Accepting request 732372 from home:mnhauke

Update to version 1.6.5 to fix CVE-2019-11778 and CVE-2019-11779 OBS-URL: https://build.opensuse.org/request/show/732372 OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=26
2019-09-21 15:25:51 +00:00 · 2019-09-21 15:25:51 +00:00 · 5cebd3bf3d
commit 5cebd3bf3d
parent 5240810516
7 changed files with 167 additions and 20 deletions
--- a/mosquitto-1.6.0.tar.gz
+++ b/mosquitto-1.6.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bd730d461f5f0adf6740abf2424c76c6d1263db0011fbb073c7a5c7eb8cc188b
-size 574988
--- a/mosquitto-1.6.0.tar.gz.sig
+++ b/mosquitto-1.6.0.tar.gz.sig
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAly3oxAACgkQd5si37Pn
-F7dGzA//ThvivZjtpBY4Jjw3qgixn5RCEQgHt+rnLrqKIJadwfWLSfyycLs+UL2k
-+Jou9LqZ1J3Ix9CBFmjNmKN9pxBxjp2FKVEF0TcB2VEta1GzeXY7zbPgjXKLa9qO
-LTmvGBqDVBtLoNLYVhdPhfa4f39UNmksBDRlb4DkCS1MY0zSVIfT7zS+7aYdlenr
-3Heu/qu4xHvrcswBn23PJD/lxZ93+/QwvzHuydDjUV33vUR3gzgvmYaw1QR9Sy5N
-SmFlKLHNKJJ/jFEY2VGjHQnCiehmngxcdAiA5NXCMexd9Kh9yFPhGNsq+2cFZZzT
-47/as/vsi3TJwBTj+B4p1qgZKtZfnvtFS9D6Uc7WCAETSjyzjYbWhpDd5PxVqtRZ
-hDUOKdxSinGqPYLT0ExlP0sDBu55+xtnDSAeyqiyhug831t2yGTT64qX7p46RSCw
-M0sGw0/puPq4QRTKgM9BM/cJLGBNc3cppUHKTk+f4O16Nn+a//R2KfmfwVdF8v5B
-YeeJbISb4LKo+836bwbzbwKRYzoX7h7sNPqtZX+OXixhQLgvGjkrfprfhEQZnKyN
-Ncpp2qTuyUgCXA14ToQDK8f9h0JBCEP4Tc1a1+UDUtrQdG+wqII3g+pFquQ+STS+
-vqBMGVQOGNwtoDfTs1jxDe3Z2FuHnkYQyAff+jqnEMIAZQXM4sQ=
-=geEj
-----END PGP SIGNATURE-----
--- a/mosquitto-1.6.5.tar.gz
+++ b/mosquitto-1.6.5.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc71b38b5a26fc7cc772853e5607c657868db9f9a6d2b15e2b677649a0f85d20
+size 588828
--- a/mosquitto-1.6.5.tar.gz.sig
+++ b/mosquitto-1.6.5.tar.gz.sig
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAl16cSgACgkQd5si37Pn
+F7fujBAAgMom6g6xgg0BZJ7BVDIc/bo32ttDH2WFLng+MBgn7n7fTZI3nYaW5k9l
+z0vIjTOvgsECFWHuCnu3XkNtce8wbD9V8kcX10Wns0GYxGsci1Rk2AqB/jpdixWV
+hp/+yGNSuTxyLfju3SRK3RFGM+lTPIm0qjJA1QrIjoChoQUCXyvG/+j0IlcjPD8U
+Crg0QcfvPPt8g3K450b4qdsWxrrL3c7VcwY3dbRN9UCR2w4/p94e6VniYQz0FTtw
+4R9M4OxMBN9m+XobW5ANJiWwfQExr090OODsdAkdBbI6tjoMkO3FmlVaF9fcBOMF
+Drk7E376OJ9xH+QQxWjKcF5KhK+LXtsVIB4yp4SDPVLFcQnNFoeXFr5nvhKEDyQ3
+I0W27qn7uk2OtQDzcv7UPD2uKtgZD2dvqAPx8gy9VaeGq2IX5Ujk7cv/Une+aJkl
+ZAb2Z7d3bCVsHoYC6+rAlOf/twVHKSG+mqqiuL62oOvSuYJNROVBgRM6Vdy+/+/u
+u4zNyfatl6/TJZVudU3Lb0Ai6kb+inJsEpSAZxGpSYH7Ez6DTCpEWRj4Ry6lZbEt
+AoyL97UdPYsJCzCy8hFyvN8aoa1dA5xzjjiOBHi/MkG/6y9TAn5s5n9Z5tdoIjeF
+x7PFQWIZVF6X+Doja4osSsyeyMHBio9us+NlDs96IL79lriVTpo=
+=wVLu
+-----END PGP SIGNATURE-----
--- a/mosquitto-fix-pkgconf-path.patch
+++ b/mosquitto-fix-pkgconf-path.patch
@ -0,0 +1,16 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 7fc2595..d5b90b8 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -111,9 +111,9 @@ install(FILES mosquitto.conf aclfile.example pskfile.example pwfile.example DEST
+ # ========================================
+ 
+ configure_file(libmosquitto.pc.in libmosquitto.pc @ONLY)
+-install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquitto.pc" DESTINATION "${CMAKE_INSTALL_PREFIX}/share/pkgconfig")
+install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquitto.pc" DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
+ configure_file(libmosquittopp.pc.in libmosquittopp.pc @ONLY)
