Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hello Stable release team,

I would like to update mqtt-client in buster to fix CVE-2019-0222. 
It is fixed in stretch, bullseye and sid. Right now stretch-security 
has a newer version (1.14-1+9u1) than buster, breaking clean upgrades 
to buster. CVE-2019-0222 is no-dsa, thus using pu. The Vcs field URLs 
are also updated.

Debdiff is attached. Please allow uploading this fix to buster.


--abhijith

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mqtt-client-1.14/debian/changelog mqtt-client-1.14/debian/changelog
--- mqtt-client-1.14/debian/changelog   2016-07-19 13:30:10.000000000 +0530
+++ mqtt-client-1.14/debian/changelog   2021-05-21 21:59:49.000000000 +0530
@@ -1,3 +1,13 @@
+mqtt-client (1.14-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to
+    broker Out of Memory exception making it unresponsive.
+    (Closes: #988109)
+  * Update Vcs-* URL in d/control.
+
+ -- Abhijith PA <abhij...@debian.org>  Fri, 21 May 2021 21:59:49 +0530
+
 mqtt-client (1.14-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru mqtt-client-1.14/debian/control mqtt-client-1.14/debian/control
--- mqtt-client-1.14/debian/control     2016-07-19 13:28:53.000000000 +0530
+++ mqtt-client-1.14/debian/control     2021-05-21 21:59:49.000000000 +0530
@@ -10,8 +10,8 @@
                libmaven-bundle-plugin-java,
                maven-debian-helper (>= 1.5)
 Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/mqtt-client.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/mqtt-client.git
+Vcs-Git: https://salsa.debian.org/java-team/mqtt-client.git
+Vcs-Browser: https://salsa.debian.org/java-team/mqtt-client
 Homepage: http://mqtt-client.fusesource.org
 
 Package: libmqtt-client-java
diff -Nru mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 
mqtt-client-1.14/debian/patches/CVE-2019-0222.patch
--- mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 1970-01-01 
05:30:00.000000000 +0530
+++ mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 2021-05-21 
21:59:02.000000000 +0530
@@ -0,0 +1,21 @@
+Description: CVE-2019-0222
+
+ unmarshalling corrupt MQTT frame can lead
+ to broker Out of Memory exception making it unresponsive.
+
+Author: Abhijith PA <abhij...@debian.org>
+
+diff --git 
a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java 
b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+index 
08fb8391abbbdb365310cda08373b3a7e4befc3e..a0a5e8ee4cec70d37b9c451e9f2bd02010107dfa
 100644
+--- a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
++++ b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+@@ -62,6 +62,9 @@ public final class MessageSupport {
+ 
+     static protected UTF8Buffer readUTF(DataByteArrayInputStream is) throws 
ProtocolException {
+         int size = is.readUnsignedShort();
++        if (size < 0) {
++            throw new ProtocolException("Invalid message encoding");
++        }
+         Buffer buffer = is.readBuffer(size);
+         if (buffer == null || buffer.length != size) {
+             throw new ProtocolException("Invalid message encoding");
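Review bot: the new guard in readUTF cannot fire, so this hunk does not address the issue it is named for: `size` comes from `is.readUnsignedShort()`, which by definition yields a value in 0..65535, so `if (size < 0)` is dead code, and the following `buffer == null || buffer.length != size` check already rejects a truncated string. An out-of-memory condition from a corrupt frame would have to come from a length field that is trusted for allocation elsewhere in the codec, not from this two-byte UTF length; please compare against the upstream fix for CVE-2019-0222 and test by feeding the patched library a frame with an oversized length before uploading. The patch header should also carry DEP-3 `Origin:` / `Bug:` / `Bug-Debian: https://bugs.debian.org/988109` fields rather than listing only the Debian uploader as `Author:`, since a security patch that is not traceable to upstream is hard for the next maintainer to verify.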
diff -Nru mqtt-client-1.14/debian/patches/series 
mqtt-client-1.14/debian/patches/series
--- mqtt-client-1.14/debian/patches/series      1970-01-01 05:30:00.000000000 
+0530
+++ mqtt-client-1.14/debian/patches/series      2021-05-21 21:59:02.000000000 
+0530
@@ -0,0 +1 @@
+CVE-2019-0222.patch

Attachment: signature.asc
Description: PGP signature
