-rw-r--r--main/mosquitto/APKBUILD15
-rw-r--r--main/mosquitto/CVE-2021-34432.patch61
2 files changed, 72 insertions, 4 deletions
diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD
index 52e54089ca..b6eb1b88f1 100644
--- a/main/mosquitto/APKBUILD
+++ b/main/mosquitto/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mosquitto
pkgver=1.6.8
-pkgrel=0
+pkgrel=1
pkgdesc="An Open Source MQTT v3.1 Message Broker"
url="https://mosquitto.org/"
arch="all"
@@ -17,9 +17,13 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs++:_pp $pkgname-openrc
source="http://mosquitto.org/files/source/mosquitto-$pkgver.tar.gz
config.patch
disable-ci-tests.patch
- mosquitto.initd"
+ mosquitto.initd
+ CVE-2021-34432.patch
+ "
# secfixes:
+# 1.6.8-r1:
+# - CVE-2021-34432
# 1.6.7-r0:
# - CVE-2019-11779
# 1.5.6-r0:
@@ -87,7 +91,10 @@ clients() {
mv "$pkgdir"/usr/bin/mosquitto_[ps]ub "$subpkgdir"/usr/bin/
}
-sha512sums="c15897df4e0979ee29a1e67cc671f56db600a078e9eb0bea376248b3f53b13ceed36616ad3678e2c9e07d6834a6d75e4efca2c40086069c1546e0223be04c071 mosquitto-1.6.8.tar.gz
+sha512sums="
+c15897df4e0979ee29a1e67cc671f56db600a078e9eb0bea376248b3f53b13ceed36616ad3678e2c9e07d6834a6d75e4efca2c40086069c1546e0223be04c071 mosquitto-1.6.8.tar.gz
fb000f9fa1ef94cbf3811a23b5692c0c8f9e2df945959cef6005462715e99d6f75cf6b31bd496271ffc17634024aed986771a73962fef865c0d386f6c194fb33 config.patch
21df2006a5eb9e1248cf261e555ded8e80e79f2a2d2a55b1f8a153af7c0feb867f3b3bd71efbe4d8569e3031c65f3e144794724f012e7539244a9bd97b6b6bb3 disable-ci-tests.patch
-d5406c258351133d85fc90056d78286a0ed1defde90e68d84fa9a1d65244d2baef76fd30fd04855e4bf6fc87532ef8ff274a6b70564f09f69fc6d14b5106fef0 mosquitto.initd"
+d5406c258351133d85fc90056d78286a0ed1defde90e68d84fa9a1d65244d2baef76fd30fd04855e4bf6fc87532ef8ff274a6b70564f09f69fc6d14b5106fef0 mosquitto.initd
+5dfd7ac9a49284a08e75f36cea6ea7b5ed6126e5afb43ba4ecfe8efe38ddf6b15f52b1b1eff0b8901f065f0773595ed8f66757b70e12283a7d1a2e876b39f092 CVE-2021-34432.patch
+"
diff --git a/main/mosquitto/CVE-2021-34432.patch b/main/mosquitto/CVE-2021-34432.patch
new file mode 100644
index 0000000000..14037ba13c
--- /dev/null
+++ b/main/mosquitto/CVE-2021-34432.patch
@@ -0,0 +1,61 @@
+From 9b08faf0bdaf5a4f2e6e3dd1ea7e8c57f70418d6 Mon Sep 17 00:00:00 2001
+From: "Roger A. Light" <roger@atchoo.org>
+Date: Tue, 9 Feb 2021 14:09:53 +0000
+Subject: [PATCH] Fix mosquitto_{pub|sub}_topic_check() function returns.
+
+The would not return MOSQ_ERR_INVAL on topic == NULL.
+---
+ lib/util_topic.c | 19 ++++++++++++++++---
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/lib/util_topic.c b/lib/util_topic.c
+index fc24f0d1cb..62b531127c 100644
+--- a/lib/util_topic.c
++++ b/lib/util_topic.c
+@@ -54,6 +54,11 @@ int mosquitto_pub_topic_check(const char *str)
+ #ifdef WITH_BROKER
+ int hier_count = 0;
+ #endif
++
++ if(str == NULL){
++ return MOSQ_ERR_INVAL;
++ }
++
+ while(str && str[0]){
+ if(str[0] == '+' || str[0] == '#'){
+ return MOSQ_ERR_INVAL;
+@@ -81,7 +86,9 @@ int mosquitto_pub_topic_check2(const char *str, size_t len)
+ int hier_count = 0;
+ #endif
+
+- if(len > 65535) return MOSQ_ERR_INVAL;
++ if(str == NULL || len > 65535){
++ return MOSQ_ERR_INVAL;
++ }
+
+ for(i=0; i<len; i++){
+ if(str[i] == '+' || str[i] == '#'){
+@@ -115,7 +122,11 @@ int mosquitto_sub_topic_check(const char *str)
+ int hier_count = 0;
+ #endif
+
+- while(str && str[0]){
++ if(str == NULL){
++ return MOSQ_ERR_INVAL;
++ }
++
++ while(str[0]){
+ if(str[0] == '+'){
+ if((c != '\0' && c != '/') || (str[1] != '\0' && str[1] != '/')){
+ return MOSQ_ERR_INVAL;
+@@ -150,7 +161,9 @@ int mosquitto_sub_topic_check2(const char *str, size_t len)
+ int hier_count = 0;
+ #endif
+
+- if(len > 65535) return MOSQ_ERR_INVAL;
++ if(str == NULL || len > 65535){
++ return MOSQ_ERR_INVAL;
++ }
+
+ for(i=0; i<len; i++){
+ if(str[i] == '+'){
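Review bot: The carried patch's header still says `2 files changed, 21 insertions(+), 3 deletions(-)`, but only the `lib/util_topic.c` section (19 lines) is present, so part of upstream commit 9b08faf0 appears to have been trimmed without any record of it. A comment above the `source=` assignment in the APKBUILD would make the backport auditable, for example `# CVE-2021-34432.patch: upstream 9b08faf0, lib/util_topic.c part only`. On style, `mosquitto_pub_topic_check()` keeps `while(str && str[0]){` after the new `str == NULL` return, while `mosquitto_sub_topic_check()` drops the now-dead test; that matches what is carried here and is harmless, so the patch is best left as it is. All four function bodies continue outside the hunks shown, so this page cannot confirm how an empty but non-NULL topic is handled after the new guards.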