+-install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquittopp.pc" DESTINATION "${CMAKE_INSTALL_PREFIX}/share/pkgconfig")
+install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquittopp.pc" DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
+ 
+ # ========================================
+ # Testing
--- a/mosquitto.changes
+++ b/mosquitto.changes
@ -1,3 +1,131 @@
+-------------------------------------------------------------------
+Sat Sep 21 14:38:08 UTC 2019 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.6.5
+  Fix CVE-2019-11779:
+  * In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT
+    client sends a SUBSCRIBE packet containing a topic that consists
+    of approximately 65400 or more '/' characters, i.e. the topic
+    hierarchy separator, then a stack overflow will occur.
+  Broker:
+  * Fix v5 DISCONNECT packets with remaining length == 2 being
+    treated as a protocol error.
+  * Fix support for libwebsockets 3.x.
+  * Fix slow websockets performance when sending large messages.
+  * Fix clients authorised using `use_identity_as_username` or
+    `use_subject_as_username` being disconnected on SIGHUP.
+  * Improve error messages in some situations when clients disconnect.
+    Reduces the number of "Socket error on client X, disconnecting"
+    messages.
+  * Fix Will for v5 clients not being sent if will delay interval was
+    greater than the session expiry interval.
+  * Fix CRL file not being reloaded on HUP.
+  Client library:
+  * Fix reconnect backoff for the situation where connections are
+    dropped rather than refused.
+  * Fix missing locks on `mosq->state`.
+
+- Update to version 1.6.4
+  Fix CVE-2019-11778:
+  * If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0
+    to 1.6.4 inclusive, sets a last will and testament, sets a will
+    delay interval, sets a session expiry interval, and the will delay
+    interval is set longer than the session expiry interval, then a
+    use after free error occurs, which has the potential to cause a
+    crash in some situations.
+  Broker:
+  * Fix incoming QoS 2 messages being blocked when
+    `max_inflight_messages` was set to 1.
+  * Fix incoming messages not being removed for a client if the topic
+    being published to does not have any subscribers.
+  Client library:
+  * Fix MQTT v5 subscription options being incorrectly set for
+    MQTT v3 subscriptions.
+  * Make behaviour of `mosquitto_connect_async()` consistent with
+    `mosquitto_connect()` when connecting to a non-existent server.
+  * `mosquitto_string_option(mosq, MOSQ_OPT_TLS_KEYFORM, ...)` was
+    incorrectly returning `MOSQ_ERR_INVAL` with valid input. This has
+    been fixed.
+  * on_connect callback is now called with the correct v5 reason code
+    if a v5 client connects to a v3.x broker and is sent a CONNACK with
+    the "unacceptable protocol version" connack reason code.
+  * Fix memory leak when setting v5 properties in mosquitto_connect_v5().
+  * Fix properties not being sent on QoS>0 PUBLISH messages.
+  Clients:
+  * mosquitto_pub: fix error codes not being returned when
+    mosquitto_pub exits.
+  * All clients: improve error messages when connecting to a v3.x broker
+    when in v5 mode.
+  Other:
+  - Various documentation fixes.
