Bug 668436 (CVE-2018-12543) - <app-misc/mosquitto-1.5.3 - Denial of Service
Summary: <app-misc/mosquitto-1.5.3 - Denial of Service
Status: RESOLVED FIXED
Alias: CVE-2018-12543
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-7654
Reported: 2018-10-12 08:51 UTC by Manuel Rüger (RETIRED)
Modified: 2019-03-10 01:39 UTC

See Also:
Package list:
=app-misc/mosquitto-1.5.3
Runtime testing required: ---
stable-bot: sanity-check+
Description Manuel Rüger (RETIRED) gentoo-dev 2018-10-12 08:51:09 UTC
Security:
- Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that
  begins with $, but is not $SYS, then an assert that should be unreachable is
  triggered and Mosquitto will exit.

https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt
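The defensive pattern behind the fix, as an added example that is not Mosquitto's own code: MQTT reserves topic names beginning with `$` for the server, so a broker must treat any such name from a client as ordinary untrusted input and reject it with a non-fatal return code rather than letting an "unreachable" assert() take the whole process down. The enum names and the helper functions are assumptions for illustration, not Mosquitto's API.

```c
#include <stdbool.h>
#include <string.h>

/* Classification of a PUBLISH topic (hypothetical names, not Mosquitto's). */
enum topic_check {
    TOPIC_OK = 0,              /* ordinary application topic */
    TOPIC_SYS = 1,             /* "$SYS" or "$SYS/..." - broker statistics tree */
    TOPIC_REJECT_RESERVED = 2, /* any other "$..." name: reserved, refuse it */
    TOPIC_REJECT_EMPTY = 3,    /* empty topic name is not valid for PUBLISH */
    TOPIC_REJECT_WILDCARD = 4  /* '+' and '#' are only valid in subscriptions */
};

/* Validate a topic name received from a client. Every branch returns a code;
 * nothing here asserts, so a hostile or malformed topic can never abort the
 * broker the way the CVE-2018-12543 assert did. */
enum topic_check check_publish_topic(const char *topic)
{
    if (topic == NULL || topic[0] == '\0')
        return TOPIC_REJECT_EMPTY;
    if (strchr(topic, '+') != NULL || strchr(topic, '#') != NULL)
        return TOPIC_REJECT_WILDCARD;
    if (topic[0] != '$')
        return TOPIC_OK;
    /* "$SYS" must be the complete first topic level: "$SYS" or "$SYS/...".
     * A prefix match alone would wrongly treat "$SYSTEM/x" as the $SYS tree. */
    if (strncmp(topic, "$SYS", 4) == 0 && (topic[4] == '\0' || topic[4] == '/'))
        return TOPIC_SYS;
    /* This is the "$ but not $SYS" case from the advisory: handled, not asserted. */
    return TOPIC_REJECT_RESERVED;
}

/* True when the broker may route the PUBLISH on to matching subscribers;
 * false means "send the client an error / drop the message and carry on". */
bool publish_topic_allowed(const char *topic)
{
    enum topic_check r = check_publish_topic(topic);
    return r == TOPIC_OK || r == TOPIC_SYS;
}
```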
Comment 1 Virgil Dupras (RETIRED) gentoo-dev 2018-10-23 20:23:14 UTC
Lucas: this is a security bug, we're expected to bump in a timely manner. Do you still wish to proxy-maintain this package?
Comment 2 Rage <oxr463> 2018-10-25 01:01:44 UTC
(In reply to Virgil Dupras from comment #1)
> Lucas: this is a security bug, we're expected to bump in a timely manner. Do
> you still wish to proxy-maintain this package?

Considering that it took roughly 5 months for 656572 to be closed, what would you consider "in a timely manner"? :D

Apparently, proxy-maintainers can only send patches via the mailing list or via github now, so I opened a pull request on there,

https://github.com/gentoo/gentoo/pull/10221
Comment 3 Larry the Git Cow gentoo-dev 2018-10-26 00:35:08 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afdf30764f85a99b4de9eaa6fb72bc473350dbd9

commit afdf30764f85a99b4de9eaa6fb72bc473350dbd9
Author:     Lucas Ramage <ramage.lucas@protonmail.com>
AuthorDate: 2018-10-25 00:57:11 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-26 00:34:41 +0000

    app-misc/mosquitto: bump to version 1.5.3
    
    Closes: https://bugs.gentoo.org/668436
    Signed-off-by: Lucas Ramage <ramage.lucas@protonmail.com>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11
    Closes: https://github.com/gentoo/gentoo/pull/10221
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 app-misc/mosquitto/Manifest               |   1 +
 app-misc/mosquitto/mosquitto-1.5.3.ebuild | 101 ++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Comment 4 Virgil Dupras (RETIRED) gentoo-dev 2018-10-26 00:42:25 UTC
Oops, I forgot to fix the git commit's comment which had the "Closes:" tag. Re-opening ticket.

Lucas: We're not supposed to close security tickets ourselves. Members of the security team take care of their bugs' workflow.

I tried to see through CVE info which versions are vulnerable so that we can see whether a stablereq is required, but the link to the CVE provided at https://mosquitto.org/blog/2018/09/security-advisory-cve-2018-12543/ points to an empty page. So, hum, since this bug hasn't been classified by the security team yet, I'll just wait.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-12-04 21:34:24 UTC
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2018-12-05 09:38:38 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:42:41 UTC
x86 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-07 12:48:41 UTC
arm stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 01:39:55 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].