diff -Nru mosquitto-1.4.8/debian/changelog mosquitto-1.4.8/debian/changelog
--- mosquitto-1.4.8/debian/changelog 2017-06-30 17:33:23.000000000 -0400
+++ mosquitto-1.4.8/debian/changelog 2018-03-01 09:34:49.000000000 -0500
@@ -1,3 +1,9 @@
+mosquitto (1.4.8-1ubuntu0.16.04.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: upstream patch for CVE 2017-7651
+
+ -- Emmet Hikory Thu, 01 Mar 2018 09:34:49 -0500
+
 mosquitto (1.4.8-1ubuntu0.16.04.2) xenial-security; urgency=low

 * SECURITY UPDATE: Persistence file is world readable, which may expose
diff -Nru mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-7651.patch mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-7651.patch
--- mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-7651.patch 1969-12-31 19:00:00.000000000 -0500
+++ mosquitto-1.4.8/debian/patches/mosquitto-1.4.x_cve-2017-7651.patch 2018-03-01 09:33:16.000000000 -0500
@@ -0,0 +1,146 @@
+diff --git a/lib/memory_mosq.c b/lib/memory_mosq.c
+index dd3c50d..8094ba0 100644
+--- a/lib/memory_mosq.c
++++ b/lib/memory_mosq.c
+@@ -37,8 +37,32 @@ static unsigned long memcount = 0;
+ static unsigned long max_memcount = 0;
+ #endif
+
++#ifdef WITH_BROKER
++static size_t mem_limit = 0;
++void memory__set_limit(size_t lim)
++{
++#ifdef LINUX
++ struct rlimit r;
++
++ r.rlim_cur = lim;
++ r.rlim_max = lim;
++
++ setrlimit(RLIMIT_CPU, &r);
++
++ mem_limit = 0;
++#else
++ mem_limit = lim;
++#endif
++}
++#endif
++
+ void *_mosquitto_calloc(size_t nmemb, size_t size)
+ {
++#ifdef REAL_WITH_MEMORY_TRACKING
++ if(mem_limit && memcount + size > mem_limit){
++ return NULL;
++ }
++#endif
+ void *mem = calloc(nmemb, size);
+
+ #ifdef REAL_WITH_MEMORY_TRACKING
+@@ -64,6 +88,11 @@ void _mosquitto_free(void *mem)
+
+ void *_mosquitto_malloc(size_t size)
+ {
++#ifdef REAL_WITH_MEMORY_TRACKING
++ if(mem_limit && memcount + size > mem_limit){
++ return NULL;
++ }
++#endif
+ void *mem = malloc(size);
+
+ #ifdef REAL_WITH_MEMORY_TRACKING
+@@ -90,6 +119,11 @@ unsigned long _mosquitto_max_memory_used(void)
+
+ void *_mosquitto_realloc(void *ptr, size_t size)
+ {
++#ifdef REAL_WITH_MEMORY_TRACKING
++ if(mem_limit && memcount + size > mem_limit){
++ return NULL;
++ }
++#endif
+ void *mem;
+ #ifdef REAL_WITH_MEMORY_TRACKING
+ if(ptr){
+@@ -110,6 +144,11 @@ void *_mosquitto_realloc(void *ptr, size_t size)
+
+ char *_mosquitto_strdup(const char *s)
+ {
++#ifdef REAL_WITH_MEMORY_TRACKING
++ if(mem_limit && memcount + strlen(s) > mem_limit){
++ return NULL;
++ }
++#endif
+ char *str = strdup(s);
+
+ #ifdef REAL_WITH_MEMORY_TRACKING
+diff --git a/lib/memory_mosq.h b/lib/memory_mosq.h
+index 6e14d7f..0b8d71d 100644
+--- a/lib/memory_mosq.h
++++ b/lib/memory_mosq.h
+@@ -34,4 +34,8 @@ unsigned long _mosquitto_max_memory_used(void);
+ void *_mosquitto_realloc(void *ptr, size_t size);
+ char *_mosquitto_strdup(const char *s);
+
++#ifdef WITH_BROKER
++void
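Review bot: In lib/memory_mosq.c, `memory__set_limit()` passes the configured byte count to `setrlimit(RLIMIT_CPU, &r)`, which caps CPU seconds rather than memory, and then sets `mem_limit = 0`, so on a build where LINUX is defined none of the allocator guards added by this patch ever run. A broker configured with `memory_limit` would therefore get a CPU-time limit of that many seconds and no memory cap, and the `setrlimit` return value is ignored as well. If a resource limit is wanted, `RLIMIT_AS` with a checked return is the memory-related one; otherwise drop the branch and use `mem_limit = lim;` on every platform. In the same hunk the `_mosquitto_calloc` guard compares only `size`, so it should account for the whole request, e.g. `memcount + nmemb*size > mem_limit` after checking that the product cannot overflow; that function's body continues outside the hunk.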
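Review bot: In the `_mosquitto_realloc` hunk of lib/memory_mosq.c the guard adds the full new `size` to `memcount` although the existing block is presumably still counted there, so resizing an allocation can be refused while the net usage would stay under the limit. The old block's size appears to be handled only in the `if(ptr){` branch below, whose body is outside the hunk, so this should be confirmed against the full function. If the over-count is intended, a comment such as `/* conservative: counts the new size in full before the old block is released */` would document it. The `_mosquitto_strdup` hunk has the opposite slip: `strlen(s)` omits the terminating byte, so `strlen(s) + 1` matches what `strdup` allocates.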
memory__set_limit(size_t lim);
++#endif
++
+ #endif
+diff --git a/lib/net_mosq.c b/lib/net_mosq.c
+index e8097b6..6c9c5e2 100644
+--- a/lib/net_mosq.c
++++ b/lib/net_mosq.c
+@@ -1086,6 +1086,36 @@ int _mosquitto_packet_read(struct mosquitto *mosq)
+ * positive. */
+ mosq->in_packet.remaining_count *= -1;
+
++#ifdef WITH_BROKER
++ /* Check packet sizes before allocating memory.
++ * Will need modifying for MQTT v5. */
++ switch(mosq->in_packet.command & 0xF0){
++ case CONNECT:
++ if(mosq->in_packet.remaining_length > 327699){
++ return MOSQ_ERR_PROTOCOL;
++ }
++ break;
++
++ case PUBACK:
++ case PUBREC:
++ case PUBREL:
++ case PUBCOMP:
++ case UNSUBACK:
++ if(mosq->in_packet.remaining_length != 2){
++ return MOSQ_ERR_PROTOCOL;
++ }
++ break;
++
++ case PINGREQ:
++ case PINGRESP:
++ case DISCONNECT:
++ if(mosq->in_packet.remaining_length != 0){
++ return MOSQ_ERR_PROTOCOL;
++ }
++ break;
++ }
++#endif
++
+ if(mosq->in_packet.remaining_length > 0){
+ mosq->in_packet.payload = _mosquitto_malloc(mosq->in_packet.remaining_length*sizeof(uint8_t));
+ if(!mosq->in_packet.payload) return MOSQ_ERR_NOMEM;
+diff --git a/src/conf.c b/src/conf.c
+index 274140a..ee04650 100644
+--- a/src/conf.c
++++ b/src/conf.c
+@@ -1317,6 +1317,14 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
+ }else{
+ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty max_queued_messages value in configuration.");
+ }
++ }else if(!strcmp(token, "memory_limit")){
++ size_t lim;
++ if(_conf_parse_int(&token, "memory_limit", (int *)&lim, saveptr)) return MOSQ_ERR_INVAL;
++ if(lim < 0){
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid memory_limit value (%lu).", lim);
++ return MOSQ_ERR_INVAL;
++ }
++ memory__set_limit(lim);
+ }else if(!strcmp(token, "message_size_limit")){
+ if(_conf_parse_int(&token, "message_size_limit", (int *)&config->message_size_limit, saveptr)) return MOSQ_ERR_INVAL;
+ if(config->message_size_limit > MQTT_MAX_PAYLOAD){
diff -Nru
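Review bot: In lib/net_mosq.c the new `switch` has no `default:` case, so packet types it does not list (PUBLISH, SUBSCRIBE, UNSUBSCRIBE, CONNACK, SUBACK) still reach `_mosquitto_malloc(mosq->in_packet.remaining_length*sizeof(uint8_t))` with a length taken from the peer; whether those are bounded elsewhere is not visible in this hunk. An explicit `default: break;` with a comment naming where those types are limited would make the coverage reviewable. The literal `327699` should become a named constant with a comment giving its derivation from the CONNECT field sizes. `_mosquitto_packet_read` begins and ends outside the hunk.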
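Review bot: In src/conf.c the `memory_limit` branch declares `size_t lim;` uninitialised and hands `(int *)&lim` to `_conf_parse_int`, so where `size_t` is wider than `int` only part of the object is written and the value passed to `memory__set_limit()` includes indeterminate bytes. `lim < 0` can never be true for an unsigned type, so a negative setting is not rejected, and `%lu` does not match `size_t`. Parsing into an `int` fixes all three: declare `int lim;`, call `_conf_parse_int(&token, "memory_limit", &lim, saveptr)`, log with `%d`, and finish with `memory__set_limit((size_t)lim);` after the `lim < 0` check. `_config_read_file_core` starts and ends outside the hunk.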
mosquitto-1.4.8/debian/patches/series mosquitto-1.4.8/debian/patches/series
--- mosquitto-1.4.8/debian/patches/series 2017-06-30 17:33:23.000000000 -0400
+++ mosquitto-1.4.8/debian/patches/series 2018-03-01 09:34:42.000000000 -0500
@@ -7,3 +7,4 @@
 build-timestamp.patch
 mosquitto-1.4.8_cve-2017-7650.patch
 mosquitto-1.4.x_cve-2017-9868.patch
+mosquitto-1.4.x_cve-2017-7651.patch