Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 677638 (CVE-2018-12546, CVE-2018-12550, CVE-2018-12551) - <app-misc/mosquitto-1.5.6: Multiple vulnerabilities
Summary: <app-misc/mosquitto-1.5.6: Multiple vulnerabilities
Alias: CVE-2018-12546, CVE-2018-12550, CVE-2018-12551
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: C3 [noglsa cve]
Depends on:
Reported: 2019-02-10 11:23 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2019-03-20 13:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: No
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-02-10 11:23:57 UTC
1.5.6 - 20190206


CVE-2018-12551: If Mosquitto is configured to use a password file for
authentication, any malformed data in the password file will be
treated as valid. This typically means that the malformed data becomes
a username and no password. If this occurs, clients can circumvent
authentication and get access to the broker by using the malformed
username. In particular, a blank line will be treated as a valid empty
username. Other security measures are unaffected. Users who have only
used the mosquitto_passwd utility to create and modify their password
files are unaffected by this vulnerability.

CVE-2018-12550: If an ACL file is empty, or has only blank lines or
comments, then mosquitto treats the ACL file as not being defined,
which means that no topic access is denied. Although denying access to
all topics is not a useful configuration, this behaviour is unexpected
and could lead to access being incorrectly granted in some

CVE-2018-12546. If a client publishes a retained message to a topic
that they have access to, and then their access to that topic is
revoked, the retained message will still be delivered to future
subscribers. This behaviour may be undesirable in some applications,
so a configuration option `check_retain_source` has been introduced to
enforce checking of the retained message source on publish.
Comment 1 Larry the Git Cow gentoo-dev 2019-02-16 22:30:06 UTC
The bug has been referenced in the following commit(s):

commit 65f830a1752ce2004a7a9342964f3894a0d5f047
Author:     Lucas Ramage <>
AuthorDate: 2019-02-15 23:05:10 +0000
Commit:     Patrice Clement <>
CommitDate: 2019-02-16 22:29:14 +0000

    app-misc/mosquitto: bump to version 1.5.6.
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Lucas Ramage <>
    Signed-off-by: Patrice Clement <>

 app-misc/mosquitto/Manifest               |   1 +
 app-misc/mosquitto/mosquitto-1.5.6.ebuild | 101 ++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 01:56:11 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Rage <oxr463> 2019-03-10 22:25:08 UTC
(In reply to Yury German from comment #2)
> Maintainer(s), please advise if you are ready for stabilization or call for
> stabilization yourself.

@arches, please stabilize. Thank you!
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 22:31:10 UTC
Arches, please test and mark stable:


Target Keywords : "amd64 arm x86"

Thank you!

Note: Rage, for the future it goes something like this for stabilization, if you do not have the rights to the other stuff, at least give us the info above, so we do not have to hunt for it.
Comment 5 Agostino Sarubbo gentoo-dev 2019-03-14 21:14:53 UTC
amd64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-16 13:59:26 UTC
arm stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-19 02:05:47 UTC
x86 stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-03-20 13:44:31 UTC
tree is clean