Bug#863633: marked as done (unblock: mosquitto/1.4.10-3)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 16:02:39 +0000
with message-id <e1dfn7v-0001ke...@respighi.debian.org>
and subject line unblock mosquitto
has caused the Debian Bug report #863633,
regarding unblock: mosquitto/1.4.10-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package mosquitto

Version 1.4.10-2 currently in testing has a security issue
CVE-2017-7650. This upload fixes that issue.

This upload also fixes #857759, which is a regression against Jessie.

unblock mosquitto/1.4.10-3

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-71-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

*** /home/roger/mosquitto.debdiff
diff -Nru mosquitto-1.4.10/debian/changelog mosquitto-1.4.10/debian/changelog
--- mosquitto-1.4.10/debian/changelog   2016-11-03 22:38:51.000000000 +0000
+++ mosquitto-1.4.10/debian/changelog   2017-05-29 14:38:36.000000000 +0100
@@ -1,3 +1,16 @@
+mosquitto (1.4.10-3) unstable; urgency=high
+
+  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
+    set to '+' or '#'.
+    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
+      of messages to/from clients with a '+', '#' or '/' in their
+      username/client id.
+    - CVE-2017-7650
+  * New patch debian/patches/allow_ipv6_bridges.patch allows bridges to make
+    IPv6 connections when using TLS (closes: #857759).
+
+ -- Roger A. Light <ro...@atchoo.org>  Mon, 29 May 2017 13:43:29 +0100
+
 mosquitto (1.4.10-2) unstable; urgency=medium
 
   * Bumped standards version to 3.9.8. No changes needed.
diff -Nru mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch 
mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch
--- mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch    1970-01-01 
01:00:00.000000000 +0100
+++ mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch    2017-05-29 
13:50:12.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Allow bridges to make IPv6 connections when using TLS.
+Author: Roger Light <ro...@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, 
https://github.com/eclipse/mosquitto/commit/98ea68490626b1d18aee2004b411294c85e62212
+--- a/lib/net_mosq.c
++++ b/lib/net_mosq.c
+@@ -281,14 +281,7 @@
+ 
+       *sock = INVALID_SOCKET;
+       memset(&hints, 0, sizeof(struct addrinfo));
+-#ifdef WITH_TLS
+-      if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
+-              hints.ai_family = PF_INET;
+-      }else
+-#endif
+-      {
+-              hints.ai_family = PF_UNSPEC;
+-      }
++      hints.ai_family = PF_UNSPEC;
+       hints.ai_flags = AI_ADDRCONFIG;
+       hints.ai_socktype = SOCK_STREAM;
+ 
diff -Nru mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch 
mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
--- mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch        
1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch        
2017-05-28 23:10:06.000000000 +0100
@@ -0,0 +1,61 @@
+Description: Fix for CVE-207-7650.
+Author: Roger Light <ro...@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, 
https://mosquitto.org/files/cve/2017-7650/mosquitto-1.4.x_cve-2017-7650.patch
+diff --git a/src/security.c b/src/security.c
+index 6ae9fb9..37ce32b 100644
+--- src/security.c
++++ b/src/security.c
+@@ -233,6 +233,21 @@
+               {
+                       username = context->username;
+               }
++
++              /* Check whether the client id or username contains a +, # or / 
and if
++               * so deny access.
++               *
++               * Do this check for every message regardless, we have to 
protect the
++               * plugins against possible pattern based attacks.
++               */
++              if(username && strpbrk(username, "+#/")){
++                      _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL 
denying access to client with dangerous username \"%s\"", username);
++                      return MOSQ_ERR_ACL_DENIED;
++              }
++              if(context->id && strpbrk(context->id, "+#/")){
++                      _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL 
denying access to client with dangerous client id \"%s\"", context->id);
++                      return MOSQ_ERR_ACL_DENIED;
++              }
+               return db->auth_plugin.acl_check(db->auth_plugin.user_data, 
context->id, username, topic, access);
+       }
+ }
+diff --git a/src/security_default.c b/src/security_default.c
+index 64ca846..a41c21f 100644
+--- src/security_default.c
++++ b/src/security_default.c
+@@ -261,6 +261,26 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, 
struct mosquitto *conte
+       }
+ 
+       acl_root = db->acl_patterns;
++
++      if(acl_root){
++              /* We are using pattern based acls. Check whether the username 
or
++               * client id contains a +, # or / and if so deny access.
++               *
++               * Without this, a malicious client may configure its 
username/client
++               * id to bypass ACL checks (or have a username/client id that 
cannot
++               * publish or receive messages to its own place in the 
hierarchy).
++               */
++              if(context->username && strpbrk(context->username, "+#/")){
++                      _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL 
denying access to client with dangerous username \"%s\"", context->username);
++                      return MOSQ_ERR_ACL_DENIED;
++              }
++
++              if(context->id && strpbrk(context->id, "+#/")){
++                      _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL 
denying access to client with dangerous client id \"%s\"", context->id);
++                      return MOSQ_ERR_ACL_DENIED;
++              }
++      }
++
+       /* Loop through all pattern ACLs. */
+       clen = strlen(context->id);
+       while(acl_root){
diff -Nru mosquitto-1.4.10/debian/patches/series 
mosquitto-1.4.10/debian/patches/series
--- mosquitto-1.4.10/debian/patches/series      2016-11-03 22:36:53.000000000 
+0000
+++ mosquitto-1.4.10/debian/patches/series      2017-05-29 13:47:08.000000000 
+0100
@@ -6,3 +6,5 @@
 libdir.patch
 build-timestamp.patch
 hurd-errno.patch
+mosquitto-1.4.10_cve-2017-7650.patch
+allow_ipv6_bridges.patch

--- End Message ---

--- Begin Message ---

Unblocked.

--- End Message ---