Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 625290 (CVE-2017-9868)

Summary: <app-misc/mosquitto-1.4.14 potential information local leakage via persistence file
Product: Gentoo Security Reporter: Manuel Rüger (RETIRED) <mrueg>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: neil, proxy-maint
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa cve]
Package list:
=app-misc/mosquitto-1.4.14 =net-libs/libwebsockets-2.1.1 =net-libs/libhubbub-0.3.3 =dev-libs/libparserutils-0.2.3
Runtime testing required: No

Description Manuel Rüger (RETIRED) gentoo-dev 2017-07-16 10:16:50 UTC
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. 

In 1.4.13:
    Fix CVE-2017-9868. The persistence file was readable by all local users,
    potentially allowing sensitive information to be leaked.
    This can also be fixed administratively, by restricting access to the
    directory in which the persistence file is stored.
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2017-07-20 14:31:30 UTC
Bumped it myself:

commit 2e2f8a2964df8be140e80249385aeed626c1de1b (HEAD -> master, origin/master, origin/HEAD)
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Thu Jul 20 16:30:17 2017 +0200

    app-misc/mosquitto: Version bump to 1.4.14
    
    Gentoo-Bug: 625290
    Package-Manager: Portage-2.3.6, Repoman-2.3.3
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-27 16:00:05 UTC
@arches, please stabilize.
Comment 3 Stabilization helper bot gentoo-dev 2017-07-27 16:00:44 UTC
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libwebsockets']
> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/libwebsockets']
> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['net-libs/libwebsockets']
Comment 4 Stabilization helper bot gentoo-dev 2017-07-29 23:01:09 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libhubbub']
> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libhubbub']
> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/libhubbub']
Comment 5 Stabilization helper bot gentoo-dev 2017-08-17 01:00:56 UTC
An automated check of this bug failed - repoman reported dependency errors (21 lines truncated): 

> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-02 18:04:50 UTC
amd64/x86 stable.

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f6f600d1d7518682040ed9df870c3cc15435b74


GLSA Vote: No