[Bug 1700490] Re: Persistence file is world readable
This bug was fixed in the package mosquitto - 1.4.10-2ubuntu0.2

---
mosquitto (1.4.10-2ubuntu0.2) zesty-security; urgency=low

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data (LP: #1700490).
    - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to restrict
      persistence file read access to owner.
    - CVE-2017-9868

 -- ro...@atchoo.org (Roger A. Light)  Mon, 26 Jun 2017 09:31:02 +0100

** Changed in: mosquitto (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9868

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700490

Title:
  Persistence file is world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1700490] Re: Persistence file is world readable
Ok, thanks for the changes. I've done build and runtime tests of the patches.
[Bug 1700490] Re: Persistence file is world readable
Hi Roger - The debdiffs looked pretty good to me. IIRC, I only had to make two small changes:

1) The Trusty debdiff's changelog entry didn't reference this bug
2) The Zesty debdiff's version needed to be adjusted from 1.4.10-1ubuntu0.2 to 1.4.10-2ubuntu0.2

I've uploaded the packages to the ubuntu-security-proposed PPA:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please comment on what amount of testing you've performed. If the builds go as expected and the testing is green, we'll get these updates published next week. Thanks!
[Bug 1700490] Re: Persistence file is world readable
A fair point... The only files that mosquitto can create are a pid file (if created then occurring before this call to umask), the persistence file and log files. Having the log files readable by all would probably be a bad thing as well.
[Bug 1700490] Re: Persistence file is world readable
Hello Roger, does this persistence happen in a process dedicated to persistence? If not I fear this may introduce a regression by not putting the umask back afterwards. (Granted the POSIX interfaces for this are pretty crummy.)

Thanks
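The umask behaviour this thread turns on, as an added example (not mosquitto's patch and not code from any message here): a file created with `fopen()` gets mode 0666 with the umask bits cleared, so a 022 umask yields a world-readable file and 077 restricts it to the owner. The function names and the scratch path are hypothetical; the sketch also restores the previous umask, which is the concern raised in the message above.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The umask can only be read by setting it, so set it and put it back. */
static mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* Create a file with fopen() while `mask` is the umask and return the
   permission bits it ends up with (-1 on error). The caller's umask is
   restored before returning, so later file creation is unaffected. */
static int mode_after_fopen(mode_t mask)
{
    char dir[] = "/tmp/umask_demo_XXXXXX";   /* constructed scratch location */
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)                /* private 0700 directory */
        return -1;
    snprintf(path, sizeof path, "%s/persistence.db", dir);

    mode_t old = umask(mask);
    FILE *f = fopen(path, "wb");             /* fopen() requests 0666 & ~umask */
    umask(old);                              /* put the umask back */

    if (f != NULL) {
        fclose(f);
        if (stat(path, &st) == 0)
            result = (int)(st.st_mode & 0777);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("umask 022 -> %04o\n", (unsigned)mode_after_fopen(0022));
    printf("umask 077 -> %04o\n", (unsigned)mode_after_fopen(0077));
    printf("process umask afterwards: %04o\n", (unsigned)current_umask());
    return 0;
}
```

The umask is process-wide, so in a multithreaded program any file another thread creates between the two `umask()` calls is created under the temporary mask as well.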
[Bug 1700490] Re: Persistence file is world readable
Artful is also affected, but I'm going to fix that with a new upstream release.

** Changed in: mosquitto (Ubuntu)
       Status: New => Confirmed
[Bug 1700490] Re: Persistence file is world readable
** Patch added: "yakkety-cve-2017-9868.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903459/+files/yakkety-cve-2017-9868.debdiff
[Bug 1700490] Re: Persistence file is world readable
** Patch added: "xenial-cve-2017-9868.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903458/+files/xenial-cve-2017-9868.debdiff
[Bug 1700490] Re: Persistence file is world readable
** Patch added: "zesty-cve-2017-9868.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903460/+files/zesty-cve-2017-9868.debdiff
[Bug 1700490] Re: Persistence file is world readable
** Patch added: "trusty-cve-2017-9868.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903457/+files/trusty-cve-2017-9868.debdiff