Control: tags 1001028 + patch Control: tags 1001028 + pending
Dear Roger, I've prepared an NMU for mosquitto (versioned as 2.0.11-1.2) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru mosquitto-2.0.11/debian/changelog mosquitto-2.0.11/debian/changelog
--- mosquitto-2.0.11/debian/changelog 2022-04-16 17:17:54.000000000 +0200
+++ mosquitto-2.0.11/debian/changelog 2022-12-29 13:38:30.000000000 +0100
@@ -1,3 +1,12 @@
+mosquitto (2.0.11-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CONNECT performance with many user-properties (CVE-2021-41039)
+ (Closes: #1001028)
+ * debian/tests/broker: Make all test python scripts executable
+
+ -- Salvatore Bonaccorso <[email protected]> Thu, 29 Dec 2022 13:38:30 +0100
+
 mosquitto (2.0.11-1.1) unstable; urgency=medium
 
 * Non-maintainer upload
diff -Nru mosquitto-2.0.11/debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch mosquitto-2.0.11/debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch
--- mosquitto-2.0.11/debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch 1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-2.0.11/debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch 2022-12-29 13:38:30.000000000 +0100
@@ -0,0 +1,117 @@
+From: "Roger A. Light" <[email protected]>
+Date: Tue, 10 Aug 2021 20:48:21 +0100
+Subject: Fix CONNECT performance with many user-properties.
+Origin: https://github.com/eclipse/mosquitto/commit/9d6a73f9f72005c2f19a262f15d28327eedea91f
+Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
+Bug-Debian: https://bugs.debian.org/1001028
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-41039
+Bug: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/637
+
+An MQTT v5 client connecting with a large number of user-property properties
+could cause excessive CPU usage, leading to a loss of performance and
+possible denial of service. This has been fixed.
+---
+ ChangeLog.txt | 3 ++
+ lib/property_mosq.c | 14 ++++-----
+ test/broker/01-connect-575314.py | 49 ++++++++++++++++++++++++++++++++
+ test/broker/Makefile | 1 +
+ test/broker/test.py | 1 +
+ 5 files changed, 61 insertions(+), 7 deletions(-)
+ create mode 100755 test/broker/01-connect-575314.py
+
+--- a/lib/property_mosq.c
++++ b/lib/property_mosq.c
+@@ -959,14 +959,14 @@ int mosquitto_property_check_all(int com
+ if(rc) return rc;
+
+ /* Check for duplicates */
+- tail = p->next;
+- while(tail){
+- if(p->identifier == tail->identifier
+- && p->identifier != MQTT_PROP_USER_PROPERTY){
+-
+- return MOSQ_ERR_DUPLICATE_PROPERTY;
++ if(p->identifier != MQTT_PROP_USER_PROPERTY){
++ tail = p->next;
++ while(tail){
++ if(p->identifier == tail->identifier){
++ return MOSQ_ERR_DUPLICATE_PROPERTY;
++ }
++ tail = tail->next;
+ }
+- tail = tail->next;
+ }
+
+ p = p->next;
+--- /dev/null
++++ b/test/broker/01-connect-575314.py
+@@ -0,0 +1,49 @@
++#!/usr/bin/env python3
++
++# Check for performance of processing user-property on CONNECT
++
++from mosq_test_helper import *
++
++def do_test():
++ rc = 1
++ props = mqtt5_props.gen_string_pair_prop(mqtt5_props.PROP_USER_PROPERTY, "key", "value")
++ for i in range(0, 20000):
++ props += 
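Review bot: The rewritten duplicate check in `mosquitto_property_check_all` carries no comment saying why `MQTT_PROP_USER_PROPERTY` is skipped or what now bounds the scan, and that reasoning is the whole of the CVE-2021-41039 fix. Above the new `if(p->identifier != MQTT_PROP_USER_PROPERTY){` I would add `/* User properties may repeat, so never scan for them. Any other identifier is rejected on its second occurrence, so the number of tail walks is bounded by the number of distinct identifiers. */`. Each non-user property still walks the entire tail, user properties included, so the cost per CONNECT appears to be linear in the list length rather than quadratic; it is worth saying so in the comment so a later refactor does not move the identifier test back inside the loop. The function starts and ends outside this hunk, so any limit on the total property count is not visible here.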
mqtt5_props.gen_string_pair_prop(mqtt5_props.PROP_USER_PROPERTY, "key", "value")
++ connect_packet_slow = mosq_test.gen_connect("connect-user-property", proto_ver=5, properties=props)
++ connect_packet_fast = mosq_test.gen_connect("a"*65000, proto_ver=5)
++ connack_packet = mosq_test.gen_connack(rc=0, proto_ver=5)
++
++ port = mosq_test.get_port()
++ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port)
++
++ try:
++ t_start = time.monotonic()
++ sock = mosq_test.do_client_connect(connect_packet_slow, connack_packet, port=port)
++ t_stop = time.monotonic()
++ sock.close()
++
++ t_diff_slow = t_stop - t_start
++
++ t_start = time.monotonic()
++ sock = mosq_test.do_client_connect(connect_packet_fast, connack_packet, port=port)
++ t_stop = time.monotonic()
++ sock.close()
++
++ t_diff_fast = t_stop - t_start
++ # 20 is chosen as a factor that works in plain mode and running under
++ # valgrind. The slow performance manifests as a factor of >100. Fast is <10.
++ if t_diff_slow / t_diff_fast < 20:
++ rc = 0
++ except mosq_test.TestError:
++ pass
++ finally:
++ broker.terminate()
++ broker.wait()
++ (stdo, stde) = broker.communicate()
++ if rc:
++ print(stde.decode('utf-8'))
++ exit(rc)
++
++
++do_test()
++exit(0)
+--- a/test/broker/Makefile
++++ b/test/broker/Makefile
+@@ -20,6 +20,7 @@ ptest : test-compile
+ test : test-compile 01 02 03 04 05 06 07 08 09 10 11 12 13 14
+
+ 01 :
++ ./01-connect-575314.py
+ ./01-connect-allow-anonymous.py
+ ./01-connect-bad-packet.py
+ ./01-connect-connack-2163.py
+--- a/test/broker/test.py
++++ b/test/broker/test.py
+@@ -5,6 +5,7 @@ import ptest
+
+ tests = [
+ #(ports required, 'path'),
++ (1, './01-connect-575314.py'),
+ (1, './01-connect-allow-anonymous.py'),
+ (1, './01-connect-bad-packet.py'),
+ (1, './01-connect-connack-2163.py'),
diff -Nru mosquitto-2.0.11/debian/patches/series mosquitto-2.0.11/debian/patches/series
--- mosquitto-2.0.11/debian/patches/series 2022-04-16 17:17:09.000000000 +0200
+++ 
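Review bot: The pass condition `if t_diff_slow / t_diff_fast < 20:` in `do_test` divides by a measured interval, and a `t_diff_fast` of 0.0 on a coarse monotonic clock raises ZeroDivisionError, which the `except mosq_test.TestError` clause does not catch. The `exit(rc)` reached from the `finally` block then replaces that exception with a bare exit status 1, so the regression test for the CPU-exhaustion fix would fail with only the broker's stderr and no traceback (indentation is lost in this rendering, so the exact nesting of `exit(rc)` is inferred). Writing the comparison as `if t_diff_slow < 20 * t_diff_fast:` removes the division without changing the threshold. The result is also a ratio of two single wall-clock samples, so a one-line comment that a loaded build machine can skew it would help whoever triages a failure.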
mosquitto-2.0.11/debian/patches/series 2022-12-29 13:38:30.000000000 +0100
@@ -3,3 +3,4 @@
 deb-test.patch
 missing-test.patch
 ssl-sslcontext-wrap_socket.patch
+Fix-CONNECT-performance-with-many-user-properties.patch
diff -Nru mosquitto-2.0.11/debian/tests/broker mosquitto-2.0.11/debian/tests/broker
--- mosquitto-2.0.11/debian/tests/broker 2021-06-09 14:54:33.000000000 +0200
+++ mosquitto-2.0.11/debian/tests/broker 2022-12-29 13:38:30.000000000 +0100
@@ -1 +1,6 @@
+# test/broker/01-connect-575314.py is added by
+# d/p/Fix-CONNECT-performance-with-many-user-properties.patch
+# not executable. As workaround until rebaing to new upstream
+# version, make all py files executable
+chmod -c 755 -- test/broker/*.py
 make -C test/broker test
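Review bot: The comment added to `debian/tests/broker` is hard to parse and contains a typo (`rebaing`), so the reason for the workaround is easy to miss. Something like `# d/p/Fix-CONNECT-performance-with-many-user-properties.patch adds test/broker/01-connect-575314.py without the executable bit.` followed by `# Until the package is rebased onto a new upstream version, make all .py tests executable.` reads more clearly. Presumably the `create mode 100755` in the patch header is not honoured when the quilt series is applied, and saying so in the comment would tell the next uploader when the `chmod` can be dropped. As far as this hunk shows, the script has no `set -e`, so a failing `chmod` would surface only as a later `make` error.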

