mosquitto: CVE-2019-11779: Excess hierarchy characters on subscribe causes crash

Related Vulnerabilities: CVE-2019-11779  

Debian Bug report logs - #940654


Reported by: Roger Light <roger@atchoo.org>

Date: Wed, 18 Sep 2019 15:48:01 UTC

Severity: important

Tags: security, upstream

Found in versions mosquitto/1.6.4-1, mosquitto/1.5.7-1

Fixed in version mosquitto/1.6.6-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160



Report forwarded to debian-bugs-dist@lists.debian.org, roger@atchoo.org, Roger A. Light <roger@atchoo.org>:
Bug#940654; Package mosquitto. (Wed, 18 Sep 2019 15:48:03 GMT)


Acknowledgement sent to Roger Light <roger@atchoo.org>:
New Bug report received and forwarded. Copy sent to roger@atchoo.org, Roger A. Light <roger@atchoo.org>. (Wed, 18 Sep 2019 15:48:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Roger Light <roger@atchoo.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mosquitto: Excess hierarchy characters on subscribe causes crash
Date: Wed, 18 Sep 2019 15:45:37 +0000
Package: mosquitto
Version: 1.5.7
Severity: important
Tags: upstream

Dear Maintainer,

If a malicious MQTT client sends a SUBSCRIBE packet containing a topic
that consists of approximately 65400 or more '/' characters, i.e. the
topic hierarchy separator, then a stack overflow will occur.

This is a security vulnerability that has already been disclosed. It is
being tracked upstream at
https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160

The bug affects versions 1.5 to 1.6.5 inclusive.
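

As an added illustration (not code from the bug report, the attached debdiff, or the mosquitto source), the following C shows the defender-side gate the report implies: bound the number of hierarchy levels a SUBSCRIBE topic filter may contain before any per-level processing, counting levels iteratively so the check itself costs constant stack. `MAX_TOPIC_LEVELS` and all function names are assumptions for this example; the constructed input of 65400 '/' characters mirrors the shape of input described above and is not real traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for illustration only; it is not a mosquitto setting and
 * not the value used by the upstream fix. */
#define MAX_TOPIC_LEVELS 200

/* Number of hierarchy levels in an MQTT topic or topic filter: one more
 * than the count of '/' separators ("a/b/c" has 3, "/" has 2).
 * The loop is iterative, so stack usage is constant however long the
 * topic is. */
size_t topic_level_count(const char *topic)
{
    size_t levels = 1;
    for (const char *p = topic; *p != '\0'; p++) {
        if (*p == '/') {
            levels++;
        }
    }
    return levels;
}

/* Gate a SUBSCRIBE topic filter before it reaches any per-level
 * processing: reject NULL or empty filters and any filter deeper than
 * max_levels. Returns true when the filter may be processed further. */
bool subscribe_topic_acceptable(const char *topic, size_t max_levels)
{
    if (topic == NULL || topic[0] == '\0') {
        return false;
    }
    return topic_level_count(topic) <= max_levels;
}

/* Constructed test input: a topic made of n '/' characters, the shape of
 * input described in the report. Caller frees the result. */
char *make_slash_topic(size_t n)
{
    char *t = malloc(n + 1);
    if (t == NULL) {
        return NULL;
    }
    memset(t, '/', n);
    t[n] = '\0';
    return t;
}

/* Convenience wrapper: does the gate reject a topic of n '/' characters? */
bool gate_rejects_slash_topic(size_t n)
{
    char *t = make_slash_topic(n);
    if (t == NULL) {
        return false;
    }
    bool rejected = !subscribe_topic_acceptable(t, MAX_TOPIC_LEVELS);
    free(t);
    return rejected;
}

int main(void)
{
    const char *ordinary = "sensors/+/temperature";
    printf("%-24s levels=%zu accepted=%d\n", ordinary,
           topic_level_count(ordinary),
           subscribe_topic_acceptable(ordinary, MAX_TOPIC_LEVELS));
    printf("%zu x '/'  rejected=%d\n", (size_t)65400,
           gate_rejects_slash_topic(65400));
    return 0;
}
```

The point of placing the gate at the protocol boundary is that a rejected filter never reaches whatever walks the topic tree level by level, so the depth of that walk is bounded by configuration rather than by what a remote client chooses to send.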



Information forwarded to debian-bugs-dist@lists.debian.org, Roger A. Light <roger@atchoo.org>:
Bug#940654; Package mosquitto. (Wed, 18 Sep 2019 16:12:03 GMT)


Acknowledgement sent to Roger Light <roger@atchoo.org>:
Extra info received and forwarded to list. Copy sent to Roger A. Light <roger@atchoo.org>. (Wed, 18 Sep 2019 16:12:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Roger Light <roger@atchoo.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#940654: mosquitto: Excess hierarchy characters on subscribe causes crash
Date: Wed, 18 Sep 2019 17:09:21 +0100
Tags: patch

The attached debdiff fixes this bug.

A CVE has been assigned: CVE-2019-11779
[940654.debdiff (application/octet-stream, attachment)]

Changed Bug title to 'mosquitto: CVE-2019-11779: Excess hierarchy characters on subscribe causes crash' from 'mosquitto: Excess hierarchy characters on subscribe causes crash'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:04 GMT)


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:05 GMT)


Set Bug forwarded-to-address to 'https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:05 GMT)


Marked as found in versions mosquitto/1.5.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:06 GMT)


Marked as found in versions mosquitto/1.6.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:07 GMT)


No longer marked as found in versions 1.5.7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:07 GMT)


Marked as fixed in versions mosquitto/1.6.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:08 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2019 19:12:08 GMT)


Notification sent to Roger Light <roger@atchoo.org>:
Bug acknowledged by developer. (Wed, 18 Sep 2019 19:12:09 GMT)


Message sent on to Roger Light <roger@atchoo.org>:
Bug#940654. (Wed, 18 Sep 2019 19:12:13 GMT)


Message #31 received at 940654-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 940654-submitter@bugs.debian.org, team@security.debian.org
Subject: retitle 940654 to mosquitto: CVE-2019-11779: Excess hierarchy characters on subscribe causes crash ...
Date: Wed, 18 Sep 2019 21:09:04 +0200
retitle 940654 mosquitto: CVE-2019-11779: Excess hierarchy characters on subscribe causes crash
tags 940654 + security
forwarded 940654 https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160
found 940654 1.5.7-1
found 940654 1.6.4-1
notfound 940654 1.5.7
close 940654 1.6.6-1
thanks






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Sep 19 16:46:22 2019; Machine Name: buxtehude
