CVE-2024-8376: use-after-free in shared subscription handling

Bug #2141738 reported by Titi Wangsa Damhore
Affects: mosquitto (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Eduardo Barretto | Milestone: (none)

Bug Description

This seems straightforward, but I ended up needing 3 patches for this one to work.

I built the source that came with `apt-get source mosquitto` and was able to crash it.

The CVE page https://www.cve.org/CVERecord?id=CVE-2024-8376 lists the github commit
https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17

So that patch did not fully work on its own because there was a change in the method signature for `sub__add` and `sub__remove`. We need to apply https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84 first. But that didn't fully solve the issue because it was also missing https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79

```
# 1. Fetch the three upstream commits as patch files
curl --silent https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84.patch -o ~/patch-1.patch
curl --silent https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79.patch -o ~/patch-2.patch
curl --silent https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17.patch -o ~/patch-3.patch

# 2. Apply in dependency order: the fix (patch-3) needs the sub__add/sub__remove
#    signature change (patch-1) and patch-2 to be in place first
patch -p1 < ~/patch-1.patch
patch -p1 < ~/patch-2.patch
# ChangeLog.txt does not apply to the Ubuntu source, so drop only that hunk
filterdiff -x '*/ChangeLog.txt' ~/patch-3.patch | patch -p1
```

No files were hand-edited. This was all just applying patches (and ignoring ChangeLog.txt).

I applied all 3 patches and built it and tested it on a multipass VM with Ubuntu 24.04 aarch64 running on an Apple M2.

```
dpkg-buildpackage -us -uc -b
```

The only file that could not be patched was ChangeLog.txt, so I used filterdiff to filter it out.

When it broke, the output looked something like this:
```
ubuntu@launchpad:~$ python3 poc-cve-2024-8376.py
Iteration 0: OK
Iteration 1: OK
Iteration 2: OK
Iteration 3: OK
Iteration 4: OK
Iteration 5: OK
Iteration 6: OK
Iteration 7: OK
Iteration 8: OK
Iteration 9: OK
Iteration 10: OK
Iteration 11: broker down - [Errno 32] Broken pipe
```

And when it was patched:
```
Iteration 94: OK
Iteration 95: OK
Iteration 96: OK
Iteration 97: OK
Iteration 98: OK
Iteration 99: OK
Broker survived all iterations
```

This was the config file:
```
$ cat /tmp/mosquitto_test.conf
listener 11883
allow_anonymous true
```

And this was how I started it:
```
./debian/mosquitto/usr/sbin/mosquitto -c /tmp/mosquitto_test.conf -v
```

The configuration `allow_anonymous true` was needed to crash it.

After the patch, the same config file and the same python script were used. It did not crash after it was patched.
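To make visible what the `filterdiff -x '*/ChangeLog.txt'` step does before piping into `patch`, here is an added example (not part of this report and not mosquitto code): a small Python filter that drops whole per-file diffs from a git format-patch file. It assumes the `diff --git a/... b/...` header convention and works on a constructed placeholder patch, not the real fix.

```python
"""Drop whole per-file diffs from a git format-patch file, like `filterdiff -x`.
Added example, not mosquitto code; the sample patch below is constructed."""
import fnmatch
import re

# Every per-file section of a git patch starts with a "diff --git" header.
DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.MULTILINE)

def filter_patch(patch_text, exclude_globs):
    """Return (filtered_patch, dropped_names).

    Globs are matched against the 'b/<path>' name from the header, so the
    '*/ChangeLog.txt' pattern from the report behaves as it does in filterdiff.
    The commit message and headers before the first diff are kept untouched.
    """
    starts = [m.start() for m in DIFF_HEADER.finditer(patch_text)]
    if not starts:  # nothing to filter (no per-file diffs found)
        return patch_text, []
    kept, dropped = [patch_text[:starts[0]]], []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(patch_text)
        section = patch_text[start:end]
        name = "b/" + DIFF_HEADER.match(section).group(2)
        if any(fnmatch.fnmatch(name, g) for g in exclude_globs):
            dropped.append(name)
        else:
            kept.append(section)
    return "".join(kept), dropped

# Constructed sample in git format-patch shape; hunk contents are placeholders.
SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
Subject: [PATCH] constructed sample, not the real CVE-2024-8376 fix

diff --git a/ChangeLog.txt b/ChangeLog.txt
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1 +1,2 @@
 Changes
+- placeholder changelog entry
diff --git a/src/subs.c b/src/subs.c
--- a/src/subs.c
+++ b/src/subs.c
@@ -1,2 +1,2 @@
-/* placeholder old line */
+/* placeholder new line */
 int unchanged;
"""
```

Calling `filter_patch(SAMPLE_PATCH, ["*/ChangeLog.txt"])` returns the patch with only the `src/subs.c` section left, plus the list of dropped names; the result can be written to a file and fed to `patch -p1` like the filterdiff output.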

Titi Wangsa Damhore (twd425) wrote :
information type: Private Security → Public Security
Titi Wangsa Damhore (twd425) wrote :
Eduardo Barretto (ebarretto) wrote :

Hi Titi,

Could you please fix the debdiff to have the following version:
2.0.18-1ubuntu0.1

Also change noble in the changelog, to noble-security.

Titi Wangsa Damhore (twd425) wrote :

Updated...

Changed in mosquitto (Ubuntu):
assignee: nobody → Eduardo Barretto (ebarretto)
Eduardo Barretto (ebarretto) wrote :

Hi Titi,

Could you please break the patch into 3 patches.
Whenever there's more than one patch that needs to be applied, we import them separately and just name them CVE-YYYY-XXXX-N.patch, with N being a counter from 1 to ...

Titi Wangsa Damhore (twd425) wrote :

Updated with v3
