Merge branch 'fixes'

CMakeLists.txt

@@ -11,7 +11,7 @@ project(mosquitto)
 cmake_minimum_required(VERSION 2.8)
 # Only for version 3 and up. cmake_policy(SET CMP0042 NEW)
 
-set (VERSION 1.4.11)
+set (VERSION 1.4.12)
 
 if (WIN32)
  execute_process(COMMAND cmd /c echo %DATE% %TIME% OUTPUT_VARIABLE TIMESTAMP

ChangeLog.txt

@@ -1,3 +1,28 @@
+1.4.12 - 20170528
+=================
+
+Security:
+- Fix CVE-2017-7650, which allows clients with username or client id set to
+ '#' or '+' to bypass pattern based ACLs or third party plugins. The fix
+ denies message sending or receiving of messages for clients with a '#' or
+ '+' in their username or client id and if the message is subject to a
+ pattern ACL check or plugin check.
+ Patches for other versions are available at
+ https://mosquitto.org/files/cve/2017-7650/
+
+Broker:
+- Fix mosquitto.db from becoming corrupted due to client messages being
+ persisted with no stored message. Closes #424.
+- Fix bridge not restarting properly. Closes #428.
+- Fix unitialized memory in gets_quiet on Windows. Closes #426.
+- Fix building with WITH_ADNS=no for systems that don't use glibc. Closes
+ #415.
+- Fixes to readme.md.
+- Fix deprecation warning for OpenSSL 1.1. PR #416.
+- Don't segfault on duplicate bridge names. Closes #446.
+- Fix CVE-2017-7650.
+
+
 1.4.11 - 20170220
 =================
 

config.mk

@@ -86,7 +86,7 @@ WITH_SOCKS:=yes
 
 # Also bump lib/mosquitto.h, CMakeLists.txt,
 # installer/mosquitto.nsi, installer/mosquitto-cygwin.nsi
-VERSION=1.4.11
+VERSION=1.4.12
 TIMESTAMP:=$(shell date "+%F %T%z")
 
 # Client library SO version. Bump if incompatible API/ABI changes are made.
@@ -159,10 +159,6 @@ ifeq ($(UNAME),QNX)
  LIB_LIBS:=$(LIB_LIBS) -lsocket
 endif
 
-ifeq ($(UNAME),Linux)
- BROKER_LIBS:=$(BROKER_LIBS) -lanl
-endif
-
 ifeq ($(WITH_WRAP),yes)
  BROKER_LIBS:=$(BROKER_LIBS) -lwrap
  BROKER_CFLAGS:=$(BROKER_CFLAGS) -DWITH_WRAP

installer/mosquitto-cygwin.nsi

@@ -7,7 +7,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "mosquitto"
-!define VERSION 1.4.11
+!define VERSION 1.4.12
 OutFile "mosquitto-${VERSION}-install-cygwin.exe"
 
 InstallDir "$PROGRAMFILES\mosquitto"

installer/mosquitto.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "mosquitto"
-!define VERSION 1.4.11
+!define VERSION 1.4.12
 OutFile "mosquitto-${VERSION}-install-win32.exe"
 
 InstallDir "$PROGRAMFILES\mosquitto"

lib/mosquitto.h

@@ -45,7 +45,7 @@ extern "C" {
 
 #define LIBMOSQUITTO_MAJOR 1
 #define LIBMOSQUITTO_MINOR 4
-#define LIBMOSQUITTO_REVISION 11
+#define LIBMOSQUITTO_REVISION 12
 /* LIBMOSQUITTO_VERSION_NUMBER looks like 1002001 for e.g. version 1.2.1. */
 #define LIBMOSQUITTO_VERSION_NUMBER (LIBMOSQUITTO_MAJOR*1000000+LIBMOSQUITTO_MINOR*1000+LIBMOSQUITTO_REVISION)
 

lib/net_mosq.c

@@ -114,7 +114,9 @@ void _mosquitto_net_init(void)
 void _mosquitto_net_cleanup(void)
 {
 #ifdef WITH_TLS
- ERR_remove_state(0);
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ERR_remove_state(0);
+ #endif
  ENGINE_cleanup();
  CONF_modules_unload(1);
  ERR_free_strings();

readme.md

@@ -65,9 +65,9 @@ already be built. Use `make binary` to skip building the man pages, or install
 
