Bug 1083912 – VUL-0: CVE-2017-7652: mosquitto: If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail.

Bug 1083912 - (CVE-2017-7652) VUL-0: CVE-2017-7652: mosquitto: If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail.

(CVE-2017-7652)
Summary:	VUL-0: CVE-2017-7652: mosquitto: If the broker has exhausted all of its free ...

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 15.0
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Marcus Rückert
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/201130/
Whiteboard:	CVSSv3:RedHat:CVE-2017-7652:5.3:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-03-05 09:33 UTC by Karol Babioch
Modified:	2018-03-06 00:27 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karol Babioch 2018-03-05 09:33:24 UTC

CVE-2017-7652

A vulnerability exists in Mosquitto versions 1.0 to 1.4.14 inclusive known as CVE-2017-7652.

If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. This results in many of the configuration options, including security options, being set to their default value. This means that authorisation and access control may no longer be in place.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7652

The fix addresses the problem by only copying the new configuration options to the in use configuration after a successful reload has taken place.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7652
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7652.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652

Comment 1 Karol Babioch 2018-03-05 09:33:47 UTC

http://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/

Comment 2 Karol Babioch 2018-03-05 09:35:23 UTC

Already fixed in Factory.