e478977071
Fixes the following security issues:

CVE-2018-12551: If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. Affects version 1.0 to 1.5.5 inclusive.

CVE-2018-12550: If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. Affects versions 1.0 to 1.5.5 inclusive.

CVE-2018-12546: If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option check_retain_source has been introduced to enforce checking of the retained message source on publish.

Add two upstream post-1.5.6 patches to fix a build error in the bridge code when ADNS is enabled and when building with older toolchains not defaulting to C99 mode.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
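The two file-parsing issues above (CVE-2018-12551 and CVE-2018-12550) are easy to check for on an existing deployment before or after upgrading. The following audit script is an added example and is not Mosquitto project code or part of this commit; it models the pre-1.5.6 password-file behaviour the advisory describes (every line becomes an entry, text before the first `:` is the username, a blank line is the empty username) and flags the lines that would be accepted that way. It assumes that password entries written by mosquitto_passwd in the 1.x series have the form `username:$6$<salt>$<hash>`, and that an ACL file's effective directives are `topic`, `user` and `pattern` lines; both assumptions are marked in the code, and all sample input is constructed.

```python
"""Audit Mosquitto 1.x password and ACL files for the conditions described in
CVE-2018-12551 and CVE-2018-12550.

Added example, not Mosquitto project code.  Assumptions are marked below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: shape of an entry written by mosquitto_passwd in the 1.x series,
# i.e. "username:$6$<base64 salt>$<base64 hash>".
_PASSWD_LINE = re.compile(r"^[^:\s]+:\$6\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")

# Assumption: the acl_file directives that actually define access rules.
_ACL_DIRECTIVES = ("topic", "user", "pattern")


@dataclass
class Finding:
    file: str
    line_no: int        # 1-based; 0 means "whole file"
    problem: str
    content: str


def model_legacy_passwd_parse(text: str) -> List[Tuple[str, Optional[str]]]:
    """Illustration of the pre-1.5.6 behaviour the advisory describes, not
    Mosquitto's parser: every line becomes an entry, the text before the first
    ':' is the username, and a line with no ':' (including a blank line) yields
    a username with no password at all."""
    entries = []
    for line in text.splitlines():
        user, sep, password = line.partition(":")
        entries.append((user, password if sep else None))
    return entries


def audit_password_file(text: str, name: str = "passwd") -> List[Finding]:
    """Flag every line that a pre-1.5.6 broker would accept as a credential
    even though mosquitto_passwd would never have written it."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            findings.append(Finding(name, n, "blank line: accepted as the empty username with no password", line))
        elif ":" not in line:
            findings.append(Finding(name, n, "no ':' separator: whole line accepted as a username with no password", line))
        elif not _PASSWD_LINE.match(line):
            findings.append(Finding(name, n, "entry not in mosquitto_passwd format", line))
    return findings


def audit_acl_file(text: str, name: str = "acl") -> List[Finding]:
    """Report an ACL file that contains no effective directive: a pre-1.5.6
    broker treats such a file as undefined and denies no topic access."""
    findings = []
    effective = 0
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == "" or stripped.startswith("#"):
            continue
        if stripped.split()[0] in _ACL_DIRECTIVES:
            effective += 1
        else:
            findings.append(Finding(name, n, "unrecognised ACL directive", line))
    if effective == 0:
        findings.append(Finding(name, 0, "no directives at all: treated as undefined, nothing is denied", ""))
    return findings


# Constructed sample input (the hash is a placeholder, not a real digest).
SAMPLE_PASSWD = (
    "alice:$6$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNo\n"
    "\n"                    # blank line -> empty username, no password
    "bob\n"                 # no ':' -> username "bob", no password
    "carol:plaintext\n"     # not what mosquitto_passwd writes
)
SAMPLE_ACL_EMPTY = "# every rule commented out\n\n# topic read sensors/#\n"
SAMPLE_ACL_OK = "user alice\ntopic readwrite sensors/#\n"


if __name__ == "__main__":
    for f in audit_password_file(SAMPLE_PASSWD) + audit_acl_file(SAMPLE_ACL_EMPTY):
        print(f"{f.file}:{f.line_no}: {f.problem}" + (f" [{f.content}]" if f.content else ""))
```

Run it against the real files (`audit_password_file(open(path).read())`) on a 1.0 to 1.5.5 broker, remove or regenerate every flagged password line with mosquitto_passwd, and make sure the ACL file carries at least one real directive. The retained-message issue (CVE-2018-12546) is not a file-format problem and is handled by the new `check_retain_source` option the commit message mentions.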
From 04e89450c0aeb0e6fdff58aca3cffce10b29fb98 Mon Sep 17 00:00:00 2001
From: "Roger A. Light" <roger@atchoo.org>
Date: Sat, 9 Feb 2019 13:52:09 +0000
Subject: [PATCH] Don't require C99 compiler.
[Peter: drop ChangeLog.txt modification]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/persist.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/persist.c b/src/persist.c
index 2f40086..13b34d2 100644
--- a/src/persist.c
+++ b/src/persist.c
@@ -720,6 +720,7 @@ static int persist__msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fp
struct mosquitto_msg_store *stored = NULL;
struct mosquitto_msg_store_load *load;
char *err;
+ int i;
payload.ptr = NULL;
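Review bot: the function-scope `int i;` is the right fix for a pre-C99 toolchain, but it only covers the one loop touched by this patch; since the stated goal is "Don't require C99 compiler", it is worth building persist.c once with `-std=gnu89 -Wdeclaration-after-statement` to confirm there is no other `for(int ...` or declaration-after-statement left in the file, otherwise the build error just moves to the next one.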
@@ -749,7 +750,7 @@ static int persist__msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fp
read_e(db_fptr, &i16temp, sizeof(uint16_t));
source_port = ntohs(i16temp);
if(source_port){
- for(int i=0; i<db->config->listener_count; i++){
+ for(i=0; i<db->config->listener_count; i++){
if(db->config->listeners[i].port == source_port){
source.listener = &db->config->listeners[i];
break;
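Review bot: the rewritten loop is behaviour-preserving (only the declaration of `i` moved out of the for-header), so nothing functional to flag in this hunk. One pre-existing point worth a code comment while touching the loop: `db->config->listeners[i].port == source_port` followed by `break` attributes the restored message to the first listener whose port matches, so with two listeners on the same port bound to different addresses `source.listener` may not be the listener the message actually arrived on.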
--
2.11.0