main/mosquitto: fix CVE-2019-11779

2026-05-05 20:36:40 +02:00 · 2019-09-26 02:39:40 -03:00 · 2019-09-26 02:39:40 -03:00 · 68e4e4a13a
commit 68e4e4a13a
parent 49ec6e343c
2 changed files with 175 additions and 2 deletions
--- a/main/mosquitto/APKBUILD
+++ b/main/mosquitto/APKBUILD
@ -17,10 +17,14 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname-openrc
 source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz
 	config.patch
 	disable-ci-tests.patch
-	mosquitto.initd"
+	mosquitto.initd
+	CVE-2019-11779.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"

 # secfixes:
+#   1.6.3-r1:
+#     - CVE-2019-11779
 #   1.5.6-r0:
 #     - CVE-2018-12546
 #     - CVE-2018-12550
@ -93,4 +97,5 @@ clients() {
 sha512sums="d78d95789cfadaa8c989becb799e6eace1a82cfed9d79582cf7278dd2f9f31060b0b6492c5e3461c687629445efbdda0db68cba65962eb6a305ada46611f6d94  mosquitto-1.6.3.tar.gz
 fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33  config.patch
 21df2006a5eb9e1248cf261e555ded8e80e79f2a2d2a55b1f8a153af7c0feb867f3b3bd71efbe4d8569e3031c65f3e144794724f012e7539244a9bd97b6b6bb3  disable-ci-tests.patch
-16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433  mosquitto.initd"
+16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433  mosquitto.initd
+f0d8aa24ccb0bb6206329c6538ebd7e019b51a8520983eba89b1da2c7c2ebc094b9e88d60cf2beb32ae13ddf49ddd541b519e6aca83bc5fd38eb100f88957adf  CVE-2019-11779.patch"
--- a/main/mosquitto/CVE-2019-11779.patch
+++ b/main/mosquitto/CVE-2019-11779.patch
@ -0,0 +1,168 @@
+From 106675093177335b18521bc0e5ad1d95343ad652 Mon Sep 17 00:00:00 2001
+From: "Roger A. Light" <roger@atchoo.org>
+Date: Tue, 17 Sep 2019 14:56:08 +0100
+Subject: Fix for CVE-xxxx-xxxx
+
+diff --git a/lib/util_topic.c b/lib/util_topic.c
+index 67b7878..673cc6c 100644
+--- a/lib/util_topic.c
+++ b/lib/util_topic.c
+@@ -49,14 +49,25 @@ Contributors:
+ int mosquitto_pub_topic_check(const char *str)
+ {
+ 	int len = 0;
+#ifdef WITH_BROKER
+	int hier_count = 0;
+#endif
+ 	while(str && str[0]){
+ 		if(str[0] == '+' || str[0] == '#'){
+ 			return MOSQ_ERR_INVAL;
+ 		}
+#ifdef WITH_BROKER
+		else if(str[0] == '/'){
+			hier_count++;
+		}
+#endif
+ 		len++;
+ 		str = &str[1];
+ 	}
+ 	if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+	if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
+ 
+ 	return MOSQ_ERR_SUCCESS;
+ }
+@@ -64,6 +75,9 @@ int mosquitto_pub_topic_check(const char *str)
+ int mosquitto_pub_topic_check2(const char *str, size_t len)
+ {
+ 	size_t i;
+#ifdef WITH_BROKER
+	int hier_count = 0;
+#endif
+ 
+ 	if(len > 65535) return MOSQ_ERR_INVAL;
+ 
+@@ -71,7 +85,15 @@ int mosquitto_pub_topic_check2(const char *str, size_t len)
+ 		if(str[i] == '+' || str[i] == '#'){
+ 			return MOSQ_ERR_INVAL;
+ 		}
+#ifdef WITH_BROKER
+		else if(str[i] == '/'){
+			hier_count++;
+		}
+#endif
+ 	}
+#ifdef WITH_BROKER
+	if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
+ 
+ 	return MOSQ_ERR_SUCCESS;
+ }
+@@ -87,6 +109,10 @@ int mosquitto_sub_topic_check(const char *str)
+ {
+ 	char c = '\0';
+ 	int len = 0;
+#ifdef WITH_BROKER
+	int hier_count = 0;
+#endif
+
+ 	while(str && str[0]){
+ 		if(str[0] == '+'){
+ 			if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){
+@@ -97,11 +123,19 @@ int mosquitto_sub_topic_check(const char *str)
+ 				return MOSQ_ERR_INVAL;
+ 			}
+ 		}
+#ifdef WITH_BROKER
+		else if(str[0] == '/'){
+			hier_count++;
+		}
+#endif
+ 		len++;
+ 		c = str[0];
+ 		str = &str[1];
+ 	}
+ 	if(len > 65535) return MOSQ_ERR_INVAL;
+#ifdef WITH_BROKER
+	if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
+ 
+ 	return MOSQ_ERR_SUCCESS;
+ }
+@@ -110,6 +144,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
+ {
+ 	char c = '\0';
+ 	size_t i;
+#ifdef WITH_BROKER
+	int hier_count = 0;
+#endif
+ 
+ 	if(len > 65535) return MOSQ_ERR_INVAL;
+ 
+@@ -123,8 +160,16 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
+ 				return MOSQ_ERR_INVAL;
+ 			}
+ 		}
+#ifdef WITH_BROKER
+		else if(str[i] == '/'){
+			hier_count++;
+		}
+#endif
+ 		c = str[i];
+ 	}
+#ifdef WITH_BROKER
+	if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL;
+#endif
+ 
+ 	return MOSQ_ERR_SUCCESS;
+ }
+diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
+index 25d4a5b..322c6a8 100644
+--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
+@@ -73,6 +73,9 @@ Contributors:
+ 
+ #define WEBSOCKET_CLIENT -2
+ 
+
+#define TOPIC_HIERARCHY_LIMIT 200
+
+ /* ========================================
+  * UHPA data types
+  * ======================================== */
+diff --git a/src/subs.c b/src/subs.c
+index aae3266..c059874 100644
+--- a/src/subs.c
+++ b/src/subs.c
+@@ -220,6 +220,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
+ 	int start, stop, tlen;
+ 	int i;
+ 	char *topic;
+	int count = 0;
+ 
+ 	assert(subtopic);
+ 	assert(topics);
+@@ -242,6 +243,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
+ 
+ 	stop = 0;
+ 	for(i=start; i<len+1; i++){
+		count++;
+ 		if(subtopic[i] == '/' || subtopic[i] == '\0'){
+ 			stop = i;
+ 
+@@ -262,6 +264,11 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics)
+ 		}
+ 	}
+ 
+	if(count > TOPIC_HIERARCHY_LIMIT){
+		/* Set limit on hierarchy levels, to restrict stack usage. */
+		goto cleanup;
+	}
+
+ 	return MOSQ_ERR_SUCCESS;
+ 
+ cleanup:
+-- 
+2.20.1
+