Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Control: tag -1 - moreinfo
Control: tag -1 confirmed
OK, go ahead and upload then.
Cheers,
Julien
On Sat, Feb 10, 2018 at 11:13:06 +0000, Roger Light wrote:
> Thanks for taking a look at this.
>
> The application only creates this file and log files, so I don't
> believe it should have any other impact.
>
> Regards,
>
> Roger
>
>
> On 10 February 2018 at 09:07, Julien Cristau <jcristau@debian.org> wrote:
> > Control: tag -1 moreinfo
> >
> > On Fri, Dec 22, 2017 at 23:47:34 +0000, Roger A. Light wrote:
> >
> >> +Description: Fix for CVE-207-9868.
> >> +Author: Roger Light <roger@atchoo.org>
> >> +Forwarded: not-needed
> >> +Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
> >> +--- a/src/persist.c
> >> ++++ b/src/persist.c
> >> +@@ -362,6 +362,10 @@
> >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
> >> + return MOSQ_ERR_NOMEM;
> >> + }
> >> ++
> >> ++ /* Restrict access to persistence file. */
> >> ++ umask(0077);
> >> ++
> >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
> >> + outfile[len] = '\0';
> >> +
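Review bot: The `umask(0077);` call added ahead of the `snprintf(outfile, len, "%s.new", ...)` line changes the file creation mask for the whole process and discards the previous value, so every file created after this point, not only the `.new` persistence file, loses group and other permissions. Consider keeping the return value and restoring it once the persistence file has been opened, along the lines of `mode_t old = umask(0077);` followed later by `umask(old);`, or creating the file with an explicit 0600 mode so the mask does not have to change at all. Note also that the mask only applies at creation time: if a `.new` file with wider permissions already exists at that path, this call does not tighten it. Separately, the Description header reads `CVE-207-9868` while the Origin URL says 2017-9868.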
> >
> > Is this likely to negatively affect other files the application might
> > create?
> >
> > Cheers,
> > Julien
>