From 5cebd3bf3dfd0c61915700448f3a1859b9d6e26e684bd8de8ce9954ab07fd355 Mon Sep 17 00:00:00 2001 From: Martin Hauke Date: Sat, 21 Sep 2019 15:25:51 +0000 Subject: [PATCH] Accepting request 732372 from home:mnhauke Update to version 1.6.5 to fix CVE-2019-11778 and CVE-2019-11779 OBS-URL: https://build.opensuse.org/request/show/732372 OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=26 --- mosquitto-1.6.0.tar.gz | 3 - mosquitto-1.6.0.tar.gz.sig | 16 ---- mosquitto-1.6.5.tar.gz | 3 + mosquitto-1.6.5.tar.gz.sig | 16 ++++ mosquitto-fix-pkgconf-path.patch | 16 ++++ mosquitto.changes | 128 +++++++++++++++++++++++++++++++ mosquitto.spec | 5 +- 7 files changed, 167 insertions(+), 20 deletions(-) delete mode 100644 mosquitto-1.6.0.tar.gz delete mode 100644 mosquitto-1.6.0.tar.gz.sig create mode 100644 mosquitto-1.6.5.tar.gz create mode 100644 mosquitto-1.6.5.tar.gz.sig create mode 100644 mosquitto-fix-pkgconf-path.patch diff --git a/mosquitto-1.6.0.tar.gz b/mosquitto-1.6.0.tar.gz deleted file mode 100644 index 6ae230c..0000000 --- a/mosquitto-1.6.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bd730d461f5f0adf6740abf2424c76c6d1263db0011fbb073c7a5c7eb8cc188b -size 574988 diff --git a/mosquitto-1.6.0.tar.gz.sig b/mosquitto-1.6.0.tar.gz.sig deleted file mode 100644 index 1f99d4f..0000000 --- a/mosquitto-1.6.0.tar.gz.sig +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAly3oxAACgkQd5si37Pn -F7dGzA//ThvivZjtpBY4Jjw3qgixn5RCEQgHt+rnLrqKIJadwfWLSfyycLs+UL2k -+Jou9LqZ1J3Ix9CBFmjNmKN9pxBxjp2FKVEF0TcB2VEta1GzeXY7zbPgjXKLa9qO -LTmvGBqDVBtLoNLYVhdPhfa4f39UNmksBDRlb4DkCS1MY0zSVIfT7zS+7aYdlenr -3Heu/qu4xHvrcswBn23PJD/lxZ93+/QwvzHuydDjUV33vUR3gzgvmYaw1QR9Sy5N -SmFlKLHNKJJ/jFEY2VGjHQnCiehmngxcdAiA5NXCMexd9Kh9yFPhGNsq+2cFZZzT -47/as/vsi3TJwBTj+B4p1qgZKtZfnvtFS9D6Uc7WCAETSjyzjYbWhpDd5PxVqtRZ -hDUOKdxSinGqPYLT0ExlP0sDBu55+xtnDSAeyqiyhug831t2yGTT64qX7p46RSCw -M0sGw0/puPq4QRTKgM9BM/cJLGBNc3cppUHKTk+f4O16Nn+a//R2KfmfwVdF8v5B -YeeJbISb4LKo+836bwbzbwKRYzoX7h7sNPqtZX+OXixhQLgvGjkrfprfhEQZnKyN -Ncpp2qTuyUgCXA14ToQDK8f9h0JBCEP4Tc1a1+UDUtrQdG+wqII3g+pFquQ+STS+ -vqBMGVQOGNwtoDfTs1jxDe3Z2FuHnkYQyAff+jqnEMIAZQXM4sQ= -=geEj ------END PGP SIGNATURE----- diff --git a/mosquitto-1.6.5.tar.gz b/mosquitto-1.6.5.tar.gz new file mode 100644 index 0000000..42e9fd6 --- /dev/null +++ b/mosquitto-1.6.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc71b38b5a26fc7cc772853e5607c657868db9f9a6d2b15e2b677649a0f85d20 +size 588828 diff --git a/mosquitto-1.6.5.tar.gz.sig b/mosquitto-1.6.5.tar.gz.sig new file mode 100644 index 0000000..4319e52 --- /dev/null +++ b/mosquitto-1.6.5.tar.gz.sig @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAl16cSgACgkQd5si37Pn +F7fujBAAgMom6g6xgg0BZJ7BVDIc/bo32ttDH2WFLng+MBgn7n7fTZI3nYaW5k9l +z0vIjTOvgsECFWHuCnu3XkNtce8wbD9V8kcX10Wns0GYxGsci1Rk2AqB/jpdixWV +hp/+yGNSuTxyLfju3SRK3RFGM+lTPIm0qjJA1QrIjoChoQUCXyvG/+j0IlcjPD8U +Crg0QcfvPPt8g3K450b4qdsWxrrL3c7VcwY3dbRN9UCR2w4/p94e6VniYQz0FTtw +4R9M4OxMBN9m+XobW5ANJiWwfQExr090OODsdAkdBbI6tjoMkO3FmlVaF9fcBOMF +Drk7E376OJ9xH+QQxWjKcF5KhK+LXtsVIB4yp4SDPVLFcQnNFoeXFr5nvhKEDyQ3 +I0W27qn7uk2OtQDzcv7UPD2uKtgZD2dvqAPx8gy9VaeGq2IX5Ujk7cv/Une+aJkl +ZAb2Z7d3bCVsHoYC6+rAlOf/twVHKSG+mqqiuL62oOvSuYJNROVBgRM6Vdy+/+/u +u4zNyfatl6/TJZVudU3Lb0Ai6kb+inJsEpSAZxGpSYH7Ez6DTCpEWRj4Ry6lZbEt +AoyL97UdPYsJCzCy8hFyvN8aoa1dA5xzjjiOBHi/MkG/6y9TAn5s5n9Z5tdoIjeF +x7PFQWIZVF6X+Doja4osSsyeyMHBio9us+NlDs96IL79lriVTpo= +=wVLu +-----END PGP SIGNATURE----- diff --git a/mosquitto-fix-pkgconf-path.patch b/mosquitto-fix-pkgconf-path.patch new file mode 100644 index 0000000..c9e1f89 --- /dev/null +++ b/mosquitto-fix-pkgconf-path.patch @@ -0,0 +1,16 @@ +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 7fc2595..d5b90b8 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -111,9 +111,9 @@ install(FILES mosquitto.conf aclfile.example pskfile.example pwfile.example DEST + # ======================================== + + configure_file(libmosquitto.pc.in libmosquitto.pc @ONLY) +-install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquitto.pc" DESTINATION "${CMAKE_INSTALL_PREFIX}/share/pkgconfig") ++install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquitto.pc" DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") + configure_file(libmosquittopp.pc.in libmosquittopp.pc @ONLY) +-install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquittopp.pc" DESTINATION "${CMAKE_INSTALL_PREFIX}/share/pkgconfig") ++install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libmosquittopp.pc" DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") + + # ======================================== + # Testing diff --git a/mosquitto.changes b/mosquitto.changes index 404d547..7e87583 100644 --- a/mosquitto.changes +++ b/mosquitto.changes @@ -1,3 +1,131 @@ +------------------------------------------------------------------- +Sat Sep 21 14:38:08 UTC 2019 - Martin Hauke + +- Update to version 1.6.5 + Fix CVE-2019-11779: + * In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT + client sends a SUBSCRIBE packet containing a topic that consists + of approximately 65400 or more '/' characters, i.e. the topic + hierarchy separator, then a stack overflow will occur. + Broker: + * Fix v5 DISCONNECT packets with remaining length == 2 being + treated as a protocol error. + * Fix support for libwebsockets 3.x. + * Fix slow websockets performance when sending large messages. + * Fix clients authorised using `use_identity_as_username` or + `use_subject_as_username` being disconnected on SIGHUP. + * Improve error messages in some situations when clients disconnect. + Reduces the number of "Socket error on client X, disconnecting" + messages. + * Fix Will for v5 clients not being sent if will delay interval was + greater than the session expiry interval. + * Fix CRL file not being reloaded on HUP. + Client library: + * Fix reconnect backoff for the situation where connections are + dropped rather than refused. + * Fix missing locks on `mosq->state`. + +- Update to version 1.6.4 + Fix CVE-2019-11778: + * If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 + to 1.6.4 inclusive, sets a last will and testament, sets a will + delay interval, sets a session expiry interval, and the will delay + interval is set longer than the session expiry interval, then a + use after free error occurs, which has the potential to cause a + crash in some situations. + Broker: + * Fix incoming QoS 2 messages being blocked when + `max_inflight_messages` was set to 1. + * Fix incoming messages not being removed for a client if the topic + being published to does not have any subscribers. + Client library: + * Fix MQTT v5 subscription options being incorrectly set for + MQTT v3 subscriptions. + * Make behaviour of `mosquitto_connect_async()` consistent with + `mosquitto_connect()` when connecting to a non-existent server. + * `mosquitto_string_option(mosq, MOSQ_OPT_TLS_KEYFORM, ...)` was + incorrectly returning `MOSQ_ERR_INVAL` with valid input. This has + been fixed. + * on_connect callback is now called with the correct v5 reason code + if a v5 client connects to a v3.x broker and is sent a CONNACK with + the "unacceptable protocol version" connack reason code. + * Fix memory leak when setting v5 properties in mosquitto_connect_v5(). + * Fix properties not being sent on QoS>0 PUBLISH messages. + Clients: + * mosquitto_pub: fix error codes not being returned when + mosquitto_pub exits. + * All clients: improve error messages when connecting to a v3.x broker + when in v5 mode. + Other: + - Various documentation fixes. + +- Update to version 1.6.3 + Broker: + * Fix detection of incoming v3.1/v3.1.1 bridges. + * Fix default max_topic_alias listener config not being copied to + the in-use listener when compiled without