[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#885028: jessie-pu: package mosquitto/1.3.4-2+deb8u2

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This patch fixes CVE-2017-9868 for mosquitto. The security team believes
it is not worthy of a DSA and should be fixed by a point release
instead.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-97-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

diff -Nru mosquitto-1.3.4/debian/changelog mosquitto-1.3.4/debian/changelog
--- mosquitto-1.3.4/debian/changelog	2017-05-23 22:14:40.000000000 +0100
+++ mosquitto-1.3.4/debian/changelog	2017-12-22 23:12:38.000000000 +0000
@@ -1,3 +1,13 @@
+mosquitto (1.3.4-2+deb8u2) jessie; urgency=medium
+
+  * SECURITY UPDATE: Mosquitto persistence file is world readable.
+    - debian/patches/mosquitto-1.3.4_cve-2017-9868.patch: Set umask to limit
+      read permissions.
+    - CVE-2017-9868
+    (closes: #865959)
+
+ -- Roger A. Light <roger@atchoo.org>  Fri, 22 Dec 2017 21:44:30 +0000
+
 mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high
 
   * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
diff -Nru mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch
--- mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch	1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch	2017-06-26 09:38:24.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix for CVE-207-9868.
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.3.4_cve-2017-9868.patch
+--- a/src/persist.c
++++ b/src/persist.c
+@@ -379,6 +379,10 @@
+ 		_mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
+ 		return MOSQ_ERR_NOMEM;
+ 	}
++
++	/* Restrict access to persistence file. */
++	umask(0077);
++
+ 	snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
+ 	db_fptr = _mosquitto_fopen(outfile, "wb");
+ 	if(db_fptr == NULL){
diff -Nru mosquitto-1.3.4/debian/patches/series mosquitto-1.3.4/debian/patches/series
--- mosquitto-1.3.4/debian/patches/series	2017-05-23 22:14:40.000000000 +0100
+++ mosquitto-1.3.4/debian/patches/series	2017-12-22 21:47:21.000000000 +0000
@@ -5,3 +5,4 @@
 pynomake.patch
 disable-in-tree-uthash.patch
 mosquitto-1.3.4_cve-2017-7650.patch
+mosquitto-1.3.4_cve-2017-9868.patch
Reply to: