diff -Nru mosquitto-1.4.8/debian/changelog mosquitto-1.4.8/debian/changelog
--- mosquitto-1.4.8/debian/changelog 2017-05-31 02:20:29.000000000 +0100
+++ mosquitto-1.4.8/debian/changelog 2017-06-26 10:57:30.000000000 +0100
@@ -1,3 +1,13 @@
+mosquitto (1.4.8-1ubuntu0.16.04.2) xenial-security; urgency=low
+
+ * SECURITY UPDATE: Persistence file is world readable, which may expose
+ sensitive data (LP: #1700490).
+ - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to
+ restrict persistence file read access to owner.
+ - CVE-2017-9868
+
+ -- Roger A. Light Mon, 26 Jun 2017 09:31:02 +0100
+
 mosquitto (1.4.8-1ubuntu0.16.04.1) xenial-security; urgency=low
 * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
diff -Nru mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch
--- mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch 1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-9868.patch 2017-06-26 10:05:44.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix for CVE-207-9868.
+Author: Roger Light
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
+--- a/src/persist.c
++++ b/src/persist.c
+@@ -347,6 +347,10 @@
+ _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
+ return MOSQ_ERR_NOMEM;
+ }
++
++ /* Restrict access to persistence file. */
++ umask(0077);
++
+ snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
+ outfile[len] = '\0';
+ db_fptr = _mosquitto_fopen(outfile, "wb");
diff -Nru mosquitto-1.4.8/debian/patches/series mosquitto-1.4.8/debian/patches/series
--- mosquitto-1.4.8/debian/patches/series 2017-05-31 02:20:29.000000000 +0100
+++ mosquitto-1.4.8/debian/patches/series 2017-06-26 10:05:37.000000000 +0100
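Review bot: The `umask(0077)` added in the persist.c hunk is process-wide and is never restored, so every file the broker creates after its first persistence save inherits owner-only permissions, not just the persistence file this CVE is about. Capturing the previous mask and restoring it once the file exists keeps the fix scoped: `mode_t old_mask = umask(0077);` in place of the bare call, and `umask(old_mask);` immediately after the `db_fptr = _mosquitto_fopen(outfile, "wb");` line (permissions are fixed at creation, so restoring afterwards does not loosen the new file). The patch adds no include for `umask`; if persist.c does not already include `<sys/stat.h>`, that should be added alongside. The DEP-3 header `Description: Fix for CVE-207-9868.` drops a digit and should read `CVE-2017-9868` to match the changelog and the Origin URL. The enclosing function in persist.c starts and ends outside the hunk.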
@@ -6,3 +6,4 @@
 libdir.patch
 build-timestamp.patch
 mosquitto-1.4.8_cve-2017-7650.patch
+mosquitto-1.4.x_cve-2017-9868.patch