Debian has issued an advisory on November 17:
https://www.debian.org/security/2019/dsa-4570

The issue is fixed upstream in 1.6.6.
Done!
CC: (none) => geiger.david68210
Advisory:
========================

Updated mosquitto packages fix security vulnerability:

A vulnerability was discovered in mosquitto, allowing a malicious MQTT client to cause a denial of service (stack overflow and daemon crash), by sending a specially crafted SUBSCRIBE packet containing a topic with an extremely deep hierarchy (CVE-2019-11779).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11779
https://www.debian.org/security/2019/dsa-4570
========================

Updated packages in core/updates_testing:
========================
mosquitto-1.6.6-1.mga7
libmosquitto1-1.6.6-1.mga7
libmosquittopp1-1.6.6-1.mga7
libmosquitto-devel-1.6.6-1.mga7

from mosquitto-1.6.6-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Mageia 7, x86_64.

Starting to explore this, before updating. Discovered that MQTT is an important packet protocol in the IOT. See http://www.steves-internet-guide.com/mqtt/.

Downloaded the example mclient.py client module and a sample script to compose a packet. Started the MQTT broker on the local machine (it is an /sbin command):

$ sudo mosquitto -d

Ran the sample script to send the packet through port 1883 (I think) but don't know how to interrogate the broker to see what is happening. Wireshark is mentioned for inspecting packets but again I know little about wireshark or exactly how to find the sent packet.

$ cat client.py
import mclient as mqtt  # import the client1
broker_address = "192.168.1.62"
#broker_address="iot.eclipse.org"  # use external broker
client = mqtt.Client( "P1" )  # create new instance
client.connect( broker_address )  # connect to broker
client.publish( "house/main-light", "OFF" )  # publish

$ python client.py
('length of packet is', 16)
('sending command ', '0x10', ' sending flags =', 0)
('sending ', bytearray(b'\x10\x0e\x00\x04MQTT\x04\x02\x00<\x00\x02P1'))
('length of packet is', 23)
('sending command ', '0x30', ' sending flags =', 0)
('sending ', bytearray(b'0\x15\x00\x10house/main-lightOFF'))

Leaving it there for now. Updating later.
CC: (none) => tarazed25
Continuing from comment 3:

Updated the four packages. Had a look at mosquitto.conf, which runs to 956 lines, and changed a few of the entries from the defaults. The man pages contain several entries for mosquitto, which contain a lot of information. It would be a career job to absorb all that information.

$ sudo systemctl start vnstat

Started the mosquitto server

$ sudo mosquitto -d
$ python client.py
('length of packet is', 16)
('sending command ', '0x10', ' sending flags =', 0)
('sending ', bytearray(b'\x10\x0e\x00\x04MQTT\x04\x02\x00<\x00\x02P1'))
('length of packet is', 23)
('sending command ', '0x30', ' sending flags =', 0)
('sending ', bytearray(b'0\x15\x00\x10house/main-lightOFF'))

Started vnstat in a terminal

$ vnstat -5 0

 enp0s31f6  /  5 minute

         time        rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     2019-11-28
         10:50      9.82 MiB |  147.47 KiB |    9.96 MiB |  278.62 kbit/s
         10:55      1.43 MiB |  174.02 KiB |    1.60 MiB |   44.60 kbit/s
         11:00      4.82 KiB |    1.69 KiB |    6.51 KiB |      888 bit/s
     ------------------------+-------------+-------------+---------------

The last transaction looks like it might be the packet just sent; the time is correct and the small size seems significant.

These are extremely elementary tests, all in the local loop, but at least they run and do not break. Giving this the 64-bit OK.
Whiteboard: (none) => MGA7-64-OK
A PoC for this could be generated but it involves a subscription packet containing more than 65400 '/' topic separators. Might try it sometime.
And a correction. The vnstat entries are a summary of total traffic over five minute intervals so the entry does not necessarily identify the MQTT packet. It really needs something like wireshark.
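Added example, not part of the original bug report and not mosquitto's own code: a Python 3 check that pulls topic names and filters out of MQTT 3.1.1 PUBLISH and SUBSCRIBE packets and flags any whose hierarchy is deeper than a limit, which is the property CVE-2019-11779 turns on. MAX_LEVELS, the function names and the two SUBSCRIBE packets are assumptions constructed for illustration; the PUBLISH bytes are the ones client.py printed in the comments above.

```python
MAX_LEVELS = 32  # assumed policy threshold for this example, not a mosquitto value

def remaining_length(buf, pos=1):
    """Decode MQTT's variable-length 'remaining length'; return (value, next_pos)."""
    value = 0
    for shift in (0, 7, 14, 21):
        if pos >= len(buf):
            raise ValueError("truncated fixed header")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:          # high bit clear: last length byte
            return value, pos
    raise ValueError("remaining length exceeds 4 bytes")

def read_string(buf, pos, end):
    """Read one 2-byte-length-prefixed string field; return (raw_bytes, next_pos)."""
    n = int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > end or pos + 2 + n > end:
        raise ValueError("string field runs past end of packet")
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n

def topics(packet):
    """Topic names/filters carried by a PUBLISH (type 3) or SUBSCRIBE (type 8) packet."""
    ptype = packet[0] >> 4
    length, pos = remaining_length(packet)
    end = pos + length
    if end > len(packet):
        raise ValueError("truncated packet")
    if ptype == 3:                   # PUBLISH: the topic name is the first field
        return [read_string(packet, pos, end)[0]]
    found = []
    if ptype == 8:                   # SUBSCRIBE: packet id, then filter + QoS entries
        pos += 2
        while pos < end:
            topic, pos = read_string(packet, pos, end)
            found.append(topic)
            pos += 1                 # skip the requested-QoS byte
    return found

def too_deep(packet, limit=MAX_LEVELS):
    """Return the topics whose hierarchy has more than `limit` levels."""
    return [t for t in topics(packet) if t.count(b"/") + 1 > limit]

# PUBLISH is the packet printed by client.py; both SUBSCRIBE packets are constructed.
PUBLISH = b"0\x15\x00\x10house/main-lightOFF"
SUB_OK = b"\x82\x0a\x00\x01\x00\x05a/b/c\x00"                  # 3 levels
SUB_DEEP = b"\x82\x55\x00\x01\x00\x50" + b"a/" * 40 + b"\x00"  # 41 levels
```

Run over packets captured on port 1883, `too_deep()` returns an empty list for ordinary traffic such as the PUBLISH above and the offending filter for an over-deep SUBSCRIBE.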
Better than anything I could do, Len. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0345.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update fixed another issue:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2BTXFZTM5ZLXR6W3GRIYELKTHAYEFBGT/
http://mosquitto.org/blog/2019/04/version-1-6-2-released/

No CVE was assigned.

It also fixed CVE-2019-11778:
https://nvd.nist.gov/vuln/detail/CVE-2019-11778
http://mosquitto.org/blog/2019/09/version-1-6-6-released/
http://mosquitto.org/security/
*** Bug 25902 has been marked as a duplicate of this bug. ***