Control: tag -1 - moreinfo
Control: tag -1 confirmed

OK, go ahead and upload then.
Cheers, Julien On Sat, Feb 10, 2018 at 11:13:06 +0000, Roger Light wrote: > Thanks for taking a look at this. > > The application only creates this file and log files, so I don't > believe it should have any other impact. > > Regards, > > Roger > > > On 10 February 2018 at 09:07, Julien Cristau <jcris...@debian.org> wrote: > > Control: tag -1 moreinfo > > > > On Fri, Dec 22, 2017 at 23:47:34 +0000, Roger A. Light wrote: > > > >> +Description: Fix for CVE-207-9868. > >> +Author: Roger Light <ro...@atchoo.org> > >> +Forwarded: not-needed > >> +Origin: upstream, > >> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch > >> +--- a/src/persist.c > >> ++++ b/src/persist.c > >> +@@ -362,6 +362,10 @@ > >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving > >> in-memory database, out of memory."); > >> + return MOSQ_ERR_NOMEM; > >> + } > >> ++ > >> ++ /* Restrict access to persistence file. */ > >> ++ umask(0077); > >> ++ > >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); > >> + outfile[len] = '\0'; > >> + > > > > Is this likely to negatively affect other files the application might > > create? > > > > Cheers, > > Julien >
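Review bot: the `umask(0077);` added in the `@@ -362,6 +362,10 @@` hunk of src/persist.c changes the mask for the whole process and is never restored, so it also applies to every file the process creates after this point, not only the persistence file. If only the persistence file should be restricted, save the previous value (`mode_t old = umask(0077);`) and call `umask(old);` once the `.new` file has been created, or set the mode on the opened file itself with `fchmod()`. The latter also covers a `.new` file that already exists with wider permissions, since umask only takes effect at creation time. Separately, the `Description:` header reads "CVE-207-9868" while the `Origin:` URL uses 2017-9868; the header should say CVE-2017-9868.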