*** This bug is a security vulnerability *** Public security bug reported:
This seems like it is straightforward but I ended up requiring 3 patches for this one to work. I built the source that came with `apt-get source mosquitto` and was able to crash it.

The CVE page https://www.cve.org/CVERecord?id=CVE-2024-8376 lists the GitHub commit https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17. That patch did not fully work because there was a change in the method signature for `sub__add` and `sub__remove`. We need to apply https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84 first. But that didn't fully solve the issue because it was missing https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79

```
curl --silent https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84.patch -o ~/patch-1.patch
curl --silent https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79.patch -o ~/patch-2.patch
curl --silent https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17.patch -o ~/patch-3.patch
patch -p1 < ~/patch-1.patch
patch -p1 < ~/patch-2.patch
filterdiff -x '*/ChangeLog.txt' ~/patch-3.patch | patch -p1
```

No files were hand-edited. This was all just applying patches (and ignoring ChangeLog.txt). I applied all 3 patches, built it and tested it on a multipass VM with Ubuntu 24.04 aarch64 running on an Apple M2.

```
dpkg-buildpackage -us -uc -b
```

The only file that could not be patched was ChangeLog.txt so I used filterdiff to filter it out.
When it broke, I had something like this:

```
ubuntu@launchpad:~$ python3 poc-cve-2024-8376.py
Iteration 0: OK
Iteration 1: OK
Iteration 2: OK
Iteration 3: OK
Iteration 4: OK
Iteration 5: OK
Iteration 6: OK
Iteration 7: OK
Iteration 8: OK
Iteration 9: OK
Iteration 10: OK
Iteration 11: broker down - [Errno 32] Broken pipe
```

And when it was patched:

```
Iteration 94: OK
Iteration 95: OK
Iteration 96: OK
Iteration 97: OK
Iteration 98: OK
Iteration 99: OK
Broker survived all iterations
```

This was the config file:

```
$ cat /tmp/mosquitto_test.conf
listener 11883
allow_anonymous true
```

And this was how I started it:

```
./debian/mosquitto/usr/sbin/mosquitto -c /tmp/mosquitto_test.conf -v
```

The configuration `allow_anonymous true` was needed to crash it. After the patch, the same config file and the same Python script were used. It did not crash after it was patched.

** Affects: mosquitto (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "mosquitto_CVE-2024-8376.debdiff"
   https://bugs.launchpad.net/bugs/2141738/+attachment/5945786/+files/mosquitto_CVE-2024-8376.debdiff

** Information type changed from Private Security to Public Security

** CVE added: https://cve.org/CVERecord?id=CVE-2024-8376

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141738

Title:
  CVE-2024-8376: use-after-free in shared subscription handling

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/2141738/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
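The ordering problem the report describes (the fix commit only applies once the commit that changed the `sub__add`/`sub__remove` signatures is in place) can be shown on a toy tree with a strict, zero-fuzz unified-diff applier. This is an added example, not code from the bug report, from Ubuntu or from the mosquitto project; the source file, the two patch texts and the body given to `sub__add` are constructed and only mimic the shape of the real commits. Applying with zero fuzz matters for backports: `patch`'s default fuzz of 2 would let a hunk land on mismatched context, which is exactly how a security fix ends up silently half-applied.

```python
"""Strict unified-diff applier demonstrating why a backport series must be
applied in order. Added example; the source lines and patches are constructed
toys, not the real mosquitto commits."""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


class PatchError(Exception):
    """Raised when a hunk's context or removed lines do not match the file."""


def parse_patch(text):
    """Parse a single-file unified diff into [(old_start, [(tag, line), ...])].
    tag is ' ', '-' or '+'. The ---/+++ file headers before the first hunk
    and '\\ No newline at end of file' markers are skipped."""
    hunks = []
    current = None
    for raw in text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            current = (int(m.group(1)), [])
            hunks.append(current)
        elif current is None:
            continue  # file headers
        elif raw == "":
            current[1].append((" ", ""))  # blank context line with trailing space stripped
        elif raw[0] in " -+":
            current[1].append((raw[0], raw[1:]))
    return hunks


def apply_patch(lines, patch_text):
    """Apply patch_text to lines with zero fuzz: every context and removed line
    must match exactly at the hunk's stated position (shifted by earlier hunks).
    Returns a new list; raises PatchError without modifying the input."""
    out = list(lines)
    offset = 0  # net lines added by earlier hunks
    for old_start, body in parse_patch(patch_text):
        pos = old_start - 1 + offset
        expected = [line for tag, line in body if tag != "+"]
        if out[pos:pos + len(expected)] != expected:
            raise PatchError(f"hunk at line {old_start} does not match")
        replacement = [line for tag, line in body if tag != "-"]
        out[pos:pos + len(expected)] = replacement
        offset += len(replacement) - len(expected)
    return out


def apply_series(lines, patches):
    """Apply (name, text) patches in order, stopping at the first failure.
    Returns (lines_after_successful_patches, failed_name_or_None)."""
    for name, text in patches:
        try:
            lines = apply_patch(lines, text)
        except PatchError:
            return lines, name
    return lines, None


# Constructed toy source: one function with the "old" signature.
SOURCE = ["int sub__add(int a)", "{", "    return a;", "}"]

# Constructed prerequisite: changes the signature, like the first commit above.
PATCH_SIGNATURE = """\
--- a/src/sub.c
+++ b/src/sub.c
@@ -1,4 +1,4 @@
-int sub__add(int a)
+int sub__add(int a, int b)
 {
     return a;
 }
"""

# Constructed "fix": its context lines assume the new signature already exists.
PATCH_FIX = """\
--- a/src/sub.c
+++ b/src/sub.c
@@ -1,4 +1,4 @@
 int sub__add(int a, int b)
 {
-    return a;
+    return a + b;
 }
"""


def fix_alone():
    """The fix applied on its own: context mismatch, nothing is changed."""
    return apply_series(SOURCE, [("patch-fix", PATCH_FIX)])


def fix_in_order():
    """Prerequisite first, then the fix: both hunks match."""
    return apply_series(SOURCE, [("patch-signature", PATCH_SIGNATURE),
                                 ("patch-fix", PATCH_FIX)])


if __name__ == "__main__":
    print("fix alone   ->", fix_alone())
    print("in order    ->", fix_in_order())
```

Running it shows the fix being rejected when applied alone and the patched function body once the signature change goes first; the same check, run before each real patch in a series, is what turns a "does it build?" backport into a "did every hunk land where upstream put it?" backport.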