+
+- Update to version 1.6.3
+  Broker:
+  * Fix detection of incoming v3.1/v3.1.1 bridges.
+  * Fix default max_topic_alias listener config not being copied to
+    the in-use listener when compiled without TLS support.
+  * Fix random number generation if compiling using `WITH_TLS=no` and
+    on Linux with glibc >= 2.25. Without this fix, no random numbers
+    would be generated for e.g. on broker client id generation, and so
+    clients connecting expecting this feature would be unable to connect.
+  * Fix compilation problem related to `getrandom()` on non-glibc systems.
+  * Fix Will message for a persistent client incorrectly being sent when the
+    client reconnects after a clean disconnect.
+  - Fix Will message for a persistent client not being sent on disconnect.
+  * Improve documentation around the upgrading of persistence files.
+  * Add 'extern "C"' on mosquitto_broker.h and mosquitto_plugin.h for
+    C++ plugin writing.
+  * Fix persistent Websockets clients not receiving messages after they
+    reconnect, having sent DISCONNECT on a previous session
+  * Disable TLS renegotiation. Client initiated renegotiation is considered to
+    be a potential attack vector against servers.
+  * Fix incorrect shared subscription topic '$shared'.
+  * Fix zero length client ids being rejected for MQTT v5 clients with clean
+    start set to true.
+  * Fix MQTT v5 overlapping subscription behaviour. Clients now receive message
+    from all matching subscriptions rather than the first one encountered, which
+    ensures the maximum QoS requirement is met.
+  * Fix incoming/outgoing quota problems for QoS>0.
+  * Remove obsolete `store_clean_interval` from documentation.
+  * Fix v4 authentication plugin never calling psk_key_get.
+  Clients:
+  * Fix -L url parsing when `/topic` part is missing.
+  * Stop some error messages being printed even when `--quiet` was used.
+  * Fix mosquitto_pub exiting with error code 0 when an error occurred.
+  * Fix mosquitto_pub not using the `-c` option.
+  * Fix MQTT v5 clients not being able to specify a password without a
+    username.
+  * Fix `mosquitto_pub -l` not handling network failures.
+  * Fix `mosquitto_pub -l` not handling zero length input.
+  * Fix double free on exit in mosquitto_pub.
+
+- Update to version 1.6.2
+  Broker:
+  * Fix memory access after free, leading to possible crash, when v5
+    client with Will message disconnects, where the Will message has
+    as its first property one of `content-type`, `correlation-data`,
+    `payload-format-indicator`, or `response-topic`.
+  * Fix Will message not allowing user-property properties.
+  * Fix broker originated messages (e.g. $SYS/broker/version) not being
+    published when `check_retain_source` set to true.
+  * Fix $SYS/broker/version being incorrectly expired after 60 seconds.
+  Library:
+  * Fix crash after client has been unable to connect to a broker. This
+    occurs when the client is exiting and is part of the final library
+    cleanup routine.
+  Clients:
+  - Fix -L url parsing.
+
+- Update to version 1.6.1
+  Broker:
+  * Document `memory_limit` option.
+  Clients:
+  * Fix compilation on non glibc systems due to missing sys/time.h
+    header.
+
+- Add patch:
+  * mosquitto-fix-pkgconf-path.patch
+
 -------------------------------------------------------------------
 Thu Jul 11 05:41:41 UTC 2019 - Antoine Belvire <antoine.belvire@opensuse.org>

--- a/mosquitto.spec
+++ b/mosquitto.spec
@ -26,7 +26,7 @@
 %endif
 %bcond_without  websockets
 Name:           mosquitto
-Version:        1.6.0
+Version:        1.6.5
 Release:        0
 Summary:        A MQTT v3.1/v3.1.1 Broker
 License:        EPL-1.0
@ -40,6 +40,7 @@ Source4:        README-conf-d
 Source5:        README-ca_certificates
 Source6:        README-certs
 Patch0:         mosquitto-1.4.1_apparmor.patch
+Patch1:         mosquitto-fix-pkgconf-path.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  libcares-devel
@ -121,10 +122,12 @@ Client for Mosquitto.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 find misc -type f -exec chmod a-x "{}" "+"

 %build
 %cmake \
+  -DCMAKE_INSTALL_SYSCONFDIR=/etc \
  %if %{with websockets}
  -DWITH_WEBSOCKETS=ON \
  %endif