Bug 668436 (CVE-2018-12543) - <app-misc/mosquitto-1.5.3 - Denial of Service
Summary: <app-misc/mosquitto-1.5.3 - Denial of Service
Alias: CVE-2018-12543
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Blocks: CVE-2017-7654
Reported: 2018-10-12 08:51 UTC by Manuel Rüger (RETIRED)
Modified: 2019-03-10 01:39 UTC (History)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Description Manuel Rüger (RETIRED) gentoo-dev 2018-10-12 08:51:09 UTC
- Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and Mosquitto will exit.
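The description above boils down to a broker treating a client-supplied topic as an internal invariant: an unexpected `$`-prefixed topic reached an `assert()` and took the process down. The defensive pattern is to validate the topic as untrusted input before routing and to reject it with an error code. The following is an added example written for this bug entry; it is not Mosquitto's code and does not reproduce the 1.5.3 fix. The function names (`check_publish_topic`, `handle_publish`) are this example's own, and the policy that only `$SYS` and `$SYS/...` are recognised reserved topics is an assumption taken from the description, not from the MQTT specification.

```c
/* Added example, not Mosquitto's code: validate a PUBLISH topic on the broker
 * side so that reserved "$" topics the broker does not implement are refused
 * with an error instead of reaching an "unreachable" assert. */
#include <stdio.h>
#include <string.h>

enum topic_status {
    TOPIC_OK = 0,
    TOPIC_EMPTY,     /* NULL or zero-length topic */
    TOPIC_WILDCARD,  /* '+' or '#' in a PUBLISH topic (MQTT 3.1.1 forbids this) */
    TOPIC_RESERVED   /* begins with '$' but is not a $SYS topic (assumed policy) */
};

static const char *topic_status_name(enum topic_status st)
{
    switch (st) {
    case TOPIC_OK:       return "ok";
    case TOPIC_EMPTY:    return "empty topic";
    case TOPIC_WILDCARD: return "wildcard in publish topic";
    case TOPIC_RESERVED: return "unknown reserved ($) topic";
    }
    return "unknown status";
}

/* Returns TOPIC_OK only for topics a client may publish to.
 * Hypothetical policy: "$SYS" and "$SYS/..." are the only reserved topics this
 * broker knows about; any other topic starting with '$' is rejected rather
 * than passed on to code that assumes it can never occur. */
enum topic_status check_publish_topic(const char *topic)
{
    if (topic == NULL || topic[0] == '\0')
        return TOPIC_EMPTY;
    if (strpbrk(topic, "+#") != NULL)
        return TOPIC_WILDCARD;
    if (topic[0] == '$') {
        if (strcmp(topic, "$SYS") == 0 || strncmp(topic, "$SYS/", 5) == 0)
            return TOPIC_OK;
        return TOPIC_RESERVED;
    }
    return TOPIC_OK;
}

/* Broker-side handler sketch (hypothetical): validate first, then route.
 * A bad topic is an input error from one client, so it is logged and the
 * message dropped (return -1, caller may disconnect that client); the broker
 * process itself keeps serving everyone else. */
int handle_publish(const char *client_id, const char *topic, const char *payload)
{
    enum topic_status st = check_publish_topic(topic);
    if (st != TOPIC_OK) {
        fprintf(stderr, "client %s: rejected PUBLISH to '%s' (%s)\n",
                client_id, topic ? topic : "(null)", topic_status_name(st));
        return -1;
    }
    /* route_message(topic, payload) would go here in a real broker */
    (void)payload;
    return 0;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    handle_publish("c1", "sensors/room1/temp", "21.5");   /* accepted */
    handle_publish("c2", "$SYS/broker/uptime", "42");     /* accepted (assumed policy) */
    handle_publish("c3", "$unknown/thing", "x");          /* rejected, no assert */
    handle_publish("c4", "sensors/+/temp", "x");          /* rejected: wildcard */
    return 0;
}
```

The point of the split between `check_publish_topic` and `handle_publish` is that every assumption the routing code later relies on ("topics starting with `$` are `$SYS`") is enforced at the trust boundary, so an `assert()` deeper in the code base really is unreachable from network input.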
Comment 1 Virgil Dupras (RETIRED) gentoo-dev 2018-10-23 20:23:14 UTC
Lucas: this is a security bug, we're expected to bump in a timely manner. Do you still wish to proxy-maintain this package?
Comment 2 Rage <oxr463> 2018-10-25 01:01:44 UTC
(In reply to Virgil Dupras from comment #1)
> Lucas: this is a security bug, we're expected to bump in a timely manner. Do
> you still wish to proxy-maintain this package?

Considering that it took roughly 5 months for 656572 to be closed, what would you consider "in a timely manner"? :D

Apparently, proxy-maintainers can only send patches via the mailing list or via github now, so I opened a pull request on there,
Comment 3 Larry the Git Cow gentoo-dev 2018-10-26 00:35:08 UTC
The bug has been closed via the following commit(s):

commit afdf30764f85a99b4de9eaa6fb72bc473350dbd9
Author:     Lucas Ramage <>
AuthorDate: 2018-10-25 00:57:11 +0000
Commit:     Virgil Dupras <>
CommitDate: 2018-10-26 00:34:41 +0000

    app-misc/mosquitto: bump to version 1.5.3
    Signed-off-by: Lucas Ramage <>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11
    Signed-off-by: Virgil Dupras <>

 app-misc/mosquitto/Manifest               |   1 +
 app-misc/mosquitto/mosquitto-1.5.3.ebuild | 101 ++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Comment 4 Virgil Dupras (RETIRED) gentoo-dev 2018-10-26 00:42:25 UTC
Oops, I forgot to fix the git commit's comment which had the "Closes:" tag. Re-opening ticket.

Lucas: We're not supposed to close security tickets ourselves. Members of the security team take care of their bugs' workflow.

I tried to see through CVE info which versions are vulnerable so that we can see whether a stablereq is required, but the link to the CVE provided at points to an empty page. So, hum, since this bug hasn't been classified by the security team yet, I'll just wait.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-12-04 21:34:24 UTC
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2018-12-05 09:38:38 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:42:41 UTC
x86 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-07 12:48:41 UTC
arm stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 01:39:55 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].