Bug 625290 (CVE-2017-9868) - <app-misc/mosquitto-1.4.14: potential local information leakage via persistence file
Status: RESOLVED FIXED
Alias: CVE-2017-9868
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-16 10:16 UTC by Manuel Rüger (RETIRED)
Modified: 2017-09-02 18:04 UTC
CC List: 2 users

See Also:
Package list:
=app-misc/mosquitto-1.4.14 =net-libs/libwebsockets-2.1.1 =net-libs/libhubbub-0.3.3 =dev-libs/libparserutils-0.2.3
Runtime testing required: No
stable-bot: sanity-check+


Description Manuel Rüger (RETIRED) gentoo-dev 2017-07-16 10:16:50 UTC
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. 

In 1.4.13:
    Fix CVE-2017-9868. The persistence file was readable by all local users,
    potentially allowing sensitive information to be leaked.
    This can also be fixed administratively, by restricting access to the
    directory in which the persistence file is stored.
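The administrative fix quoted in the changelog above (restrict access to the directory holding the persistence file), as an added example; this is not code from this bug report or from Mosquitto. It checks whether a path grants any permission to "other" users, then applies owner-only modes to the directory and the .db file. The directory layout, the file name and the 0644 starting mode are constructed in a temporary directory for the demonstration, and `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example, not code from this bug report or from Mosquitto.
# Implements the administrative fix quoted in the changelog: make the
# persistence directory and file reachable only by the broker's user.
# All paths are constructed in a temp dir; "stat -c" is GNU coreutils.

# Succeed (return 0) when the path's "other" permission bits are non-zero,
# i.e. any local user could read, write or traverse it.
is_world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    other=$(printf '%s' "$mode" | tail -c 1)   # last octal digit = "other"
    [ "$other" != "0" ]
}

# Mitigation from the changelog: owner-only directory (0700) so no other
# user can even open the persistence file, plus 0600 on the .db itself.
harden_persistence_dir() {
    dir=$1
    chmod 0700 "$dir" || return 1
    for f in "$dir"/*.db; do
        [ -e "$f" ] && chmod 0600 "$f"
    done
    return 0
}

# Demo: reproduce the exposed layout (a file created under a 022 umask
# ends up 0644, readable by every local user) and then harden it.
# Prints: "<file mode before> <leak before> <file mode after> <leak after> <dir mode after>"
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/mosquitto"               # hypothetical persistence_location
    umask 022
    : > "$tmp/mosquitto/mosquitto.db"    # constructed stand-in for the real file
    before=$(stat -c '%a' "$tmp/mosquitto/mosquitto.db")
    if is_world_accessible "$tmp/mosquitto/mosquitto.db"; then leak1=yes; else leak1=no; fi
    harden_persistence_dir "$tmp/mosquitto"
    after=$(stat -c '%a' "$tmp/mosquitto/mosquitto.db")
    if is_world_accessible "$tmp/mosquitto"; then leak2=yes; else leak2=no; fi
    dirmode=$(stat -c '%a' "$tmp/mosquitto")
    rm -rf "$tmp"
    printf '%s %s %s %s %s\n' "$before" "$leak1" "$after" "$leak2" "$dirmode"
}

demo
```

Locking the directory to 0700 is what makes the mitigation robust: even if the broker later recreates mosquitto.db with a permissive mode, other local users cannot traverse the directory to open it. Run the check against the real persistence_location from mosquitto.conf on a broker older than 1.4.13.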
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2017-07-20 14:31:30 UTC
Bumped it myself:

commit 2e2f8a2964df8be140e80249385aeed626c1de1b (HEAD -> master, origin/master, origin/HEAD)
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Thu Jul 20 16:30:17 2017 +0200

    app-misc/mosquitto: Version bump to 1.4.14
    
    Gentoo-Bug: 625290
    Package-Manager: Portage-2.3.6, Repoman-2.3.3
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-27 16:00:05 UTC
@arches, please stabilize.
Comment 3 Stabilization helper bot gentoo-dev 2017-07-27 16:00:44 UTC
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libwebsockets']
> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/libwebsockets']
> dependency.bad app-misc/mosquitto/mosquitto-1.4.14.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['net-libs/libwebsockets']
Comment 4 Stabilization helper bot gentoo-dev 2017-07-29 23:01:09 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libhubbub']
> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/libhubbub']
> dependency.bad net-libs/libwebsockets/libwebsockets-2.1.1.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/libhubbub']
Comment 5 Stabilization helper bot gentoo-dev 2017-08-17 01:00:56 UTC
An automated check of this bug failed - repoman reported dependency errors (21 lines truncated): 

> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad net-libs/libhubbub/libhubbub-0.3.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-libs/libparserutils-0.2.1-r1[static-libs?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-02 18:04:50 UTC
amd64/x86 stable.

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f6f600d1d7518682040ed9df870c3cc15435b74


GLSA Vote: No