Bug 620144 (CVE-2017-7650) - <app-misc/mosquitto-1.4.12: Pattern based ACLs can be bypassed
Summary: <app-misc/mosquitto-1.4.12: Pattern based ACLs can be bypassed
Status: RESOLVED FIXED
Alias: CVE-2017-7650
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
Reported: 2017-05-29 14:58 UTC by Agostino Sarubbo
Modified: 2017-10-08 21:08 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-05-29 14:58:54 UTC
From ${URL} :

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11.

Pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to.
The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

External References:
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
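The mechanism the advisory describes, as an added example that is not Mosquitto's code or part of this bug report: a simplified model of pattern ACL expansion (%u/%c substitution followed by MQTT filter matching) showing why a wildcard identity is granted access, beside the identity check that denies it. The ACL line, usernames, client ids and topics are constructed; the matcher is a simplified MQTT filter matcher, not the upstream implementation.

```python
# Added example (not Mosquitto's code): models the pattern-ACL bypass described
# above and the identity check that closes it. Pattern syntax follows Mosquitto's
# acl_file: %u is replaced by the username, %c by the client id, and the result
# is matched against the topic as an MQTT subscription filter.


def topic_matches_sub(sub: str, topic: str) -> bool:
    """Simplified MQTT filter matching: '+' matches exactly one level,
    '#' matches the remainder of the topic."""
    s_levels = sub.split("/")
    t_levels = topic.split("/")
    for i, s in enumerate(s_levels):
        if s == "#":
            return True
        if i >= len(t_levels) or (s != "+" and s != t_levels[i]):
            return False
    return len(s_levels) == len(t_levels)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Substitute the connecting client's identity into a pattern ACL line."""
    return pattern.replace("%u", username).replace("%c", client_id)


def acl_allows_vulnerable(pattern: str, username: str, client_id: str, topic: str) -> bool:
    """Pre-1.4.12 behaviour (simplified): substitute, then wildcard-match.
    A username or client id of '#' or '+' becomes a wildcard in the filter."""
    return topic_matches_sub(expand_pattern(pattern, username, client_id), topic)


def identity_has_wildcard(username: str, client_id: str) -> bool:
    """True when either identity string carries an MQTT wildcard character."""
    return any(ch in username or ch in client_id for ch in "+#")


def acl_allows_fixed(pattern: str, username: str, client_id: str, topic: str) -> bool:
    """Hardened check: deny before substitution when the identity would introduce
    a wildcard. This is an assumed model of the fix, not a copy of the upstream change."""
    if identity_has_wildcard(username, client_id):
        return False
    return acl_allows_vulnerable(pattern, username, client_id, topic)


if __name__ == "__main__":
    acl = "sensors/%u/#"  # constructed ACL line: each user gets its own subtree
    print(acl_allows_vulnerable(acl, "alice", "c1", "sensors/alice/temp"))  # True
    print(acl_allows_vulnerable(acl, "alice", "c1", "sensors/bob/temp"))    # False
    print(acl_allows_vulnerable(acl, "+", "c1", "sensors/bob/temp"))        # True: bypass
    print(acl_allows_fixed(acl, "+", "c1", "sensors/bob/temp"))             # False: denied
```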
Comment 1 Aleksandr Wagner (Kivak) 2017-09-30 16:39:32 UTC
The most current version in the tree is 1.4.14 and only versions before 1.4.12 are vulnerable. Since nothing is left this bug is resolved.

The stabilization was done in bug 625290 by the way.

Gentoo Security Padawan
Kivak
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-30 18:34:48 UTC
(In reply to Aleksandr Wagner (Kivak) from comment #1)
> The most current version in the tree is 1.4.14 and only versions before
> 1.4.12 are vulnerable. Since nothing is left this bug is resolved.
> 
> The stabilization was done in bug 625290 by the way.
> 
> Gentoo Security Padawan
> Kivak

Thank you,

@Security please vote, and add cve to database.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 21:08:31 UTC
GLSA Vote: No