Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Thanks for taking a look at this.
The application only creates this file and log files, so I don't
believe it should have any other impact.
Regards,
Roger
On 10 February 2018 at 09:07, Julien Cristau <jcristau@debian.org> wrote:
> Control: tag -1 moreinfo
>
> On Fri, Dec 22, 2017 at 23:47:34 +0000, Roger A. Light wrote:
>
>> +Description: Fix for CVE-207-9868.
>> +Author: Roger Light <roger@atchoo.org>
>> +Forwarded: not-needed
>> +Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
>> +--- a/src/persist.c
>> ++++ b/src/persist.c
>> +@@ -362,6 +362,10 @@
>> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
>> + return MOSQ_ERR_NOMEM;
>> + }
>> ++
>> ++ /* Restrict access to persistence file. */
>> ++ umask(0077);
>> ++
>> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
>> + outfile[len] = '\0';
>> +
>
> Is this likely to negatively affect other files the application might
> create?
>
> Cheers,
> Julien
Reply to: