Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 620144 (CVE-2017-7650)

Summary: <app-misc/mosquitto-1.4.12: Pattern based ACLs can be bypassed
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: neil, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1456507
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-05-29 14:58:54 UTC
From ${URL} :

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11.

Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. 
The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

External References:



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aleksandr Wagner (Kivak) 2017-09-30 16:39:32 UTC
The most current version in the tree is 1.4.14 and only versions before 1.4.12 are vulnerable. Since nothing is left this bug is resolved.

The stabilization was done in bug 625290 by the way.

Gentoo Security Padawan
Kivak
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-30 18:34:48 UTC
(In reply to Aleksandr Wagner (Kivak) from comment #1)
> The most current version in the tree is 1.4.14 and only versions before
> 1.4.12 are vulnerable. Since nothing is left this bug is resolved.
> 
> The stabilization was done in bug 625290 by the way.
> 
> Gentoo Security Padawan
> Kivak

Thank you,

@Security please vote, and add cve to database.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 21:08:31 UTC
GLSA Vote: No