Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Control: tag -1 moreinfo
On Fri, Dec 22, 2017 at 23:47:34 +0000, Roger A. Light wrote:
> +Description: Fix for CVE-207-9868.
> +Author: Roger Light <roger@atchoo.org>
> +Forwarded: not-needed
> +Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
> +--- a/src/persist.c
> ++++ b/src/persist.c
> +@@ -362,6 +362,10 @@
> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
> + return MOSQ_ERR_NOMEM;
> + }
> ++
> ++ /* Restrict access to persistence file. */
> ++ umask(0077);
> ++
> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
> + outfile[len] = '\0';
> +
Is this likely to negatively affect other files the application might
create?
Cheers,
Julien
Reply to: