Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
This patch fixes CVE-2017-9868 for mosquitto. The security team believes
it is not worthy of a DSA and should be fixed by a point release
instead.
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-97-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff -Nru mosquitto-1.3.4/debian/changelog mosquitto-1.3.4/debian/changelog
--- mosquitto-1.3.4/debian/changelog 2017-05-23 22:14:40.0 +0100
+++ mosquitto-1.3.4/debian/changelog 2017-12-22 23:12:38.0 +
@@ -1,3 +1,13 @@
+mosquitto (1.3.4-2+deb8u2) jessie; urgency=medium
+
+ * SECURITY UPDATE: Mosquitto persistence file is world readable.
+- debian/patches/mosquitto-1.3.4_cve-2017-9868.patch: Set umask to limit
+ read permissions.
+- CVE-2017-9868
+(closes: #865959)
+
+ -- Roger A. Light Fri, 22 Dec 2017 21:44:30 +
+
mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high
* SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
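Review bot: the changelog entry's description "Set umask to limit read permissions" understates what the patch does: umask(0077) clears read, write and execute for group and other, not only read, and it applies to every file the broker creates afterwards, not just the persistence file. Suggest wording such as "Set umask 0077 before writing the persistence file so it is not group/world accessible" so the entry matches the actual behaviour change.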
diff -Nru mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch
--- mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch 1970-01-01 01:00:00.0 +0100
+++ mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch 2017-06-26 09:38:24.0 +0100
@@ -0,0 +1,17 @@
+Description: Fix for CVE-207-9868.
+Author: Roger Light
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.3.4_cve-2017-9868.patch
+--- a/src/persist.c
b/src/persist.c
+@@ -379,6 +379,10 @@
+ _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
+ return MOSQ_ERR_NOMEM;
+ }
++
++ /* Restrict access to persistence file. */
++ umask(0077);
++
+ snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
+ db_fptr = _mosquitto_fopen(outfile, "wb");
+ if(db_fptr == NULL){
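Review bot: the umask(0077) call at the top of the added block is process-wide and is never restored, so after the first persistence save every file the mosquitto process creates inherits the restrictive mode; that is a safe default for a security fix, but it should either be stated in the Description or the previous mask should be saved and reinstated around the fopen (mode_t old = umask(0077); ... umask(old);). Two smaller points in the same hunk: the Description line reads "Fix for CVE-207-9868" and should be "CVE-2017-9868", and the "b/src/persist.c" header line is missing its "+++" prefix as shown here, so please confirm the patch file in the source package carries the full "+++ b/src/persist.c" line, otherwise quilt will not apply it. Also worth confirming that persist.c already includes <sys/stat.h> for umask(), since the hunk adds no include.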
diff -Nru mosquitto-1.3.4/debian/patches/series mosquitto-1.3.4/debian/patches/series
--- mosquitto-1.3.4/debian/patches/series 2017-05-23 22:14:40.0 +0100
+++ mosquitto-1.3.4/debian/patches/series 2017-12-22 21:47:21.0 +
@@ -5,3 +5,4 @@
pynomake.patch
disable-in-tree-uthash.patch
mosquitto-1.3.4_cve-2017-7650.patch
+mosquitto-1.3.4_cve-2017-9868.patch