
Bug#988936: marked as done (buster-pu: package mqtt-client/1.14-1)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #988936,
regarding buster-pu: package mqtt-client/1.14-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988936
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: anbe@debian.org

Hello Stable release team,

I would like to update mqtt-client in buster to fix CVE-2019-0222.
It is fixed in stretch, bullseye and sid. Right now stretch-security
has a newer version (1.14-1+9u1) than buster, breaking clean upgrades
to buster. CVE-2019-0222 is no-dsa, thus using pu. The Vcs field URLs are also
updated.

Debdiff is attached. Please allow me to upload this fix to buster.


--abhijith

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mqtt-client-1.14/debian/changelog mqtt-client-1.14/debian/changelog
--- mqtt-client-1.14/debian/changelog	2016-07-19 13:30:10.000000000 +0530
+++ mqtt-client-1.14/debian/changelog	2021-05-21 21:59:49.000000000 +0530
@@ -1,3 +1,13 @@
+mqtt-client (1.14-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to
+    broker Out of Memory exception making it unresponsive.
+    (Closes: #988109)
+  * Update Vcs-* URL in d/control.
+
+ -- Abhijith PA <abhijith@debian.org>  Fri, 21 May 2021 21:59:49 +0530
+
 mqtt-client (1.14-1) unstable; urgency=medium
 
   * New upstream release
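Review bot: the changelog entry describes the impact as a "broker Out of Memory exception", wording taken from the CVE text, but this source builds the client library libmqtt-client-java; say what is actually affected here, i.e. the shared MQTT codec in MessageSupport.readUTF used by any consumer of the library, so a buster user can judge exposure. Since the cover mail says the same CVE is already fixed in stretch-security (1.14-1+9u1), it would also help reviewers to note whether this patch is the same one used there.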
diff -Nru mqtt-client-1.14/debian/control mqtt-client-1.14/debian/control
--- mqtt-client-1.14/debian/control	2016-07-19 13:28:53.000000000 +0530
+++ mqtt-client-1.14/debian/control	2021-05-21 21:59:49.000000000 +0530
@@ -10,8 +10,8 @@
                libmaven-bundle-plugin-java,
                maven-debian-helper (>= 1.5)
 Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/mqtt-client.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/mqtt-client.git
+Vcs-Git: https://salsa.debian.org/java-team/mqtt-client.git
+Vcs-Browser: https://salsa.debian.org/java-team/mqtt-client
 Homepage: http://mqtt-client.fusesource.org
 
 Package: libmqtt-client-java
diff -Nru mqtt-client-1.14/debian/patches/CVE-2019-0222.patch mqtt-client-1.14/debian/patches/CVE-2019-0222.patch
--- mqtt-client-1.14/debian/patches/CVE-2019-0222.patch	1970-01-01 05:30:00.000000000 +0530
+++ mqtt-client-1.14/debian/patches/CVE-2019-0222.patch	2021-05-21 21:59:02.000000000 +0530
@@ -0,0 +1,21 @@
+Description: CVE-2019-0222
+
+ unmarshalling corrupt MQTT frame can lead
+ to broker Out of Memory exception making it unresponsive.
+
+Author: Abhijith PA <abhijith@debian.org>
+
+diff --git a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+index 08fb8391abbbdb365310cda08373b3a7e4befc3e..a0a5e8ee4cec70d37b9c451e9f2bd02010107dfa 100644
+--- a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
++++ b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+@@ -62,6 +62,9 @@ public final class MessageSupport {
+ 
+     static protected UTF8Buffer readUTF(DataByteArrayInputStream is) throws ProtocolException {
+         int size = is.readUnsignedShort();
++        if (size < 0) {
++            throw new ProtocolException("Invalid message encoding");
++        }
+         Buffer buffer = is.readBuffer(size);
+         if (buffer == null || buffer.length != size) {
+             throw new ProtocolException("Invalid message encoding");
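Review bot: the added guard `if (size < 0)` in readUTF is unreachable: `is.readUnsignedShort()` returns a value in 0..65535 by contract, so the new branch can never fire and, as shown, the patch does not bound any allocation; the pre-existing `buffer == null || buffer.length != size` check is what already rejects a truncated string. Please compare this against the upstream fix for CVE-2019-0222 and, if the out-of-memory condition is triggered by a different length field in the frame, place the guard at that site instead. Separately, the patch header names only a Debian author with no `Origin:` or `Bug:`/`Bug-Debian:` DEP-3 fields; add them so the provenance of the change is recorded.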
diff -Nru mqtt-client-1.14/debian/patches/series mqtt-client-1.14/debian/patches/series
--- mqtt-client-1.14/debian/patches/series	1970-01-01 05:30:00.000000000 +0530
+++ mqtt-client-1.14/debian/patches/series	2021-05-21 21:59:02.000000000 +0530
@@ -0,0 +1 @@
+CVE-2019-0222.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
