Mosquitto pattern ACLs can be circumvented with special client ids or usernames

Bug #1692818 reported by Roger Light
Affects: mosquitto (Ubuntu)    Status: Fix Released    Importance: Undecided    Assigned to: Unassigned

Bug Description

This issue will be disclosed as CVE-2017-7650.

It affects all versions currently packaged in Ubuntu. A fix is currently being tested and will be released as part of version 1.4.12 and as patches for earlier versions.

Could you please offer advice on how to deal with the packages in current versions of Ubuntu? Is that something I need to deal with or can the security team help?

CVE References: CVE-2017-7650

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Roger, thanks for contacting us; because mosquitto is in universe it is community-supported -- anyone can provide us with debdiffs and we'll sponsor them into the archive.

You can find some more information about the process on https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation .

Thanks

Revision history for this message
Roger Light (roger.light) wrote :

These are my proposed patches for each of the current releases. They apply cleanly to the old versions, have been built and confirmed in the appropriate pbuilder. The bug is still private for the moment, I've still got more ducks to line up.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Beautiful patches Roger, thanks. Please let us know when to release and one of us will pick it up from there.

Thanks!

Revision history for this message
Roger Light (roger.light) wrote :

The plan is to release on Monday around noon.

Revision history for this message
Roger Light (roger.light) wrote :

Hello, this is going to be public in a very short amount of time so you can start to publish these new packages.

Changed in mosquitto (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.10-2ubuntu0.1

---------------
mosquitto (1.4.10-2ubuntu0.1) zesty-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-1.4.10_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light) Tue, 23 May 2017 22:14:40 +0100

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released
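The bypass described in the changelog above, worked through as an added example (this is illustrative code written for this page, not mosquitto's own implementation). It models a mosquitto `pattern` ACL line, where `%c` and `%u` are replaced with the connecting client's id and username before the published topic is matched against the result, and then applies the check the patch describes: refuse to route messages for clients whose id or username contains `+`, `#` or `/`. The ACL patterns, client ids and topics are constructed sample data; the function names are this example's own.

```python
"""Pattern-ACL bypass via wildcard client ids / usernames, and the fix.

Constructed example for this bug page; not mosquitto's code. The matcher
below follows MQTT topic-filter rules: '+' matches exactly one level and
'#' matches the remainder of the topic when it is the final level.
"""

# Constructed ACL: pattern lines as they would appear in an acl_file
# ("pattern readwrite devices/%c/data", "pattern readwrite users/%u").
ACL_PATTERNS = ["devices/%c/data", "users/%u"]

# Characters the fix rejects in a client id or username.
BAD_CHARS = "+#/"


def topic_matches_sub(sub: str, topic: str) -> bool:
    """Return True if topic filter `sub` matches the concrete `topic`."""
    s_levels = sub.split("/")
    t_levels = topic.split("/")
    for i, s in enumerate(s_levels):
        if s == "#":
            # '#' only matches when it is the last level of the filter.
            return i == len(s_levels) - 1
        if i >= len(t_levels):
            return False
        if s != "+" and s != t_levels[i]:
            return False
    return len(s_levels) == len(t_levels)


def expand_pattern(pattern: str, client_id: str, username: str) -> str:
    """Substitute %c and %u the way a pattern ACL does."""
    return pattern.replace("%c", client_id).replace("%u", username or "")


def acl_allows(patterns, client_id, username, topic) -> bool:
    """Vulnerable check: substitute, then match, with no validation of the
    substituted values. A client id of '+' turns 'devices/%c/data' into
    'devices/+/data', which matches every device's topic."""
    return any(
        topic_matches_sub(expand_pattern(p, client_id, username), topic)
        for p in patterns
    )


def client_allowed_to_talk(client_id: str, username: str) -> bool:
    """The fix from the changelog: reject send/receive for clients with
    '+', '#' or '/' in their client id or username."""
    for value in (client_id, username or ""):
        if any(ch in value for ch in BAD_CHARS):
            return False
    return True


def acl_allows_fixed(patterns, client_id, username, topic) -> bool:
    """Hardened check: refuse wildcard-bearing identities before the ACL
    substitution can turn them into a broad topic filter."""
    if not client_allowed_to_talk(client_id, username):
        return False
    return acl_allows(patterns, client_id, username, topic)


if __name__ == "__main__":
    cases = [
        # (client id, username, topic) -> constructed sample traffic
        ("dev42", "alice", "devices/dev42/data"),     # legitimate
        ("dev42", "alice", "devices/dev99/data"),     # should be denied
        ("+", "alice", "devices/dev99/data"),         # bypass via client id
        ("dev42", "#", "users/bob/private"),          # bypass via username
    ]
    for cid, user, topic in cases:
        print(f"{cid!r}/{user!r} -> {topic}: "
              f"vulnerable={acl_allows(ACL_PATTERNS, cid, user, topic)} "
              f"fixed={acl_allows_fixed(ACL_PATTERNS, cid, user, topic)}")
```

Rejecting `/` as well as the wildcards matters because a client id containing a separator can inject extra topic levels into the expanded pattern; the check belongs on the identity itself, before any substitution, rather than on each expanded filter.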
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.8-1ubuntu0.16.10.1

---------------
mosquitto (1.4.8-1ubuntu0.16.10.1) yakkety-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light) Tue, 23 May 2017 22:14:40 +0100

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 0.15-2ubuntu1.1

---------------
mosquitto (0.15-2ubuntu1.1) trusty-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light) Tue, 23 May 2017 22:14:40 +0100

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Roger!
