Commit d2a7f0cc authored by Leo's avatar Leo Committed by Natanael Copa

main/mosquitto: fix CVE-2019-11779

parent 9097b932
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mosquitto
pkgver=1.5.6
pkgrel=0
pkgrel=1
pkgdesc="An Open Source MQTT v3.1 Broker"
url="https://mosquitto.org/"
arch="all"
......@@ -18,10 +18,14 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname-openrc
$pkgname-libs $pkgname-clients"
source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz
config.patch
mosquitto.initd"
mosquitto.initd
CVE-2019-11779.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 1.5.6-r1:
# - CVE-2019-11779
# 1.5.6-r0:
# - CVE-2018-12546
# - CVE-2018-12550
......@@ -93,4 +97,5 @@ clients() {
sha512sums="99bd935f93ae25f0c7992870780cce4748b35ffd58fd0d39e20ee69f34c28d3eac289cf0c7dec078dbdced3bda12da4569d4b5e84ebdaa5514640f331ca3238b mosquitto-1.5.6.tar.gz
fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33 config.patch
16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd"
16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd
821bce2d7ed38f146e5065d50c2799b56deaf1511a4634de7033aa7bfe5c0c529f949827b779594e15ee2c3cca2fcb1b7e0ae37c5778e27774925cb92bedc62a CVE-2019-11779.patch"
From 84681d9728ceb7f6ea2b6751b4d87200d8a62f14 Mon Sep 17 00:00:00 2001
From: "Roger A. Light" <roger@atchoo.org>
Date: Tue, 17 Sep 2019 14:56:08 +0100
Subject: Fix for CVE-xxxx-xxxx
diff --git a/lib/util_mosq.c b/lib/util_mosq.c
index 25bd61d..cfc3ce8 100644
--- a/lib/util_mosq.c
+++ b/lib/util_mosq.c
@@ -143,14 +143,25 @@ uint16_t mosquitto__mid_generate(struct mosquitto *mosq)
int mosquitto_pub_topic_check(const char *str)
{
int len = 0;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
while(str && str[0]){
if(str[0] == '+' || str[0] == '#'){
return MOSQ_ERR_INVAL;
}
+#ifdef WITH_BROKER
+ else if(str[0] == '/'){
+ hier_count++;
+ }
+#endif
len++;
str = &str[1];
}
if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
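Review bot: The new bound in mosquitto_pub_topic_check is tested only after the while loop, so `hier_count` keeps incrementing over the whole NUL-terminated string before the limit is applied. Rejecting inside the branch, `else if(str[0] == '/'){ if(++hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; }`, stops at the first excess separator and keeps the counter from growing with input length. `hier_count` also counts '/' separators rather than levels, so a topic with 200 separators (201 levels) still passes; a short comment stating which is intended would remove the ambiguity. The same pattern appears in mosquitto_pub_topic_check2, mosquitto_sub_topic_check and mosquitto_sub_topic_check2 later in this patch.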
@@ -158,6 +169,9 @@ int mosquitto_pub_topic_check(const char *str)
int mosquitto_pub_topic_check2(const char *str, size_t len)
{
int i;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
if(len > 65535) return MOSQ_ERR_INVAL;
@@ -165,7 +179,15 @@ int mosquitto_pub_topic_check2(const char *str, size_t len)
if(str[i] == '+' || str[i] == '#'){
return MOSQ_ERR_INVAL;
}
+#ifdef WITH_BROKER
+ else if(str[i] == '/'){
+ hier_count++;
+ }
+#endif
}
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
@@ -181,6 +203,10 @@ int mosquitto_sub_topic_check(const char *str)
{
char c = '\0';
int len = 0;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
+
while(str && str[0]){
if(str[0] == '+'){
if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){
@@ -191,11 +217,19 @@ int mosquitto_sub_topic_check(const char *str)
return MOSQ_ERR_INVAL;
}
}
+#ifdef WITH_BROKER
+ else if(str[0] == '/'){
+ hier_count++;
+ }
+#endif
len++;
c = str[0];
str = &str[1];
}
if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
@@ -204,6 +238,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
{
char c = '\0';
int i;
+#ifdef WITH_BROKER
+ int hier_count = 0;
+#endif
if(len > 65535) return MOSQ_ERR_INVAL;
@@ -217,8 +254,16 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
return MOSQ_ERR_INVAL;
}
}
+#ifdef WITH_BROKER
+ else if(str[i] == '/'){
+ hier_count++;
+ }
+#endif
c = str[i];
}
+#ifdef WITH_BROKER
+ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
return MOSQ_ERR_SUCCESS;
}
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
index 512937a..5c077cb 100644
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@@ -70,6 +70,9 @@ Contributors:
#define WEBSOCKET_CLIENT -2
+
+#define TOPIC_HIERARCHY_LIMIT 200
+
/* ========================================
* UHPA data types
* ======================================== */
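Review bot: `TOPIC_HIERARCHY_LIMIT` is added without a comment saying what it bounds or why 200 was chosen; the only rationale in this patch is the remark in src/subs.c about restricting stack usage. A line such as `/* Upper bound on topic hierarchy levels accepted by the broker, to restrict stack usage. */` above the define would record that next to the value. The macro is also referenced from lib/util_mosq.c under `WITH_BROKER`, so that file presumably includes this header in broker builds; the include is not visible in the hunks shown.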
diff --git a/src/subs.c b/src/subs.c
index 6b53aa6..a03c7bd 100644
--- a/src/subs.c
+++ b/src/subs.c
@@ -178,6 +178,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
int start, stop, tlen;
int i;
mosquitto__topic_element_uhpa topic;
+ int count = 0;
assert(subtopic);
assert(topics);
@@ -200,6 +201,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
stop = 0;
for(i=start; i<len+1; i++){
+ count++;
if(subtopic[i] == '/' || subtopic[i] == '\0'){
stop = i;
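Review bot: As rendered here, `count++` sits at the top of the for body, before the `'/'` / `'\0'` test, so it would advance once per character rather than once per topic level. If that placement is accurate, the later `count > TOPIC_HIERARCHY_LIMIT` check would reject any subscription topic longer than roughly 200 bytes, however few levels it has. Moving the increment inside the `if(subtopic[i] == '/' || subtopic[i] == '\0'){` branch would count tokens instead. Indentation is lost on this page and the loop body continues outside the hunk, so this should be checked against the patch file itself.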
@@ -219,6 +221,11 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
}
}
+ if(count > TOPIC_HIERARCHY_LIMIT){
+ /* Set limit on hierarchy levels, to restrict stack usage. */
+ goto cleanup;
+ }
+
return MOSQ_ERR_SUCCESS;
cleanup:
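Review bot: The limit check runs only after the tokenising loop has finished, so the loop has presumably already built a token for every level of an over-deep topic before `goto cleanup` discards them. Testing `count` inside the loop would bound that work to the limit. The value returned from the `cleanup:` path is outside this hunk; it is worth confirming that callers see an invalid-input style error, not a generic failure code that would mislead anyone triaging rejected subscriptions in broker logs.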
--
2.20.1