--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package mosquitto/1.3.4-2+deb8u2
- From: "Roger A. Light" <roger@atchoo.org>
- Date: Fri, 22 Dec 2017 23:44:22 +0000
- Message-id: <151398626296.22250.583327913259113940.reportbug@ks.ral.me>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
This patch fixes CVE-2017-9868 for mosquitto. The security team believes
it is not worthy of a DSA and should be fixed by a point release
instead.
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-97-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff -Nru mosquitto-1.3.4/debian/changelog mosquitto-1.3.4/debian/changelog
--- mosquitto-1.3.4/debian/changelog 2017-05-23 22:14:40.000000000 +0100
+++ mosquitto-1.3.4/debian/changelog 2017-12-22 23:12:38.000000000 +0000
@@ -1,3 +1,13 @@
+mosquitto (1.3.4-2+deb8u2) jessie; urgency=medium
+
+ * SECURITY UPDATE: Mosquitto persistence file is world readable.
+ - debian/patches/mosquitto-1.3.4_cve-2017-9868.patch: Set umask to limit
+ read permissions.
+ - CVE-2017-9868
+ (closes: #865959)
+
+ -- Roger A. Light <roger@atchoo.org> Fri, 22 Dec 2017 21:44:30 +0000
+
mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high
* SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
diff -Nru mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch
--- mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch 1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch 2017-06-26 09:38:24.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix for CVE-207-9868.
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.3.4_cve-2017-9868.patch
+--- a/src/persist.c
++++ b/src/persist.c
+@@ -379,6 +379,10 @@
+ _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
+ return MOSQ_ERR_NOMEM;
+ }
++
++ /* Restrict access to persistence file. */
++ umask(0077);
++
+ snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
+ db_fptr = _mosquitto_fopen(outfile, "wb");
+ if(db_fptr == NULL){
diff -Nru mosquitto-1.3.4/debian/patches/series mosquitto-1.3.4/debian/patches/series
--- mosquitto-1.3.4/debian/patches/series 2017-05-23 22:14:40.000000000 +0100
+++ mosquitto-1.3.4/debian/patches/series 2017-12-22 21:47:21.000000000 +0000
@@ -5,3 +5,4 @@
pynomake.patch
disable-in-tree-uthash.patch
mosquitto-1.3.4_cve-2017-7650.patch
+mosquitto-1.3.4_cve-2017-9868.patch
--- End Message ---
--- Begin Message ---
- To: "Roger A. Light" <roger@atchoo.org>, 885028-done@bugs.debian.org
- Subject: Re: Bug#885028: jessie-pu: package mosquitto/1.3.4-2+deb8u2
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Sun, 17 Jun 2018 19:09:22 +0100
- Message-id: <20180617180922.bp7tbpjjm3ib7rc2@powdarrmonkey.net>
- In-reply-to: <151398626296.22250.583327913259113940.reportbug@ks.ral.me>
- References: <151398626296.22250.583327913259113940.reportbug@ks.ral.me>
Hi,
This request was approved and tagged 'confirmed', but no upload was
subsequently made. With the final point release for Jessie now being
prepared, it's unfortunately too late for this package to be updated.
Thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---