Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
This patch fixes CVE-2017-9868 for mosquitto. The security team does not believe it is worthy of a DSA and suggests a point release instead.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-97-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff -Nru mosquitto-1.4.10/debian/changelog mosquitto-1.4.10/debian/changelog --- mosquitto-1.4.10/debian/changelog 2017-05-29 14:38:36.000000000 +0100 +++ mosquitto-1.4.10/debian/changelog 2017-12-22 21:29:50.000000000 +0000 @@ -1,3 +1,12 @@ +mosquitto (1.4.10-3+deb9u1) stretch; urgency=medium + + * SECURITY UPDATE: Mosquitto persistence file is world readable. + - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to limit + read permissions. + - CVE-2017-9868 + + -- Roger A. Light <ro...@atchoo.org> Fri, 22 Dec 2017 08:19:25 +0000 + mosquitto (1.4.10-3) unstable; urgency=high * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id diff -Nru mosquitto-1.4.10/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch mosquitto-1.4.10/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch --- mosquitto-1.4.10/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch 1970-01-01 01:00:00.000000000 +0100 +++ mosquitto-1.4.10/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch 2017-06-26 09:41:10.000000000 +0100 @@ -0,0 +1,17 @@ +Description: Fix for CVE-207-9868. +Author: Roger Light <ro...@atchoo.org> +Forwarded: not-needed +Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch +--- a/src/persist.c ++++ b/src/persist.c +@@ -362,6 +362,10 @@ + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory."); + return MOSQ_ERR_NOMEM; + } ++ ++ /* Restrict access to persistence file. */ ++ umask(0077); ++ + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); + outfile[len] = '\0'; + diff -Nru mosquitto-1.4.10/debian/patches/series mosquitto-1.4.10/debian/patches/series --- mosquitto-1.4.10/debian/patches/series 2017-05-29 13:47:08.000000000 +0100 +++ mosquitto-1.4.10/debian/patches/series 2017-12-22 08:23:41.000000000 +0000 @@ -8,3 +8,4 @@ hurd-errno.patch mosquitto-1.4.10_cve-2017-7650.patch allow_ipv6_bridges.patch +mosquitto-1.4.x_cve-2017-9868.patch
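Review bot: in the new mosquitto-1.4.x_cve-2017-9868.patch hunk, the `umask(0077);` inserted before the `snprintf(outfile, len, "%s.new", ...)` line is a process-wide setting and nothing in the hunk restores it, so every file the broker creates after its first persistence save, not just the `.new` persistence file, will be created without group or other permission bits; unless that is intended, save the old mask and put it back once the file is open, e.g. `mode_t old_umask = umask(0077);` before the open and `umask(old_umask);` after it (or `fchmod()` the newly opened file to 0600 instead). Two smaller points on the same hunk: it introduces a call to `umask()` but shows no `#include <sys/stat.h>`, so confirm `src/persist.c` already includes it; and the `Description:` line of the patch header reads `CVE-207-9868`, which should be `CVE-2017-9868` to match the changelog entry and the `Origin:` URL. Finally, a tighter umask only affects files created from then on: a persistence file already on disk from a pre-update broker keeps its existing world-readable mode until it is rewritten or an administrator tightens it by hand, which is worth a sentence in the point-release notes.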