_DENIED;
++		}
++
++		if(context->id && strpbrk(context->id, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
++			return MOSQ_ERR_ACL_DENIED;
++		}
++	}
++
+ 	/* Loop through all pattern ACLs. */
+ 	clen = strlen(context->id);
+ 	while(acl_root){
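Review bot: the new check guards against a NULL id (`if(context->id && strpbrk(context->id, "+#/")){`), but the pre-existing `clen = strlen(context->id);` two lines below dereferences it unconditionally, so either the guard is dead code or the existing loop has a latent NULL dereference; make the two consistent. Note also the asymmetry with src/security.c: there the rejection is applied to every message ("Do this check for every message regardless"), whereas here it runs only when `acl_root` is non-NULL, i.e. when pattern ACLs are configured, so a '+' username is still accepted on brokers that use only plain acl_file rules. That matches the scope of the CVE but is worth stating in the patch Description.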
diff -Nru mosquitto-1.4.10/debian/patches/series mosquitto-1.4.10/debian/patches/series
--- mosquitto-1.4.10/debian/patches/series	2016-11-03 22:36:53.000000000 +0000
+++ mosquitto-1.4.10/debian/patches/series	2017-05-29 13:47:08.000000000 +0100
@@ -6,3 +6,5 @@
 libdir.patch
 build-timestamp.patch
 hurd-errno.patch
+mosquitto-1.4.10_cve-2017-7650.patch
+allow_ipv6_bridges.patch
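The bug the CVE patch closes is easiest to see with the substitution actually written out. The following is an added illustration, not code from mosquitto or from this upload: it models mosquitto's `pattern` ACL lines (where `%u` is replaced by the username and `%c` by the client id, and the result is matched as an MQTT topic filter) over a constructed acl_file, and shows why a username or client id of `+` turns a per-client rule into one that covers every client, and how the `+#/` rejection added in src/security_default.c stops it. The topic matcher and the `acl_check`/`parse_patterns` helpers are simplified stand-ins for the broker's own functions, written here only for the demonstration.

```python
"""Illustration of the CVE-2017-7650 pattern-ACL bypass and its fix.

Not mosquitto code: a minimal model of pattern-ACL substitution and
MQTT topic-filter matching, sufficient to show the bypass.
"""

# Constructed sample acl_file contents (not from any real deployment).
# Intent: each client may only touch its own branch of the hierarchy.
SAMPLE_ACL_FILE = """
# per-client branches
pattern readwrite sensors/%u/#
pattern read devices/%c/config
"""

# Characters the upstream fix rejects in usernames / client ids
# (strpbrk(..., "+#/") in the patch).
DANGEROUS = set("+#/")


def topic_matches_sub(sub: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' is one level, '#' the rest of the tree."""
    s_levels = sub.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(s_levels):
        if level == "#":
            return True
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(s_levels) == len(t_levels)


def parse_patterns(acl_text: str):
    """Return (mode, pattern) pairs for the 'pattern' lines of an acl_file."""
    rules = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "pattern" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return rules


def acl_check(rules, username, client_id, topic, access, patched):
    """True if some pattern rule grants `access` ('read'/'write') on `topic`.

    With patched=True the username/client id are first rejected if they
    contain '+', '#' or '/', mirroring the fix in security_default.c.
    """
    if patched:
        if username and DANGEROUS & set(username):
            return False  # "ACL denying access ... dangerous username"
        if client_id and DANGEROUS & set(client_id):
            return False  # "ACL denying access ... dangerous client id"

    for mode, pattern in rules:
        if mode != "readwrite" and mode != access:
            continue
        if "%u" in pattern and not username:
            continue  # rule needs a username, anonymous client gets nothing
        # The substitution is the whole problem: a username of '+' turns
        # 'sensors/%u/#' into the filter 'sensors/+/#'.
        filt = pattern.replace("%u", username or "").replace("%c", client_id)
        if topic_matches_sub(filt, topic):
            return True
    return False


def demo():
    """Honest client vs. '+' username / '+' client id, before and after the fix."""
    rules = parse_patterns(SAMPLE_ACL_FILE)
    return {
        "alice_own_unpatched": acl_check(rules, "alice", "c1", "sensors/alice/temp", "write", False),
        "alice_other_unpatched": acl_check(rules, "alice", "c1", "sensors/bob/temp", "write", False),
        # username '+': sensors/%u/# -> sensors/+/# -> writes into bob's branch
        "plus_user_unpatched": acl_check(rules, "+", "c2", "sensors/bob/temp", "write", False),
        "plus_user_patched": acl_check(rules, "+", "c2", "sensors/bob/temp", "write", True),
        # client id '+': devices/%c/config -> devices/+/config -> reads c1's config
        "plus_cid_unpatched": acl_check(rules, "eve", "+", "devices/c1/config", "read", False),
        "plus_cid_patched": acl_check(rules, "eve", "+", "devices/c1/config", "read", True),
        # the fix does not affect a well-formed client
        "alice_own_patched": acl_check(rules, "alice", "c1", "sensors/alice/temp", "write", True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The model keeps only what the bypass needs: `%u`/`%c` substitution followed by topic-filter matching. The rejection of `/` is there for the same reason as `+` and `#`: a separator inside the substituted value changes the level structure of the resulting filter, so it no longer denotes the single branch the administrator intended.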

