
Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1



Thanks for taking a look at this.

The application only creates this file and log files, so I don't
believe it should have any other impact.

Regards,

Roger


On 10 February 2018 at 09:07, Julien Cristau <jcristau@debian.org> wrote:
> Control: tag -1 moreinfo
>
> On Fri, Dec 22, 2017 at 23:47:34 +0000, Roger A. Light wrote:
>
>> +Description: Fix for CVE-207-9868.
>> +Author: Roger Light <roger@atchoo.org>
>> +Forwarded: not-needed
>> +Origin: upstream, https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
>> +--- a/src/persist.c
>> ++++ b/src/persist.c
>> +@@ -362,6 +362,10 @@
>> +             _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving in-memory database, out of memory.");
>> +             return MOSQ_ERR_NOMEM;
>> +     }
>> ++
>> ++    /* Restrict access to persistence file. */
>> ++    umask(0077);
>> ++
>> +     snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
>> +     outfile[len] = '\0';
>> +
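Review bot: The `umask(0077);` added just before the `snprintf(outfile, ...)` line changes the file mode creation mask for the whole process and discards the return value, so the previous mask is never restored and every file the process creates after this point is also limited to owner-only access. If the intent is only to restrict the persistence file, keep the old value (`mode_t old = umask(0077);`) and call `umask(old);` once the `.new` file has been opened, or create the file with an explicit 0600 mode via `open()` and leave the process mask alone. The hunk does not show an include for `<sys/stat.h>`, which declares `umask()`, so confirm persist.c already pulls it in. The `Description:` header reads "CVE-207-9868" while the `Origin:` URL says 2017-9868; the header should match.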
>
> Is this likely to negatively affect other files the application might
> create?
>
> Cheers,
> Julien

