Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: anbe@debian.org

Hello Stable release team,

I would like to update mqtt-client in buster for fixing CVE-2019-0222. It is fixed in stretch, bullseye and sid. Right now stretch-security has a newer version (1.14-1+9u1) than buster, breaking clean upgrades to buster. CVE-2019-0222 is no-dsa, thus using pu. The Vcs field URL is also updated. Debdiff is attached.

Please allow me to upload this fix to Buster.

--abhijith

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mqtt-client-1.14/debian/changelog mqtt-client-1.14/debian/changelog --- mqtt-client-1.14/debian/changelog 2016-07-19 13:30:10.000000000 +0530 +++ mqtt-client-1.14/debian/changelog 2021-05-21 21:59:49.000000000 +0530 @@ -1,3 +1,13 @@ +mqtt-client (1.14-1+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to + broker Out of Memory exception making it unresponsive. + (Closes: #988109) + * Update Vcs-* URL in d/control. + + -- Abhijith PA <abhijith@debian.org> Fri, 21 May 2021 21:59:49 +0530 + mqtt-client (1.14-1) unstable; urgency=medium * New upstream release diff -Nru mqtt-client-1.14/debian/control mqtt-client-1.14/debian/control --- mqtt-client-1.14/debian/control 2016-07-19 13:28:53.000000000 +0530 +++ mqtt-client-1.14/debian/control 2021-05-21 21:59:49.000000000 +0530 @@ -10,8 +10,8 @@ libmaven-bundle-plugin-java, maven-debian-helper (>= 1.5) Standards-Version: 3.9.8 -Vcs-Git: https://anonscm.debian.org/git/pkg-java/mqtt-client.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/mqtt-client.git +Vcs-Git: https://salsa.debian.org/java-team/mqtt-client.git +Vcs-Browser: https://salsa.debian.org/java-team/mqtt-client Homepage: http://mqtt-client.fusesource.org Package: libmqtt-client-java diff -Nru mqtt-client-1.14/debian/patches/CVE-2019-0222.patch mqtt-client-1.14/debian/patches/CVE-2019-0222.patch --- mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 1970-01-01 05:30:00.000000000 +0530 +++ mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 2021-05-21 21:59:02.000000000 +0530 
@@ -0,0 +1,21 @@ +Description: CVE-2019-0222 + + unmarshalling corrupt MQTT frame can lead + to broker Out of Memory exception making it unresponsive. + +Author: Abhijith PA <abhijith@debian.org> + +diff --git a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java +index 08fb8391abbbdb365310cda08373b3a7e4befc3e..a0a5e8ee4cec70d37b9c451e9f2bd02010107dfa 100644 +--- a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java ++++ b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java +@@ -62,6 +62,9 @@ public final class MessageSupport { + + static protected UTF8Buffer readUTF(DataByteArrayInputStream is) throws ProtocolException { + int size = is.readUnsignedShort(); ++ if (size < 0) { ++ throw new ProtocolException("Invalid message encoding"); ++ } + Buffer buffer = is.readBuffer(size); + if (buffer == null || buffer.length != size) { + throw new ProtocolException("Invalid message encoding"); diff -Nru mqtt-client-1.14/debian/patches/series mqtt-client-1.14/debian/patches/series --- mqtt-client-1.14/debian/patches/series 1970-01-01 05:30:00.000000000 +0530 +++ mqtt-client-1.14/debian/patches/series 2021-05-21 21:59:02.000000000 +0530 @@ -0,0 +1 @@ +CVE-2019-0222.patch
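Review bot: the DEP-3 header of debian/patches/CVE-2019-0222.patch carries only Description and Author; for a security backport it should also carry an Origin: line pointing at the upstream commit this is taken from (or Forwarded:/Applied-Upstream: if it is not) and a Bug-Debian: line for #988109, so the provenance of the new `if (size < 0)` guard can be checked against upstream. The header should also state under what condition `is.readUnsignedShort()` yields a negative size in this codec, since a reader going by the method name alone will take the added check for unreachable code and may drop it in a later refresh.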