Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
This patch fixes CVE-2017-9868 for mosquitto. The security team believes it is not worthy of a DSA and should be fixed by a point release instead. -- System Information: Debian Release: stretch/sid APT prefers xenial-updates APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.4.0-97-generic (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system)
diff -Nru mosquitto-1.3.4/debian/changelog mosquitto-1.3.4/debian/changelog --- mosquitto-1.3.4/debian/changelog 2017-05-23 22:14:40.000000000 +0100 +++ mosquitto-1.3.4/debian/changelog 2017-12-22 23:12:38.000000000 +0000 @@ -1,3 +1,13 @@ +mosquitto (1.3.4-2+deb8u2) jessie; urgency=medium + + * SECURITY UPDATE: Mosquitto persistence file is world readable. + - debian/patches/mosquitto-1.3.4_cve-2017-9868.patch: Set umask to limit + read permissions. + - CVE-2017-9868 + (closes: #865959) + + -- Roger A. Light <ro...@atchoo.org> Fri, 22 Dec 2017 21:44:30 +0000 + mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id diff -Nru mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch --- mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch 1970-01-01 01:00:00.000000000 +0100 +++ mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch 2017-06-26 09:38:24.000000000 +0100 @@ -0,0 +1,17 @@ +Description: Fix for CVE-207-9868. +Author: Roger Light <ro...@atchoo.org> +Forwarded: not-needed +Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.3.4_cve-2017-9868.patch +--- a/src/persist.c ++++ b/src/persist.c +@@ -379,6 +379,10 @@ + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory."); + return MOSQ_ERR_NOMEM; + } ++ ++ /* Restrict access to persistence file. */ ++ umask(0077); ++ + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); + db_fptr = _mosquitto_fopen(outfile, "wb"); + if(db_fptr == NULL){ diff -Nru mosquitto-1.3.4/debian/patches/series mosquitto-1.3.4/debian/patches/series --- mosquitto-1.3.4/debian/patches/series 2017-05-23 22:14:40.000000000 +0100 +++ mosquitto-1.3.4/debian/patches/series 2017-12-22 21:47:21.000000000 +0000 @@ -5,3 +5,4 @@ pynomake.patch disable-in-tree-uthash.patch mosquitto-1.3.4_cve-2017-7650.patch +mosquitto-1.3.4_cve-2017-9868.patch