
Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1



Control: tag -1 moreinfo

On Fri, Dec 22, 2017 at 23:47:34 +0000, Roger A. Light wrote:

> +Description: Fix for CVE-207-9868.
> +Author: Roger Light <roger@atchoo.org>
> +Forwarded: not-needed
> +Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
> +--- a/src/persist.c
> ++++ b/src/persist.c
> +@@ -362,6 +362,10 @@
> + 		_mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
> + 		return MOSQ_ERR_NOMEM;
> + 	}
> ++
> ++	/* Restrict access to persistence file. */
> ++	umask(0077);
> ++
> + 	snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
> + 	outfile[len] = '\0';
> + 
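
Review bot: the `umask(0077);` call added ahead of the `snprintf` discards the previous mask, and nothing in this hunk restores it. The tighter mask therefore stays in force for the whole process and applies to every file or directory it creates afterwards, not only the persistence file named in the comment. Consider keeping the return value (`mode_t old_mask = umask(0077);`) and restoring it as soon as the `.new` file has been opened, or creating that file with `open()` and an explicit 0600 mode so the process mask is left untouched. The hunk also adds no `#include <sys/stat.h>`, so it is worth confirming persist.c already pulls it in for `umask()`.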

Is this likely to negatively affect other files the application might
create?

Cheers,
Julien

