From 68e4e4a13ae7d52d37708f6d7393a5a6ef0ef856 Mon Sep 17 00:00:00 2001 From: Leo Date: Thu, 26 Sep 2019 02:39:40 -0300 Subject: [PATCH] main/mosquitto: fix CVE-2019-11779 --- main/mosquitto/APKBUILD | 9 +- main/mosquitto/CVE-2019-11779.patch | 168 ++++++++++++++++++++++++++++ 2 files changed, 175 insertions(+), 2 deletions(-) create mode 100644 main/mosquitto/CVE-2019-11779.patch diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD index 66c143d01a0..6d1e883d2b8 100644 --- a/main/mosquitto/APKBUILD +++ b/main/mosquitto/APKBUILD @@ -17,10 +17,14 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname-openrc source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz config.patch disable-ci-tests.patch - mosquitto.initd" + mosquitto.initd + CVE-2019-11779.patch + " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 1.6.3-r1: +# - CVE-2019-11779 # 1.5.6-r0: # - CVE-2018-12546 # - CVE-2018-12550 @@ -93,4 +97,5 @@ clients() { sha512sums="d78d95789cfadaa8c989becb799e6eace1a82cfed9d79582cf7278dd2f9f31060b0b6492c5e3461c687629445efbdda0db68cba65962eb6a305ada46611f6d94 mosquitto-1.6.3.tar.gz fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33 config.patch 21df2006a5eb9e1248cf261e555ded8e80e79f2a2d2a55b1f8a153af7c0feb867f3b3bd71efbe4d8569e3031c65f3e144794724f012e7539244a9bd97b6b6bb3 disable-ci-tests.patch -16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd" +16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd +f0d8aa24ccb0bb6206329c6538ebd7e019b51a8520983eba89b1da2c7c2ebc094b9e88d60cf2beb32ae13ddf49ddd541b519e6aca83bc5fd38eb100f88957adf CVE-2019-11779.patch" diff --git a/main/mosquitto/CVE-2019-11779.patch b/main/mosquitto/CVE-2019-11779.patch new file mode 100644 index 00000000000..61bf6382840 --- /dev/null +++ b/main/mosquitto/CVE-2019-11779.patch @@ -0,0 +1,168 @@ +From 106675093177335b18521bc0e5ad1d95343ad652 Mon Sep 17 00:00:00 2001 +From: "Roger A. Light" +Date: Tue, 17 Sep 2019 14:56:08 +0100 +Subject: Fix for CVE-xxxx-xxxx + +diff --git a/lib/util_topic.c b/lib/util_topic.c +index 67b7878..673cc6c 100644 +--- a/lib/util_topic.c ++++ b/lib/util_topic.c +@@ -49,14 +49,25 @@ Contributors: + int mosquitto_pub_topic_check(const char *str) + { + int len = 0; ++#ifdef WITH_BROKER ++ int hier_count = 0; ++#endif + while(str && str[0]){ + if(str[0] == '+' || str[0] == '#'){ + return MOSQ_ERR_INVAL; + } ++#ifdef WITH_BROKER ++ else if(str[0] == '/'){ ++ hier_count++; ++ } ++#endif + len++; + str = &str[1]; + } + if(len > 65535) return MOSQ_ERR_INVAL; ++#ifdef WITH_BROKER ++ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; ++#endif + + return MOSQ_ERR_SUCCESS; + } +@@ -64,6 +75,9 @@ int mosquitto_pub_topic_check(const char *str) + int mosquitto_pub_topic_check2(const char *str, size_t len) + { + size_t i; ++#ifdef WITH_BROKER ++ int hier_count = 0; ++#endif + + if(len > 65535) return MOSQ_ERR_INVAL; + +@@ -71,7 +85,15 @@ int mosquitto_pub_topic_check2(const char *str, size_t len) + if(str[i] == '+' || str[i] == '#'){ + return MOSQ_ERR_INVAL; + } ++#ifdef WITH_BROKER ++ else if(str[i] == '/'){ ++ hier_count++; ++ } ++#endif + } ++#ifdef WITH_BROKER ++ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; ++#endif + + return MOSQ_ERR_SUCCESS; + } +@@ -87,6 +109,10 @@ int mosquitto_sub_topic_check(const char *str) + { + char c = '\0'; + int len = 0; ++#ifdef WITH_BROKER ++ int hier_count = 0; ++#endif ++ + while(str && str[0]){ + if(str[0] == '+'){ + if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){ +@@ -97,11 +123,19 @@ int mosquitto_sub_topic_check(const char *str) + return MOSQ_ERR_INVAL; + } + } ++#ifdef WITH_BROKER ++ else if(str[0] == '/'){ ++ hier_count++; ++ } ++#endif + len++; + c = str[0]; + str = &str[1]; + } + if(len > 65535) return MOSQ_ERR_INVAL; ++#ifdef WITH_BROKER ++ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; ++#endif + + return MOSQ_ERR_SUCCESS; + } +@@ -110,6 +144,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len) + { + char c = '\0'; + size_t i; ++#ifdef WITH_BROKER ++ int hier_count = 0; ++#endif + + if(len > 65535) return MOSQ_ERR_INVAL; + +@@ -123,8 +160,16 @@ int mosquitto_sub_topic_check2(const char *str, size_t len) + return MOSQ_ERR_INVAL; + } + } ++#ifdef WITH_BROKER ++ else if(str[i] == '/'){ ++ hier_count++; ++ } ++#endif + c = str[i]; + } ++#ifdef WITH_BROKER ++ if(hier_count > TOPIC_HIERARCHY_LIMIT) return MOSQ_ERR_INVAL; ++#endif + + return MOSQ_ERR_SUCCESS; + } +diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h +index 25d4a5b..322c6a8 100644 +--- a/src/mosquitto_broker_internal.h ++++ b/src/mosquitto_broker_internal.h +@@ -73,6 +73,9 @@ Contributors: + + #define WEBSOCKET_CLIENT -2 + ++ ++#define TOPIC_HIERARCHY_LIMIT 200 ++ + /* ======================================== + * UHPA data types + * ======================================== */ +diff --git a/src/subs.c b/src/subs.c +index aae3266..c059874 100644 +--- a/src/subs.c ++++ b/src/subs.c +@@ -220,6 +220,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics) + int start, stop, tlen; + int i; + char *topic; ++ int count = 0; + + assert(subtopic); + assert(topics); +@@ -242,6 +243,7 @@ static int sub__topic_tokenise(const char *subtopic, struct sub__token **topics) + + stop = 0; + for(i=start; i TOPIC_HIERARCHY_LIMIT){ ++ /* Set limit on hierarchy levels, to restrict stack usage. */ ++ goto cleanup; ++ } ++ + return MOSQ_ERR_SUCCESS; + + cleanup: +-- +2.20.1 +