TLS support. + * Fix random number generation if compiling using `WITH_TLS=no` and + on Linux with glibc >= 2.25. Without this fix, no random numbers + would be generated for e.g. on broker client id generation, and so + clients connecting expecting this feature would be unable to connect. + * Fix compilation problem related to `getrandom()` on non-glibc systems. + * Fix Will message for a persistent client incorrectly being sent when the + client reconnects after a clean disconnect. + - Fix Will message for a persistent client not being sent on disconnect. + * Improve documentation around the upgrading of persistence files. + * Add 'extern "C"' on mosquitto_broker.h and mosquitto_plugin.h for + C++ plugin writing. + * Fix persistent Websockets clients not receiving messages after they + reconnect, having sent DISCONNECT on a previous session + * Disable TLS renegotiation. Client initiated renegotiation is considered to + be a potential attack vector against servers. + * Fix incorrect shared subscription topic '$shared'. + * Fix zero length client ids being rejected for MQTT v5 clients with clean + start set to true. + * Fix MQTT v5 overlapping subscription behaviour. Clients now receive message + from all matching subscriptions rather than the first one encountered, which + ensures the maximum QoS requirement is met. + * Fix incoming/outgoing quota problems for QoS>0. + * Remove obsolete `store_clean_interval` from documentation. + * Fix v4 authentication plugin never calling psk_key_get. + Clients: + * Fix -L url parsing when `/topic` part is missing. + * Stop some error messages being printed even when `--quiet` was used. + * Fix mosquitto_pub exiting with error code 0 when an error occurred. + * Fix mosquitto_pub not using the `-c` option. + * Fix MQTT v5 clients not being able to specify a password without a + username. + * Fix `mosquitto_pub -l` not handling network failures. + * Fix `mosquitto_pub -l` not handling zero length input. + * Fix double free on exit in mosquitto_pub. + +- Update to version 1.6.2 + Broker: + * Fix memory access after free, leading to possible crash, when v5 + client with Will message disconnects, where the Will message has + as its first property one of `content-type`, `correlation-data`, + `payload-format-indicator`, or `response-topic`. + * Fix Will message not allowing user-property properties. + * Fix broker originated messages (e.g. $SYS/broker/version) not being + published when `check_retain_source` set to true. + * Fix $SYS/broker/version being incorrectly expired after 60 seconds. + Library: + * Fix crash after client has been unable to connect to a broker. This + occurs when the client is exiting and is part of the final library + cleanup routine. + Clients: + - Fix -L url parsing. + +- Update to version 1.6.1 + Broker: + * Document `memory_limit` option. + Clients: + * Fix compilation on non glibc systems due to missing sys/time.h + header. + +- Add patch: + * mosquitto-fix-pkgconf-path.patch + ------------------------------------------------------------------- Thu Jul 11 05:41:41 UTC 2019 - Antoine Belvire diff --git a/mosquitto.spec b/mosquitto.spec index fbba0b3..aa76d6f 100644 --- a/mosquitto.spec +++ b/mosquitto.spec @@ -26,7 +26,7 @@ %endif %bcond_without websockets Name: mosquitto -Version: 1.6.0 +Version: 1.6.5 Release: 0 Summary: A MQTT v3.1/v3.1.1 Broker License: EPL-1.0 @@ -40,6 +40,7 @@ Source4: README-conf-d Source5: README-ca_certificates Source6: README-certs Patch0: mosquitto-1.4.1_apparmor.patch +Patch1: mosquitto-fix-pkgconf-path.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libcares-devel @@ -121,10 +122,12 @@ Client for Mosquitto. %prep %setup -q %patch0 -p1 +%patch1 -p1 find misc -type f -exec chmod a-x "{}" "+" %build %cmake \ + -DCMAKE_INSTALL_SYSCONFDIR=/etc \ %if %{with websockets} -DWITH_WEBSOCKETS=ON \ %endif