Control: tag -1 moreinfo On Fri, Dec 22, 2017 at 23:47:34 +0000, Roger A. Light wrote:
> +Description: Fix for CVE-207-9868. > +Author: Roger Light <ro...@atchoo.org> > +Forwarded: not-needed > +Origin: upstream, > https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch > +--- a/src/persist.c > ++++ b/src/persist.c > +@@ -362,6 +362,10 @@ > + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving > in-memory database, out of memory."); > + return MOSQ_ERR_NOMEM; > + } > ++ > ++ /* Restrict access to persistence file. */ > ++ umask(0077); > ++ > + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); > + outfile[len] = '\0'; > + Is this likely to negatively affect other files the application might create? Cheers, Julien
