Ubuntu
mosquitto package

Persistence file is world readable

Bug #1700490 reported by Roger Light
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mosquitto (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

If persistence is enabled (as it is by default on Ubuntu), the mosquitto.db file is world readable.

This means any local user can access this file and potentially access sensitive data.

This is CVE-2017-9868. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868

Upstream bug: https://github.com/eclipse/mosquitto/issues/468

This has already been publicly disclosed.

CVE References

Roger Light (roger.light)
information type: Private Security → Public Security
Revision history for this message
Roger Light (roger.light) wrote :
Revision history for this message
Roger Light (roger.light) wrote :
Revision history for this message
Roger Light (roger.light) wrote :
Revision history for this message
Roger Light (roger.light) wrote :
Revision history for this message
Roger Light (roger.light) wrote :

Artful is also affected, but I'm going to fix that with a new upstream release.

Changed in mosquitto (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Roger, does this persistence happen in a process dedicated to persistence? If not I fear this may introduce a regression by not putting the umask back afterwards.

(Granted the POSIX interfaces for this are pretty crummy.)

Thanks

Revision history for this message
Roger Light (roger.light) wrote :

A fair point... The only files that mosquitto can create are a pid file (if created then occurring before this call to umask), the persistence file and log files. Having the log files readable by all would probably be a bad thing as well.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Roger - The debdiffs looked pretty good to me. IIRC, I only had to make two small changes:

1) The Trusty debdiff's changelog entry didn't reference this bug
2) The Zesty debdiff's version needed to be adjusted from 1.4.10-1ubuntu0.2 to 1.4.10-2ubuntu0.2

I've uploaded the packages to the ubuntu-security-proposed PPA:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please comment on what amount of testing you've performed. If the builds go as expected and the testing is green, we'll get these updates published next week. Thanks!

Revision history for this message
Roger Light (roger.light) wrote :

Ok, thanks for the changes.

I've done build and runtime tests of the patches.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.10-2ubuntu0.2

---------------
mosquitto (1.4.10-2ubuntu0.2) zesty-security; urgency=low

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data (LP: #1700490).
    - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to
      restrict persistence file read access to owner.
    - CVE-2017-9868

 -- <email address hidden> (Roger A. Light) Mon, 26 Jun 2017 09:31:02 +0100

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.