Persistence file is world readable

Bug #1700490 reported by Roger Light on 2017-06-26
Affects Status Importance Assigned to Milestone
mosquitto (Ubuntu)
Undecided
Unassigned

Bug Description

If persistence is enabled (as it is by default on Ubuntu), the mosquitto.db file is world readable.

This means any local user can access this file and potentially access sensitive data.

This is CVE-2017-9868. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868

Upstream bug: https://github.com/eclipse/mosquitto/issues/468

This has already been publicly disclosed.

information type: Private Security → Public Security
Roger Light (roger.light) wrote :

Artful is also affected, but I'm going to fix that with a new upstream release.

Changed in mosquitto (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

Hello Roger, does this persistence happen in a process dedicated to persistence? If not I fear this may introduce a regression by not putting the umask back afterwards.

(Granted the POSIX interfaces for this are pretty crummy.)

Thanks

Roger Light (roger.light) wrote :

A fair point... The only files that mosquitto can create are a pid file (if created then occurring before this call to umask), the persistence file and log files. Having the log files readable by all would probably be a bad thing as well.

Tyler Hicks (tyhicks) wrote :

Hi Roger - The debdiffs looked pretty good to me. IIRC, I only had to make two small changes:

1) The Trusty debdiff's changelog entry didn't reference this bug
2) The Zesty debdiff's version needed to be adjusted from 1.4.10-1ubuntu0.2 to 1.4.10-2ubuntu0.2

I've uploaded the packages to the ubuntu-security-proposed PPA:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please comment on what amount of testing you've performed. If the builds go as expected and the testing is green, we'll get these updates published next week. Thanks!

Roger Light (roger.light) wrote :

Ok, thanks for the changes.

I've done build and runtime tests of the patches.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.10-2ubuntu0.2

---------------
mosquitto (1.4.10-2ubuntu0.2) zesty-security; urgency=low

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data (LP: #1700490).
    - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to
      restrict persistence file read access to owner.
    - CVE-2017-9868

 -- <email address hidden> (Roger A. Light) Mon, 26 Jun 2017 09:31:02 +0100

Changed in mosquitto (Ubuntu):
status: Confirmed → Fix Released
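
The umask question raised in the comments above, as an added example that is not part of the bug report or of the mosquitto patch: under a typical 022 umask it compares a plain fopen() create, a create with the umask tightened to 0077 and then restored, and open() with an explicit 0600 mode. The function names and the scratch directory under /tmp are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* Permission bits of an existing file, or -1 on error. */
static int file_mode(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}
/* fopen() requests 0666; the process umask decides which bits survive. */
static int create_with_fopen(const char *path) {
    FILE *f = fopen(path, "wb");
    return (f && fclose(f) == 0) ? file_mode(path) : -1;
}
/* Tighten the umask for this one create, then restore the previous value.
 * umask is process-wide, so other threads creating files are affected too. */
static int create_with_scoped_umask(const char *path) {
    mode_t old = umask(0077);
    int mode = create_with_fopen(path);
    umask(old);
    return mode;
}
/* No umask change: request 0600 directly, since umask can only clear bits. */
static int create_with_open_0600(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return (fd >= 0 && close(fd) == 0) ? file_mode(path) : -1;
}
/* Constructed demo, not mosquitto code: creates scratch files under a 022
 * umask. out: [0] fopen, [1] scoped umask, [2] open 0600, [3] fopen after. */
int demo(int out[4]) {
    char dir[64], p[4][96];
    snprintf(dir, sizeof dir, "/tmp/umask-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;   /* fails if the name is taken */
    mode_t saved = umask(022);
    for (int i = 0; i < 4; i++) snprintf(p[i], sizeof p[i], "%s/f%d.db", dir, i);
    out[0] = create_with_fopen(p[0]);
    out[1] = create_with_scoped_umask(p[1]);
    out[2] = create_with_open_0600(p[2]);
    out[3] = create_with_fopen(p[3]);
    for (int i = 0; i < 4; i++) unlink(p[i]);
    rmdir(dir);
    umask(saved);
    return 0;
}
int main(void) {
    int m[4];
    if (demo(m) != 0) return 1;
    printf("fopen %04o, scoped umask %04o, open 0600 %04o, fopen after %04o\n", m[0], m[1], m[2], m[3]);
    return 0;
}
```

The fourth result shows that restoring the umask returns later creates to the process default, so any other file that must stay private needs its own restricted create.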