From ad0fe154472a18d1088db47e51b5979f67fd38cc3ef8e8af24920b1666d3678d Mon Sep 17 00:00:00 2001 From: Martin Hauke Date: Wed, 7 Apr 2021 22:25:40 +0000 Subject: [PATCH] Accepting request 883684 from home:mnhauke - Update to version 2.0.10 Security: * CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault. This will be updated with the CVE number when it is assigned. Affects versions 2.0.0 to 2.0.9 inclusive. Broker: * Don't over write new receive-maximum if a v5 client connects and takes over an old session. * Fix CVE-2021-28166. Closes #2163. Clients: * Set `receive-maximum` to not exceed the `-C` message count in mosquitto_sub and mosquitto_rr, to avoid potentially lost messages. * Fix TLS-PSK mode not working with port 8883. Client library: * Fix possible socket leak. This would occur if a client was using `mosquitto_loop_start()`, then if the connection failed due to the remote server being inaccessible they called `mosquitto_loop_stop(, true)` and recreated the mosquitto object. Build: * A variety of minor build related fixes, like functions not having previous declarations. OBS-URL: https://build.opensuse.org/request/show/883684 OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=53 --- fix-undefined-symbols-in-plugins.patch | 40 +++++++++++++------------- mosquitto-2.0.10.tar.gz | 3 ++ mosquitto-2.0.10.tar.gz.sig | 16 +++++++++++ mosquitto-2.0.9.tar.gz | 3 -- mosquitto-2.0.9.tar.gz.sig | 16 ----------- mosquitto.changes | 30 +++++++++++++++++++ mosquitto.spec | 2 +- 7 files changed, 70 insertions(+), 40 deletions(-) create mode 100644 mosquitto-2.0.10.tar.gz create mode 100644 mosquitto-2.0.10.tar.gz.sig delete mode 100644 mosquitto-2.0.9.tar.gz delete mode 100644 mosquitto-2.0.9.tar.gz.sig 
diff --git a/fix-undefined-symbols-in-plugins.patch b/fix-undefined-symbols-in-plugins.patch index d40e4ec..3822fc7 100644 --- a/fix-undefined-symbols-in-plugins.patch +++ b/fix-undefined-symbols-in-plugins.patch @@ -1,20 +1,20 @@ -Index: mosquitto-2.0.8/plugins/auth-by-ip/CMakeLists.txt -=================================================================== ---- mosquitto-2.0.8.orig/plugins/auth-by-ip/CMakeLists.txt -+++ mosquitto-2.0.8/plugins/auth-by-ip/CMakeLists.txt +diff --git a/plugins/auth-by-ip/CMakeLists.txt b/plugins/auth-by-ip/CMakeLists.txt +index 45260bd..e5e25d8 100644 +--- a/plugins/auth-by-ip/CMakeLists.txt ++++ b/plugins/auth-by-ip/CMakeLists.txt @@ -1,7 +1,7 @@ include_directories(${mosquitto_SOURCE_DIR} ${mosquitto_SOURCE_DIR}/include - ${STDBOOL_H_PATH} ${STDINT_H_PATH}) + ${OPENSSL_INCLUDE_DIR} ${STDBOOL_H_PATH} ${STDINT_H_PATH}) -add_library(mosquitto_auth_by_ip SHARED mosquitto_auth_by_ip.c) +add_library(mosquitto_auth_by_ip MODULE mosquitto_auth_by_ip.c) set_target_properties(mosquitto_auth_by_ip PROPERTIES POSITION_INDEPENDENT_CODE 1 ) -Index: mosquitto-2.0.8/plugins/dynamic-security/CMakeLists.txt -=================================================================== ---- mosquitto-2.0.8.orig/plugins/dynamic-security/CMakeLists.txt -+++ mosquitto-2.0.8/plugins/dynamic-security/CMakeLists.txt +diff --git a/plugins/dynamic-security/CMakeLists.txt b/plugins/dynamic-security/CMakeLists.txt +index 213ea03..0e02518 100644 +--- a/plugins/dynamic-security/CMakeLists.txt ++++ b/plugins/dynamic-security/CMakeLists.txt @@ -12,7 +12,7 @@ if (CJSON_FOUND AND WITH_TLS) include_directories(${CLIENT_INC}) link_directories(${CLIENT_DIR} ${mosquitto_SOURCE_DIR}) 
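Review bot: The refreshed patch file still opens at line 1 with a bare diff header (the old `Index:` line is replaced by `diff --git a/plugins/auth-by-ip/CMakeLists.txt ...`), so nothing in it records why the plugin targets change from `SHARED` to `MODULE` or whether the change was offered upstream. The targets visible here are broker plugins (`mosquitto_auth_by_ip` in this hunk, `mosquitto_message_timestamp` and `mosquitto_payload_modification` in the second). Presumably `MODULE` is used so that symbols provided by the broker stay unresolved until the plugin is loaded, which would also mean a genuinely missing symbol only surfaces at load time rather than at link time. I would add a short header above the first `diff --git`, for example `Build broker plugins as MODULE libraries so broker-provided symbols resolve at load time; upstream status: <not-sent|submitted|merged>`, and state there how plugin loading is smoke-tested after each version refresh.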
@@ -24,25 +24,25 @@ Index: mosquitto-2.0.8/plugins/dynamic-security/CMakeLists.txt acl.c auth.c clients.c -Index: mosquitto-2.0.8/plugins/message-timestamp/CMakeLists.txt -=================================================================== ---- mosquitto-2.0.8.orig/plugins/message-timestamp/CMakeLists.txt -+++ mosquitto-2.0.8/plugins/message-timestamp/CMakeLists.txt +diff --git a/plugins/message-timestamp/CMakeLists.txt b/plugins/message-timestamp/CMakeLists.txt +index e53a4bc..d28cb1d 100644 +--- a/plugins/message-timestamp/CMakeLists.txt ++++ b/plugins/message-timestamp/CMakeLists.txt @@ -1,7 +1,7 @@ include_directories(${mosquitto_SOURCE_DIR} ${mosquitto_SOURCE_DIR}/include - ${STDBOOL_H_PATH} ${STDINT_H_PATH}) + ${OPENSSL_INCLUDE_DIR} ${STDBOOL_H_PATH} ${STDINT_H_PATH}) -add_library(mosquitto_message_timestamp SHARED mosquitto_message_timestamp.c) +add_library(mosquitto_message_timestamp MODULE mosquitto_message_timestamp.c) set_target_properties(mosquitto_message_timestamp PROPERTIES POSITION_INDEPENDENT_CODE 1 ) -Index: mosquitto-2.0.8/plugins/payload-modification/CMakeLists.txt -=================================================================== ---- mosquitto-2.0.8.orig/plugins/payload-modification/CMakeLists.txt -+++ mosquitto-2.0.8/plugins/payload-modification/CMakeLists.txt -@@ -2,7 +2,7 @@ include_directories(${mosquitto_SOURCE_D - ${STDBOOL_H_PATH} ${STDINT_H_PATH}) +diff --git a/plugins/payload-modification/CMakeLists.txt b/plugins/payload-modification/CMakeLists.txt +index a449291..e77c870 100644 +--- a/plugins/payload-modification/CMakeLists.txt ++++ b/plugins/payload-modification/CMakeLists.txt +@@ -2,7 +2,7 @@ include_directories(${mosquitto_SOURCE_DIR} ${mosquitto_SOURCE_DIR}/include + ${OPENSSL_INCLUDE_DIR} ${STDBOOL_H_PATH} ${STDINT_H_PATH}) link_directories(${mosquitto_SOURCE_DIR}) -add_library(mosquitto_payload_modification SHARED mosquitto_payload_modification.c) 
diff --git a/mosquitto-2.0.10.tar.gz b/mosquitto-2.0.10.tar.gz
new file mode 100644
index 0000000..9122628
--- /dev/null
+++ b/mosquitto-2.0.10.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0188f7b21b91d6d80e992b8d6116ba851468b3bd154030e8a003ed28fb6f4a44
+size 759106
diff --git a/mosquitto-2.0.10.tar.gz.sig b/mosquitto-2.0.10.tar.gz.sig
new file mode 100644
index 0000000..47e3be2
--- /dev/null
+++ b/mosquitto-2.0.10.tar.gz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAmBoSz8ACgkQd5si37Pn
+F7exyQ//Q9UXpuHS7aywypHcHKAdTm3Eu/unQhlMojbLD7K97uy/ROP2qt4B5QpY
+ckj7uhzYPuno/dGOE+uU8HR+RQ2bpJJ84VbI+t6SI1RFJImPyNnkDYuLPO+L1PWs
+OlITozi6W4HpwwY6sCXxJujXGE8tTQzfE3FIMYg7KrKFRpx34wYFRzQVWJ/FkDkJ
+ZeJnwJ/ZTbNOc1fMJFfSx2+Xx1Yppk28HFshKmEZlFzJiaXQi8jx1XFJ5ySsA18/
+6uLTExy9tz/vPHz1tR18VNSYy/Ix7TNEdmfFg62rkMm5BbQlCR0Yx0sRYaCtxafN
+fW1L9DYM8D9TBRNg4LKUXAJjZwnwqMqXdt9n2h4jG/DHoCsPuimi+gVnwVwHOENt
+B5UcuxdqDq6zfSSQx8Y9XLFJ4BZYtojJFqzHoq/dmKsOwi+LbuJPali6FiX+nl9K
+Qxt5etp6rfgIfv+2FD0g+gg2E8wLOm/m2qEC0mBMGEMtqnyshel3Pyh3PUeMsP5u
+HhIbLDP2GJ7qcGoz63BUpXx8enlgqLxEXFptwTsFb0NvlwHH81gySUStcZwcz9rH
+4q+EfmEV1gFeaNV1ceFvvt33stEaYzZRYBT/sSUJ0/CewGkOfdA7f8gzgetvbLN4
+Vw4wMHtLPNiaA0EFXaLc+RLu+5ZoJ4AiV0HxXeR5+jLuJwrcD0c=
+=34DU
+-----END PGP SIGNATURE-----
diff --git a/mosquitto-2.0.9.tar.gz b/mosquitto-2.0.9.tar.gz
deleted file mode 100644
index b1f8871..0000000
--- a/mosquitto-2.0.9.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1b8553ef64a1cf5e4f4cfbe098330ae612adccd3d37f35b2db6f6fab501b01d4
-size 757878
diff --git a/mosquitto-2.0.9.tar.gz.sig b/mosquitto-2.0.9.tar.gz.sig
deleted file mode 100644
index 2979bd5..0000000
--- a/mosquitto-2.0.9.tar.gz.sig
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAmBKm6EACgkQd5si37Pn
-F7dmgQ//XpvIqRaP3xEjYHHonQh/vAJziXSsC2GjyY7lGK8S5Ab0ft7EPjhEQBoF
-UU1CRHJcdVpY8Xaw8c7lihWrxSl+wY9tKwlqOA2I4gMKBU2iKlcGeah1G35ncnZV
-35RqaKr/5Cx5W4e80jqcCJ75/JBIXpYLH5lDZaOT2z3644HjOsnWzVPO6Ht2rsYT
-99N0/Wobl3cRZTuqv7R2qOasg5OriY/aUn3RBdJm1pBbX2qHN/altBwkdyqaxScf
-QmkSdjBdvHCkQRn0spNRnECPWsmVIGQ3YO9HPGdxu0+vA3PLm8fFnvytWOC0W5fv
-our4OJqvvTmYTh1+ZhCqlzraR1g8jkH/ExAHwBxJ8wDZGGobtfg4Eq4cwXMYVNa5
-jxILPn/BVEbYAmi9IQqBaapr6vbRPpJVDuX8613rEcJ9Npd8EPPPy0uJEqd7nAEi
-mYHsMcS6cch4mbiFcy9FE0rUkOpVZrthOpCv7jMPoIpM1fc7Q4ev3/fhjmFDSSOH
-RNn+nZQux9GNJXnCcyCGIj/AFW0wm0+kiw7MsaDnlxXyovekrNQ2aXfqCOahhBzv
-goVNRrTQCRcWuGWgUI2Vr728mLgwPbsszotwbvX5Gxv5VOJTU1DAtQAr4J4w/Sd1
-+lgcxziT77nyCXzdjB9OgpR/xXe0BgKzDpdVMIHqmTOzfxNwIVI=
-=aRYG
------END PGP SIGNATURE-----
diff --git a/mosquitto.changes b/mosquitto.changes
index 443871c..fc270f6 100644
--- a/mosquitto.changes
+++ b/mosquitto.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Tue Apr 6 18:58:02 UTC 2021 - Martin Hauke
+
+- Update to version 2.0.10
+ Security:
+ * CVE-2021-28166: If an authenticated client connected with
+ MQTT v5 sent a malformed CONNACK message to the broker a NULL
+ pointer dereference occurred, most likely resulting in a
+ segfault. This will be updated with the CVE number when it is
+ assigned.
+ Affects versions 2.0.0 to 2.0.9 inclusive.
+ Broker:
+ * Don't over write new receive-maximum if a v5 client connects
+ and takes over an old session.
+ * Fix CVE-2021-28166. Closes #2163.
+ Clients:
+ * Set `receive-maximum` to not exceed the `-C` message count in
+ mosquitto_sub and mosquitto_rr, to avoid potentially lost
+ messages.
+ * Fix TLS-PSK mode not working with port 8883.
+ Client library:
+ * Fix possible socket leak. This would occur if a client was
+ using `mosquitto_loop_start()`, then if the connection failed
+ due to the remote server being inaccessible they called
+ `mosquitto_loop_stop(, true)` and recreated the mosquitto
+ object.
+ Build:
+ * A variety of minor build related fixes, like functions not
+ having previous declarations.
+
 -------------------------------------------------------------------
 Fri Mar 12 14:13:54 UTC 2021 - Martin Hauke
 
diff --git a/mosquitto.spec b/mosquitto.spec
index b28a54c..e20382b 100644
--- a/mosquitto.spec
+++ b/mosquitto.spec
@@ -20,7 +20,7 @@
 %define c_lib libmosquitto1
 %define cpp_lib libmosquittopp1
 Name: mosquitto
-Version: 2.0.9
+Version: 2.0.10
 Release: 0
 Summary: A MQTT v3.1/v3.1.1 Broker
 License: EPL-1.0