Bug 255229 - net/mosquitto: NULL pointer dereference
Summary: net/mosquitto: NULL pointer dereference
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Craig Leres
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-19 16:45 UTC by Daniel Engberg
Modified: 2021-07-24 21:16 UTC (History)
4 users (show)

See Also:
joe: maintainer-feedback+


Attachments
patch (980 bytes, patch)
2021-07-24 19:45 UTC, Craig Leres
joe: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Engberg freebsd_committer freebsd_triage 2021-04-19 16:45:43 UTC
Security:
- CVE-2021-23980: If an authenticated client connected with MQTT v5 sent a
  malformed CONNACK message to the broker a NULL pointer dereference occurred,
  most likely resulting in a segfault.
  Affects versions 2.0.0 to 2.0.9 inclusive.

https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt

I think the easiest solution would be bumping it to 2.0.10
Comment 1 Li-Wen Hsu freebsd_committer freebsd_triage 2021-04-19 16:56:47 UTC
And we need an entry in vuxml.
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-07-24 17:05:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5baee87529e462e477cd6a1685cf3ad201ce332a

commit 5baee87529e462e477cd6a1685cf3ad201ce332a
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2021-07-24 16:59:42 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2021-07-24 16:59:42 +0000

    security/vuxml: Mark mosquitto >= 2.0.0, < 2.0.10 vulnerable as per:

        https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt

     - If an authenticated client connected with MQTT v5 sent a malformed
       CONNACK message to the broker a NULL pointer dereference occurred,
       most likely resulting in a segfault.

    PR:             255229
    Reported by:    Daniel Engberg

 security/vuxml/vuln-2021.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
Comment 3 Craig Leres freebsd_committer freebsd_triage 2021-07-24 19:45:07 UTC
Created attachment 226657 [details]
patch

Update to 2.0.10 (update MASTER_SITES to https while we're here).
Comment 4 Craig Leres freebsd_committer freebsd_triage 2021-07-24 19:47:43 UTC
The CVE referenced in the summary was incorrect.
Comment 5 commit-hook freebsd_committer freebsd_triage 2021-07-24 21:15:43 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e220d6ed93a7e736c1972c8a864737641d818067

commit e220d6ed93a7e736c1972c8a864737641d818067
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2021-07-24 21:14:01 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2021-07-24 21:14:01 +0000

    net/mosquitto: Update to 2.0.10 and solve NULL pointer dereference

        https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt

    This release fixes a DoS vulnerability:

     - If an authenticated client connected with MQTT v5 sent a malformed
       CONNACK message to the broker a NULL pointer dereference occurred,
       most likely resulting in a segfault.

    Other changes since 2.0.8:

     - Set `receive-maximum` to not exceed the `-C` message count in
       mosquitto_sub and mosquitto_rr, to avoid potentially lost messages.

     - Fix TLS-PSK mode not working with port 8883.

     - Fix possible socket leak. This would occur if a client was using
       `mosquitto_loop_start()`, then if the connection failed due to
       the remote server being inaccessible they called `mosquitto_loop_stop(,
       true)` and recreated the mosquitto object.

     - If an empty or invalid CA file was provided to the client library
       for verifying the remote broker, then the initial connection
       would fail but subsequent connections would succeed without
       verifying the remote broker certificate.

     - If an empty or invalid CA file was provided to the broker for
       verifying the remote broker for an outgoing bridge connection
       then the initial connection would fail but subsequent connections
       would succeed without verifying the remote broker certificate.

     - Fix encrypted bridge connections incorrectly connecting when
       `bridge_cafile` is empty or invalid.

     - Fix `tls_version` behaviour not matching documentation.

     - Fix messages to `$` prefixed topics being rejected.

     - Fix QoS 0 messages not being delivered when max_queued_bytes was
       configured.

     - Fix bridge increasing backoff calculation.

     - Improve handling of invalid combinations of listener address and
       bind interface configurations.

     - Fix `max_keepalive` option not applying to clients connecting
       with keepalive

     - Fix encrypted connections incorrectly connecting when the CA
       file passed to `mosquitto_tls_set()` is empty or invalid.  set
       to 0.

    PR:             255229
    Reported by:    Daniel Engberg
    Approved by:    joe@thrallingpenguin.com (maintainer)
    MFH:            2021Q3
    Security:       cc553d79-e1f0-4b94-89f2-bacad42ee826

 net/mosquitto/Makefile | 4 ++--
 net/mosquitto/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
Comment 6 Craig Leres freebsd_committer freebsd_triage 2021-07-24 21:16:34 UTC
Thanks for the bug report!