Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package mosquitto

Version 1.4.10-2 currently in testing has a security issue, CVE-2017-7650. This upload fixes that issue. This upload also fixes #857759, which is a regression against Jessie.

unblock mosquitto/1.4.10-3

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-71-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

*** /home/roger/mosquitto.debdiff
diff -Nru mosquitto-1.4.10/debian/changelog mosquitto-1.4.10/debian/changelog --- mosquitto-1.4.10/debian/changelog 2016-11-03 22:38:51.000000000 +0000 +++ mosquitto-1.4.10/debian/changelog 2017-05-29 14:38:36.000000000 +0100 @@ -1,3 +1,16 @@ +mosquitto (1.4.10-3) unstable; urgency=high + + * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id + set to '+' or '#'. + - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive + of messages to/from clients with a '+', '#' or '/' in their + username/client id. + - CVE-2017-7650 + * New patch debian/patches/allow_ipv6_bridges.patch allows bridges to make + IPv6 connections when using TLS (closes: #857759). + + -- Roger A. Light <ro...@atchoo.org> Mon, 29 May 2017 13:43:29 +0100 + mosquitto (1.4.10-2) unstable; urgency=medium * Bumped standards version to 3.9.8. No changes needed. diff -Nru mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch --- mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch 1970-01-01 01:00:00.000000000 +0100 +++ mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch 2017-05-29 13:50:12.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: Allow bridges to make IPv6 connections when using TLS. +Author: Roger Light <ro...@atchoo.org> +Forwarded: not-needed +Origin: upstream, https://github.com/eclipse/mosquitto/commit/98ea68490626b1d18aee2004b411294c85e62212 +--- a/lib/net_mosq.c ++++ b/lib/net_mosq.c +@@ -281,14 +281,7 @@ + + *sock = INVALID_SOCKET; + memset(&hints, 0, sizeof(struct addrinfo)); +-#ifdef WITH_TLS +- if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){ +- hints.ai_family = PF_INET; +- }else +-#endif +- { +- hints.ai_family = PF_UNSPEC; +- } ++ hints.ai_family = PF_UNSPEC; + hints.ai_flags = AI_ADDRCONFIG; + hints.ai_socktype = SOCK_STREAM; + diff -Nru mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch --- mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch 1970-01-01 01:00:00.000000000 +0100 +++ mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch 2017-05-28 23:10:06.000000000 +0100 
@@ -0,0 +1,61 @@ +Description: Fix for CVE-207-7650. +Author: Roger Light <ro...@atchoo.org> +Forwarded: not-needed +Origin: upstream, https://mosquitto.org/files/cve/2017-7650/mosquitto-1.4.x_cve-2017-7650.patch +diff --git a/src/security.c b/src/security.c +index 6ae9fb9..37ce32b 100644 +--- src/security.c ++++ b/src/security.c +@@ -233,6 +233,21 @@ + { + username = context->username; + } ++ ++ /* Check whether the client id or username contains a +, # or / and if ++ * so deny access. ++ * ++ * Do this check for every message regardless, we have to protect the ++ * plugins against possible pattern based attacks. ++ */ ++ if(username && strpbrk(username, "+#/")){ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", username); ++ return MOSQ_ERR_ACL_DENIED; ++ } ++ if(context->id && strpbrk(context->id, "+#/")){ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id); ++ return MOSQ_ERR_ACL_DENIED; ++ } + return db->auth_plugin.acl_check(db->auth_plugin.user_data, context->id, username, topic, access); + } + } +diff --git a/src/security_default.c b/src/security_default.c +index 64ca846..a41c21f 100644 +--- src/security_default.c ++++ b/src/security_default.c +@@ -261,6 +261,26 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, struct mosquitto *conte + } + + acl_root = db->acl_patterns; ++ ++ if(acl_root){ ++ /* We are using pattern based acls. Check whether the username or ++ * client id contains a +, # or / and if so deny access. ++ * ++ * Without this, a malicious client may configure its username/client ++ * id to bypass ACL checks (or have a username/client id that cannot ++ * publish or receive messages to its own place in the hierarchy). 
++ */ ++ if(context->username && strpbrk(context->username, "+#/")){ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", context->username); ++ return MOSQ_ERR_ACL_DENIED; ++ } ++ ++ if(context->id && strpbrk(context->id, "+#/")){ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id); ++ return MOSQ_ERR_ACL_DENIED; ++ } ++ } ++ + /* Loop through all pattern ACLs. */ + clen = strlen(context->id); + while(acl_root){ diff -Nru mosquitto-1.4.10/debian/patches/series mosquitto-1.4.10/debian/patches/series --- mosquitto-1.4.10/debian/patches/series 2016-11-03 22:36:53.000000000 +0000 +++ mosquitto-1.4.10/debian/patches/series 2017-05-29 13:47:08.000000000 +0100 @@ -6,3 +6,5 @@ libdir.patch build-timestamp.patch hurd-errno.patch +mosquitto-1.4.10_cve-2017-7650.patch +allow_ipv6_bridges.patch
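Review bot: the debian/changelog hunk names the new patch `debian/patches/mosquitto-0.15_cve-2017-7650.patch`, but the file actually added and listed in the debian/patches/series hunk is `mosquitto-1.4.10_cve-2017-7650.patch`; correct the changelog entry so the two names match before the upload is unblocked. The rest of the entry is in order: it cites CVE-2017-7650 and closes #857759 for the IPv6 bridge fix.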
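Review bot: the Description of allow_ipv6_bridges.patch is scoped to bridges, but the hunk is in lib/net_mosq.c, the shared client-library code (the removed block reads `mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk`), so dropping the `hints.ai_family = PF_INET` special case lifts the IPv4-only restriction for every TLS connection made through libmosquitto, not only broker bridges; say so in the DEP-3 header. The `#ifdef WITH_TLS` block being removed forced IPv4 deliberately whenever TLS was configured, and nothing in the patch states why that restriction is now safe to remove; a one-line rationale in the Description, or a pointer to the reasoning in the upstream commit it is taken from, would make the unblock easier to judge.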
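Review bot: the DEP-3 header of mosquitto-1.4.10_cve-2017-7650.patch reads `Description: Fix for CVE-207-7650.`; the identifier is missing a digit and should read CVE-2017-7650. In the src/security.c hunk, the two `strpbrk(..., "+#/")` checks and their `_mosquitto_log_printf` lines are repeated verbatim in the src/security_default.c hunk; moving them into one static helper called from both places would keep the plugin and default paths from drifting apart. The log lines also write the client-chosen username and client id into the log unmodified via `%s`, and the comment says the check runs "for every message regardless", so a client that is already being denied can keep emitting NOTICE lines containing arbitrary text at message rate; consider rejecting such clients once at CONNECT time, or at least truncating or rate-limiting what is logged.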
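Review bot: in the src/security_default.c hunk the new check guards against a NULL client id (`if(context->id && strpbrk(context->id, "+#/"))`), but the unchanged line immediately after the added block, `clen = strlen(context->id);`, dereferences `context->id` unconditionally, so either the NULL guard is redundant or the existing `strlen` needs the same guard; make the two lines agree. Note also that this check is wrapped in `if(acl_root)` and therefore only runs when pattern ACLs are configured, whereas the src/security.c hunk rejects '+', '#' and '/' on every ACL check regardless; with only static ACLs the default backend will still accept such clients. If that asymmetry is intended, say so in the comment: the src/security.c comment explains the plugin side ("protect the plugins against possible pattern based attacks"), but nothing here explains why the default backend is narrower.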