Mosquitto pattern ACLs can be circumvented with special client ids or usernames

Bug #1692818 reported by Roger Light on 2017-05-23
This bug affects 2 people
Affects: mosquitto (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

This issue will be disclosed as CVE-2017-7650.

It affects all versions currently packaged in Ubuntu. A fix is currently being tested and will be released as part of version 1.4.12 and as patches for earlier versions.

Could you please offer advice on how to deal with the packages in current versions of Ubuntu? Is that something I need to deal with or can the security team help?

Seth Arnold (seth-arnold) wrote :

Hello Roger, thanks for contacting us; because mosquitto is in universe it is community-supported -- anyone can provide us with debdiffs and we'll sponsor them into the archive.

You can find some more information about the process on https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation .

Thanks

Roger Light (roger.light) wrote :

These are my proposed patches for each of the current releases. They apply cleanly to the old versions, have been built and confirmed in the appropriate pbuilder. The bug is still private for the moment, I've still got more ducks to line up.

Seth Arnold (seth-arnold) wrote :

Beautiful patches Roger, thanks. Please let us know when to release and one of us will pick it up from there.

Thanks!

Roger Light (roger.light) wrote :

The plan is to release on Monday around noon.

Roger Light (roger.light) wrote :

Hello, this is going to be public in a very short amount of time so you can start to publish these new packages.

Changed in mosquitto (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.10-2ubuntu0.1

---------------
mosquitto (1.4.10-2ubuntu0.1) zesty-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-1.4.10_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light) Tue, 23 May 2017 22:14:40 +0100
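
The check this changelog entry describes, as a simplified model added here for illustration (it is not code from the mosquitto patch or from this bug report). `%c` and `%u` are the client id and username placeholders in mosquitto pattern ACLs; the function names, the reduced topic matcher and the sample topics are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Hardened check: '+', '#' and '/' have meaning in topic filters, so reject them. */
bool identity_is_safe(const char *id) {
    return id && *id && strpbrk(id, "+#/") == NULL;
}

/* Substitute %c (client id) and %u (username) into a pattern ACL. */
bool expand_pattern(const char *pat, const char *cid, const char *user,
                    char *out, size_t cap) {
    size_t n = 0;
    while (*pat) {
        const char *sub = NULL;
        if (pat[0] == '%' && pat[1] == 'c') sub = cid;
        if (pat[0] == '%' && pat[1] == 'u') sub = user;
        size_t len = sub ? strlen(sub) : 1;
        if (n + len >= cap) return false;
        memcpy(out + n, sub ? sub : pat, len);
        n += len;
        pat += sub ? 2 : 1;
    }
    out[n] = '\0';
    return true;
}

/* Reduced MQTT filter match: '+' is one level, a final '#' is the remainder. */
bool topic_matches(const char *filter, const char *topic) {
    while (*filter) {
        if (*filter == '#') return filter[1] == '\0';
        if (*filter == '+') {
            while (*topic && *topic != '/') topic++;
            filter++;
        } else if (*filter++ != *topic++) return false;
    }
    return *topic == '\0';
}

/* check_identity=false models the pre-fix behaviour; true models the fix. */
bool acl_allows(const char *pat, const char *cid, const char *user,
                const char *topic, bool check_identity) {
    char filter[256];
    if (check_identity && !(identity_is_safe(cid) && identity_is_safe(user)))
        return false;
    return expand_pattern(pat, cid, user, filter, sizeof filter)
        && topic_matches(filter, topic);
}
```

Without the identity check, the substituted value is interpreted as a wildcard once the pattern is expanded, which is why the fix rejects such identities outright rather than trying to escape them.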

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.8-1ubuntu0.16.10.1

---------------
mosquitto (1.4.8-1ubuntu0.16.10.1) yakkety-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light) Tue, 23 May 2017 22:14:40 +0100

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 0.15-2ubuntu1.1

---------------
mosquitto (0.15-2ubuntu1.1) trusty-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light) Tue, 23 May 2017 22:14:40 +0100

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released

Seth Arnold (seth-arnold) wrote :

Thanks Roger!
