| Summary: | <app-misc/mosquitto-1.4.14 potential information local leakage via persistence file | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Manuel Rüger (RETIRED) <mrueg> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | neil, proxy-maint |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B4 [noglsa cve] | ||
| Package list: |
=app-misc/mosquitto-1.4.14
=net-libs/libwebsockets-2.1.1
=net-libs/libhubbub-0.3.3
=dev-libs/libparserutils-0.2.3
|
Runtime testing required: | No |
Bumped it myself: commit 2e2f8a2964df8be140e80249385aeed626c1de1b (HEAD -> master, origin/master, origin/HEAD) Author: Manuel Rüger <mrueg@gentoo.org> Date: Thu Jul 20 16:30:17 2017 +0200 app-misc/mosquitto: Version bump to 1.4.14 Gentoo-Bug: 625290 Package-Manager: Portage-2.3.6, Repoman-2.3.3 @arches, please stabilize. An automated check of this bug failed - repoman reported dependency errors (19 lines truncated):
> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libwebsockets']
> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/libwebsockets']
> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['net-libs/libwebsockets']
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated):
> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libhubbub']
> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libhubbub']
> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/libhubbub']
An automated check of this bug failed - repoman reported dependency errors (21 lines truncated):
> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
amd64/x86 stable. Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f6f600d1d7518682040ed9df870c3cc15435b74 GLSA Vote: No |
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. In 1.4.13: Fix CVE-2017-9868. The persistence file was readable by all local users, potentially allowing sensitive information to be leaked. This can also be fixed administratively, by restricting access to the directory in which the persistence file is stored.