From 231048d9b3314a33f93647991dc803fdf5cc7ff7 Mon Sep 17 00:00:00 2001
From: Leonardo Arena <rnalrd@alpinelinux.org>
Date: Wed, 17 Apr 2019 14:38:46 +0000
Subject: main/mosquitto: security fixes (CVE-2018-12550, CVE-2018-12551)

Partially fixes #10269
---
 main/mosquitto/APKBUILD                            | 13 ++-
 .../mosquitto/mosquitto-1.4.x-cve-2018-12550.patch | 28 +++++++
 .../mosquitto/mosquitto-1.4.x-cve-2018-12551.patch | 94 ++++++++++++++++++++++
 3 files changed, 133 insertions(+), 2 deletions(-)
 create mode 100644 main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch
 create mode 100644 main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch

(limited to 'main/mosquitto')

diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD
index 04dbd89737..9be9820bd4 100644
--- a/main/mosquitto/APKBUILD
+++ b/main/mosquitto/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mosquitto
 pkgver=1.4.15
-pkgrel=3
+pkgrel=4
 pkgdesc="An Open Source MQTT v3.1 Broker"
 url="http://mosquitto.org/"
 arch="all"
@@ -18,10 +18,17 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname-openrc
 source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz
 	libressl.patch
 	config.patch
-	mosquitto.initd"
+	mosquitto-1.4.x-cve-2018-12550.patch
+	mosquitto-1.4.x-cve-2018-12551.patch
+
+	mosquitto.initd
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   1.4.15-r4:
+#     - CVE-2018-12550
+#     - CVE-2018-12551
 #   1.4.15-r0:
 #     - CVE-2017-7652
 #     - CVE-2017-7651
@@ -89,4 +96,6 @@ clients() {
 sha512sums="36b06547553cf28af3ca9b728c42fc27e849c4ae84d7964572d430233ab26e2b59eee2a215ac23ddf2d0bef419e7c70e64e2a22c397fadb3e0677314d03f1100  mosquitto-1.4.15.tar.gz
 53859b628f965b77f6e47910c0ceba2f2737b815131ed800dc64a80419e434d25b5ba0938ae645882e9aa5d475d4940c7d35cc6d56f54bc4937a66b32d7db4ad  libressl.patch
 d5442373ae6ae8bc83eee59b425fbd76e80f905b9fd2bd2ed2a37a7e156fe95a9cf477c9c4dac0975c5fd90e70884de6fb8a16aefcd37b239199d5deae50b7d2  config.patch
+58cf7211781c07d25ad555e982b66aca716230698ad239b964de073bb41dc2566d2c6fde379ded18106f704aba864859e36cb39c4c85762d00b5ed4f2b5cef58  mosquitto-1.4.x-cve-2018-12550.patch
+b1ba9d61ede7b7f0232811d6e2381a2943ed12a3c8b83ea2c2e1d3fce153260565f48ca900d4e0590688031013e1f425dfa8b1d89e0f1194516438b42dc158e2  mosquitto-1.4.x-cve-2018-12551.patch
 16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433  mosquitto.initd"
diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch
new file mode 100644
index 0000000000..c6a4d9406e
--- /dev/null
+++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch
@@ -0,0 +1,28 @@
+Description: Fix for CVE-2018-12550
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2018-12550/mosquitto-1.4.x_cve-2018-12550.patch
+Index: mosquitto-1.4.10/src/security_default.c
+===================================================================
+--- mosquitto-1.4.10.orig/src/security_default.c
++++ mosquitto-1.4.10/src/security_default.c
+@@ -231,7 +231,7 @@ int mosquitto_acl_check_default(struct m
+ 	char *s;
+ 
+ 	if(!db || !context || !topic) return MOSQ_ERR_INVAL;
+-	if(!db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS;
++	if(!db->config->acl_file && !db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS;
+ 	if(context->bridge) return MOSQ_ERR_SUCCESS;
+ 	if(!context->acl_list && !db->acl_patterns) return MOSQ_ERR_ACL_DENIED;
+ 
+@@ -442,6 +442,10 @@ static int _aclfile_parse(struct mosquit
+ 					fclose(aclfile);
+ 					return 1;
+ 				}
++			}else{
++				_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid line in acl_file \"%s\": %s.", db->config->acl_file, buf);
++				fclose(aclfile);
++				return 1;
+ 			}
