Commit 68e4e4a1 authored by Leo's avatar Leo Committed by Natanael Copa

main/mosquitto: fix CVE-2019-11779

parent 49ec6e34
...@@ -17,10 +17,14 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname-openrc ...@@ -17,10 +17,14 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname-openrc
source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz
config.patch config.patch
disable-ci-tests.patch disable-ci-tests.patch
mosquitto.initd" mosquitto.initd
CVE-2019-11779.patch
"
builddir="$srcdir/$pkgname-$pkgver" builddir="$srcdir/$pkgname-$pkgver"
# secfixes: # secfixes:
# 1.6.3-r1:
# - CVE-2019-11779
# 1.5.6-r0: # 1.5.6-r0:
# - CVE-2018-12546 # - CVE-2018-12546
# - CVE-2018-12550 # - CVE-2018-12550
...@@ -93,4 +97,5 @@ clients() { ...@@ -93,4 +97,5 @@ clients() {
sha512sums="d78d95789cfadaa8c989becb799e6eace1a82cfed9d79582cf7278dd2f9f31060b0b6492c5e3461c687629445efbdda0db68cba65962eb6a305ada46611f6d94 mosquitto-1.6.3.tar.gz sha512sums="d78d95789cfadaa8c989becb799e6eace1a82cfed9d79582cf7278dd2f9f31060b0b6492c5e3461c687629445efbdda0db68cba65962eb6a305ada46611f6d94 mosquitto-1.6.3.tar.gz
fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33 config.patch fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33 config.patch
21df2006a5eb9e1248cf261e555ded8e80e79f2a2d2a55b1f8a153af7c0feb867f3b3bd71efbe4d8569e3031c65f3e144794724f012e7539244a9bd97b6b6bb3 disable-ci-tests.patch 21df2006a5eb9e1248cf261e555ded8e80e79f2a2d2a55b1f8a153af7c0feb867f3b3bd71efbe4d8569e3031c65f3e144794724f012e7539244a9bd97b6b6bb3 disable-ci-tests.patch
16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd" 16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd
f0d8aa24ccb0bb6206329c6538ebd7e019b51a8520983eba89b1da2c7c2ebc094b9e88d60cf2beb32ae13ddf49ddd541b519e6aca83bc5fd38eb100f88957adf CVE-2019-11779.patch"
From 106675093177335b18521bc0e5ad1d95343ad652 Mon Sep 17 00:00:00 2001
From: "Roger A. Light" <roger@atchoo.org>
Date: Tue, 17 Sep 2019 14:56:08 +0100
Subject: Fix for CVE-xxxx-xxxx
diff --git a/lib/util_topic.c b/lib/util_topic.c
index 67b7878..673cc6c 100644
--- a/lib/util_topic.c
+++ b/lib/util_topic.c
@@ -49,14 +49,25 @@ Contributors:
int mosquitto_pub_topic_check(const char *str)
{
int len = 0;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
while(str && str[0]){
if(str[0] == '+' || str[0] == '#'){
return MOSQ_ERR_INVAL;
}
+#ifdef WITH_BROKER
+ else if(str[0] == '/'){
+ hier_count++;
+ }
+#endif
len++;
str = &str[1];
}
if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
@@ -64,6 +75,9 @@ int mosquitto_pub_topic_check(const char *str)
int mosquitto_pub_topic_check2(const char *str, size_t len)
{
size_t i;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
if(len > 65535) return MOSQ_ERR_INVAL;
@@ -71,7 +85,15 @@ int mosquitto_pub_topic_check2(const char *str, size_t len)
if(str[i] == '+' || str[i] == '#'){
return MOSQ_ERR_INVAL;
}
+#ifdef WITH_BROKER
+ else if(str[i] == '/'){
+ hier_count++;
+ }
+#endif
}
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
@@ -87,6 +109,10 @@ int mosquitto_sub_topic_check(const char *str)
{
char c = '\0';
int len = 0;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
+
while(str && str[0]){
if(str[0] == '+'){
if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){
@@ -97,11 +123,19 @@ int mosquitto_sub_topic_check(const char *str)
return MOSQ_ERR_INVAL;
}
}
+#ifdef WITH_BROKER
+ else if(str[0] == '/'){
+ hier_count++;
+ }
+#endif
len++;
c = str[0];
str = &str[1];
}
if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
@@ -110,6 +144,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
{
char c = '\0';
size_t i;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
if(len > 65535) return MOSQ_ERR_INVAL;
@@ -123,8 +160,16 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
return MOSQ_ERR_INVAL;
}
}
+#ifdef WITH_BROKER
+ else if(str[i] == '/'){
+ hier_count++;
+ }
+#endif
c = str[i];
}
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
index 25d4a5b..322c6a8 100644
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@@ -73,6 +73,9 @@ Contributors:
#define WEBSOCKET_CLIENT -2
+
+#define TOPIC_HIERARCHY_LIMIT 200
+
/* ========================================
* UHPA data types
* ======================================== */
diff --git a/src/subs.c b/src/subs.c
index aae3266..c059874 100644
--- a/src/subs.c
+++ b/src/subs.c
@@ -220,6 +220,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
int start, stop, tlen;
int i;
char *topic;
+ int count = 0;
assert(subtopic);
assert(topics);
@@ -242,6 +243,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
stop = 0;
for(i=start; i<len+1; i++){
+ count++;
if(subtopic[i] == '/' || subtopic[i] == '\0'){
stop = i;
@@ -262,6 +264,11 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
}
}
+ if(count > TOPIC_HIERARCHY_LIMIT){
+ /* Set limit on hierarchy levels, to restrict stack usage. */
+ goto cleanup;
+ }
+
return MOSQ_ERR_SUCCESS;
cleanup:
--
2.20.1
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment