Bug#885028: jessie-pu: package mosquitto/1.3.4-2+deb8u2

2018-06-08 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Fri, 2017-12-22 at 23:44 +, Roger A. Light wrote:
> This patch fixes CVE-2017-9868 for mosquitto. The security team
> believes
> it is not worthy of a DSA and should be fixed by a point release
> instead.
> 

Please go ahead; sorry for the delay.

Regards,

Adam

Processed: Re: Bug#885028: jessie-pu: package mosquitto/1.3.4-2+deb8u2

2018-06-08 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + confirmed
Bug #885028 [release.debian.org] jessie-pu: package mosquitto/1.3.4-2+deb8u2
Added tag(s) confirmed.

-- 
885028: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885028
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#885028: jessie-pu: package mosquitto/1.3.4-2+deb8u2

2017-12-22 Thread Roger A. Light 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This patch fixes CVE-2017-9868 for mosquitto. The security team believes
it is not worthy of a DSA and should be fixed by a point release
instead.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-97-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff -Nru mosquitto-1.3.4/debian/changelog mosquitto-1.3.4/debian/changelog
--- mosquitto-1.3.4/debian/changelog	2017-05-23 22:14:40.0 +0100
+++ mosquitto-1.3.4/debian/changelog	2017-12-22 23:12:38.0 +
@@ -1,3 +1,13 @@
+mosquitto (1.3.4-2+deb8u2) jessie; urgency=medium
+
+  * SECURITY UPDATE: Mosquitto persistence file is world readable.
+- debian/patches/mosquitto-1.3.4_cve-2017-9868.patch: Set umask to limit
+  read permissions.
+- CVE-2017-9868
+(closes: #865959)
+
+ -- Roger A. Light   Fri, 22 Dec 2017 21:44:30 +
+
 mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high
 
   * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
diff -Nru mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch
--- mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch	1970-01-01 01:00:00.0 +0100
+++ mosquitto-1.3.4/debian/patches/mosquitto-1.3.4_cve-2017-9868.patch	2017-06-26 09:38:24.0 +0100
@@ -0,0 +1,17 @@
+Description: Fix for CVE-207-9868.
+Author: Roger Light 
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.3.4_cve-2017-9868.patch
+--- a/src/persist.c
 b/src/persist.c
+@@ -379,6 +379,10 @@
+ 		_mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
+ 		return MOSQ_ERR_NOMEM;
+ 	}
++
++	/* Restrict access to persistence file. */
++	umask(0077);
++
+ 	snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
+ 	db_fptr = _mosquitto_fopen(outfile, "wb");
+ 	if(db_fptr == NULL){
diff -Nru mosquitto-1.3.4/debian/patches/series mosquitto-1.3.4/debian/patches/series
--- mosquitto-1.3.4/debian/patches/series	2017-05-23 22:14:40.0 +0100
+++ mosquitto-1.3.4/debian/patches/series	2017-12-22 21:47:21.0 +
@@ -5,3 +5,4 @@
 pynomake.patch
 disable-in-tree-uthash.patch
 mosquitto-1.3.4_cve-2017-7650.patch
+mosquitto-1.3.4_cve-2017-9868.patch