 ### Build Dependencies
 
-* c-ares (libc-ares-dev on Debian based systems) - disable with `make WITH_DNS_SRV=no`
+* c-ares (libc-ares-dev on Debian based systems) - disable with `make WITH_SRV=no`
 * libuuid (uuid-dev) - disable with `make WITH_UUID=no`
-* libwebsockets (libwebsockets-dev) - enable with `make WITH_LIBWEBSOCKETS=yes`
+* libwebsockets (libwebsockets-dev) - enable with `make WITH_WEBSOCKETS=yes`
 * openssl (libssl-dev on Debian based systems) - disable with `make WITH_TLS=no`
 
 ## Credits

set-version.sh

@@ -2,7 +2,7 @@
 
 MAJOR=1
 MINOR=4
-REVISION=11
+REVISION=12
 
 sed -i "s/^VERSION=.*/VERSION=${MAJOR}.${MINOR}.${REVISION}/" config.mk
 

src/conf.c

@@ -916,6 +916,14 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
  if(reload) continue; // FIXME
  token = strtok_r(NULL, " ", &saveptr);
  if(token){
+ /* Check for existing bridge name. */
+ for(i=0; i<config->bridge_count; i++){
+ if(!strcmp(config->bridges[i].name, token)){
+ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate bridge name \"%s\".", token);
+ return MOSQ_ERR_INVAL;
+ }
+ }
+
  config->bridge_count++;
  config->bridges = _mosquitto_realloc(config->bridges, config->bridge_count*sizeof(struct _mqtt3_bridge));
  if(!config->bridges){

src/loop.c

@@ -246,7 +246,7 @@ int mosquitto_main_loop(struct mosquitto_db *db, mosq_sock_t *listensock, int li
  }else{
  if((context->bridge->start_type == bst_lazy && context->bridge->lazy_reconnect)
  || (context->bridge->start_type == bst_automatic && now > context->bridge->restart_t)){
-
+ context->bridge->restart_t = 0;
 #if defined(__GLIBC__) && defined(WITH_ADNS)
  if(context->adns){
  /* Waiting on DNS lookup */

src/mosquitto_passwd.c

@@ -230,6 +230,7 @@ int gets_quiet(char *s, int len)
  memset(s, 0, len);
  h = GetStdHandle(STD_INPUT_HANDLE);
  GetConsoleMode(h, &con_orig);
+ con_quiet = con_orig;
  con_quiet &= ~ENABLE_ECHO_INPUT;
  con_quiet |= ENABLE_LINE_INPUT;
  SetConsoleMode(h, con_quiet);

src/persist.c

@@ -79,6 +79,16 @@ static int mqtt3_db_client_messages_write(struct mosquitto_db *db, FILE *db_fptr
 
  cmsg = context->msgs;
  while(cmsg){
+ if(!strncmp(cmsg->store->topic, "$SYS", 4)
+ && cmsg->store->ref_count <= 1
+ && cmsg->store->dest_id_count == 0){
+
+ /* This $SYS message won't have been persisted, so we can't persist
+ * this client message. */
+ cmsg = cmsg->next;
+ continue;
+ }
+
  slen = strlen(context->id);
 
  length = htonl(sizeof(dbid_t) + sizeof(uint16_t) + sizeof(uint8_t) +

src/security.c

@@ -233,6 +233,21 @@ int mosquitto_acl_check(struct mosquitto_db *db, struct mosquitto *context, cons
  {
  username = context->username;
  }
+
+ /* Check whether the client id or username contains a +, # or / and if
+ * so deny access.
+ *
+ * Do this check for every message regardless, we have to protect the
+ * plugins against possible pattern based attacks.
+ */
+ if(username && strpbrk(username, "+#/")){
+ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", username);
+ return MOSQ_ERR_ACL_DENIED;
+ }
+ if(context->id && strpbrk(context->id, "+#/")){
+ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
+ return MOSQ_ERR_ACL_DENIED;
+ }
  return db->auth_plugin.acl_check(db->auth_plugin.user_data, context->id, username, topic, access);
  }
 }

src/security_default.c

@@ -261,6 +261,26 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, struct mosquitto *conte
  }
 
  acl_root = db->acl_patterns;
+
+ if(acl_root){
+ /* We are using pattern based acls. Check whether the username or
+ * client id contains a +, # or / and if so deny access.
+ *
+ * Without this, a malicious client may configure its username/client
+ * id to bypass ACL checks (or have a username/client id that cannot
+ * publish or receive messages to its own place in the hierarchy).
+ */
+ if(context->username && strpbrk(context->username, "+#/")){
+ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", context->username);
+ return MOSQ_ERR_ACL_DENIED;
+ }
+
+ if(context->id && strpbrk(context->id, "+#/")){
+ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
+ return MOSQ_ERR_ACL_DENIED;
+ }
+ }
+
  /* Loop through all pattern ACLs. */
  clen = strlen(context->id);
  while(acl_root){