
Bug 668436 (CVE-2018-12543)

Summary: <app-misc/mosquitto-1.5.3 - Denial of Service
Product: Gentoo Security Reporter: Manuel Rüger (RETIRED) <mrueg>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: proxy-maint, ramage.lucas
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 664094    

Description Manuel Rüger (RETIRED) gentoo-dev 2018-10-12 08:51:09 UTC
- Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and Mosquitto will exit.
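The description above names the input class at issue: publish topics that start with `$` but are not the broker-reserved `$SYS` tree. The following is an added example (not Gentoo's or Mosquitto's code) of a defensive pre-filter a gateway in front of an unpatched broker could apply; the gateway, the `classify_topic`/`filter_publishes` names and the sample topics are assumptions constructed for illustration.

```python
"""Defensive pre-filter for MQTT PUBLISH topic names (added example).

Assumption: an MQTT gateway sits in front of a Mosquitto older than 1.5.3
and can drop or log client publishes before forwarding them. The filter
rejects topics that begin with '$' but are not under '$SYS', which is the
input class CVE-2018-12543 describes, and separately flags client
publishes into '$SYS' itself, which is broker-generated data.
"""

# Constructed sample of topics as a gateway might see them.
SAMPLE_TOPICS = [
    "sensors/room1/temp",
    "$SYS/broker/uptime",
    "$foo",
    "$SYSTEM/x",        # starts with "$SYS" as a string, but is not the $SYS tree
    "",
]


def classify_topic(topic: str) -> str:
    """Return 'ok', 'reserved-sys', or 'reject' for a PUBLISH topic name.

    'reject' covers empty topics, topics containing wildcards or NUL
    (invalid in a PUBLISH per the MQTT spec), and any '$'-prefixed topic
    outside the '$SYS' tree. 'reserved-sys' marks '$SYS' or '$SYS/...'.
    """
    if not topic or any(c in topic for c in "#+\x00"):
        return "reject"
    # Match the tree exactly: "$SYS" or "$SYS/<anything>", not "$SYSTEM/...".
    if topic == "$SYS" or topic.startswith("$SYS/"):
        return "reserved-sys"
    if topic.startswith("$"):
        return "reject"
    return "ok"


def filter_publishes(topics):
    """Split topics into (forward, dropped); dropped carries the verdict for logging."""
    forward, dropped = [], []
    for t in topics:
        verdict = classify_topic(t)
        if verdict == "ok":
            forward.append(t)
        else:
            dropped.append((t, verdict))
    return forward, dropped


if __name__ == "__main__":
    fw, dr = filter_publishes(SAMPLE_TOPICS)
    print("forward:", fw)
    print("dropped:", dr)
```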
Comment 1 Virgil Dupras (RETIRED) gentoo-dev 2018-10-23 20:23:14 UTC
Lucas: this is a security bug, we're expected to bump in a timely manner. Do you still wish to proxy-maintain this package?
Comment 2 Rage <oxr463> 2018-10-25 01:01:44 UTC
(In reply to Virgil Dupras from comment #1)
> Lucas: this is a security bug, we're expected to bump in a timely manner. Do
> you still wish to proxy-maintain this package?

Considering that it took roughly 5 months for 656572 to be closed, what would you consider "in a timely manner"? :D

Apparently, proxy-maintainers can only send patches via the mailing list or via github now, so I opened a pull request on there.
Comment 3 Larry the Git Cow gentoo-dev 2018-10-26 00:35:08 UTC
The bug has been closed via the following commit(s):

commit afdf30764f85a99b4de9eaa6fb72bc473350dbd9
Author:     Lucas Ramage <>
AuthorDate: 2018-10-25 00:57:11 +0000
Commit:     Virgil Dupras <>
CommitDate: 2018-10-26 00:34:41 +0000

    app-misc/mosquitto: bump to version 1.5.3
    Signed-off-by: Lucas Ramage <>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11
    Signed-off-by: Virgil Dupras <>

 app-misc/mosquitto/Manifest               |   1 +
 app-misc/mosquitto/mosquitto-1.5.3.ebuild | 101 ++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Comment 4 Virgil Dupras (RETIRED) gentoo-dev 2018-10-26 00:42:25 UTC
Oops, I forgot to fix the git commit's comment which had the "Closes:" tag. Re-opening ticket.

Lucas: We're not supposed to close security ticket ourselves. Members of the security team take care of their bugs' workflow.

I tried to see through CVE info which versions are vulnerable so that we can see whether a stablereq is required, but the link to the CVE provided at points to an empty page. So, hum, since this bug hasn't been classified by the security team yet, I'll just wait.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-12-04 21:34:24 UTC
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2018-12-05 09:38:38 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:42:41 UTC
x86 stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-12-07 12:48:41 UTC
arm stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 01:39:55 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].