+ 		}
+ 	}
diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch
new file mode 100644
index 0000000000..fee254dea8
--- /dev/null
+++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch
@@ -0,0 +1,94 @@
+Description: Fix for CVE-2018-12551
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2018-12551/mosquitto-1.4.x_cve-2018-12551.patch
+Index: mosquitto-1.4.10/src/security_default.c
+===================================================================
+--- mosquitto-1.4.10.orig/src/security_default.c
++++ mosquitto-1.4.10/src/security_default.c
+@@ -556,6 +556,9 @@ static int _pwfile_parse(const char *fil
+ 
+ 	while(!feof(pwfile)){
+ 		if(fgets(buf, 256, pwfile)){
++			if(buf[0] == '#') continue;
++			if(!strchr(buf, ':')) continue;
++
+ 			username = strtok_r(buf, ":", &saveptr);
+ 			if(username){
+ 				unpwd = _mosquitto_calloc(1, sizeof(struct _mosquitto_unpwd));
+@@ -588,8 +591,13 @@ static int _pwfile_parse(const char *fil
+ 						unpwd->password[len-1] = '\0';
+ 						len = strlen(unpwd->password);
+ 					}
++
++					HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
++				}else{
++					_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "Warning: Invalid line in password file '%s': %s", file, buf);
++					_mosquitto_free(unpwd->username);
++					_mosquitto_free(unpwd);
+ 				}
+-				HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
+ 			}
+ 		}
+ 	}
+@@ -626,34 +634,39 @@ static int _unpwd_file_parse(struct mosq
+ 				token = strtok(NULL, "$");
+ 				if(token){
+ 					rc = _base64_decode(token, &salt, &salt_len);
+-					if(rc){
+-						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s.", u->username);
+-						return MOSQ_ERR_INVAL;
+-					}
+-					u->salt = salt;
+-					u->salt_len = salt_len;
+-					token = strtok(NULL, "$");
+-					if(token){
+-						rc = _base64_decode(token, &password, &password_len);
+-						if(rc){
+-							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s.", u->username);
+-							return MOSQ_ERR_INVAL;
++					if(rc == MOSQ_ERR_SUCCESS && salt_len == 12){
++						u->salt = salt;
++						u->salt_len = salt_len;
++						token = strtok(NULL, "$");
++						if(token){
++							rc = _base64_decode(token, &password, &password_len);
++							if(rc == MOSQ_ERR_SUCCESS && password_len == 64){
++								_mosquitto_free(u->password);
++								u->password = (char *)password;
++								u->password_len = password_len;
++							}else{
++								_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s, removing entry.", u->username);
++								HASH_DEL(db->unpwd, u);
++							}
++						}else{
++							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
++							HASH_DEL(db->unpwd, u);
+ 						}
+-						_mosquitto_free(u->password);
+-						u->password = (char *)password;
+-						u->password_len = password_len;
+ 					}else{
+-						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
+-						return MOSQ_ERR_INVAL;
++						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s, removing entry.", u->username);
++						HASH_DEL(db->unpwd, u);
+ 					}
+ 				}else{
+-					_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
+-					return MOSQ_ERR_INVAL;
++					_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
++					HASH_DEL(db->unpwd, u);
+ 				}
+ 			}else{
+-				_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
+-				return MOSQ_ERR_INVAL;
++				_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
++				HASH_DEL(db->unpwd, u);
+ 			}
++		}else{
++			_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Missing password hash for user %s, removing entry.", u->username);
++			HASH_DEL(db->unpwd, u);
+ 		}
+ 	}
+ #endif
-- 
cgit v1.2.3