Bug 539295 (CVE-2018-12543)

Summary: Remote crash in Mosquitto 1.5 to 1.5.2
Product: Community Reporter: Roger Light <roger>
Component: Vulnerability ReportsAssignee: Security vulnerabilitied reported against Eclipse projects <vulnerability.reports-inbox>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: wayne.beaton
Version: unspecifiedKeywords: security
Target Milestone: ---   
Hardware: PC   
OS: Linux   
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543
Whiteboard:

Description Roger Light CLA 2018-09-20 10:33:30 EDT 
It is possible to cause mosquitto versions 1.5 to 1.5.2 to crash by publishing to a topic that starts with $ but that is not $SYS, e.g. $TEST.

CVSS v2 score 6.8 : https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C)

CVSS v3 score 7.2 : https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C

Could I have a CVE assigned please?
Comment 1 Wayne Beaton CLA 2018-09-23 17:54:43 EDT 
We'll use CVE-2018-12543

I'll to know the versions affected (ranges are okay), a single sentence description of the issue, and a CWE to report this upstream.
Comment 2 Roger Light CLA 2018-09-25 04:20:27 EDT 
Thanks Wayne.

Versions are 1.5 to 1.5.2 inclusive.

If a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit.

CWE: https://cwe.mitre.org/data/definitions/617.html

I intend to release fixes for this today if all the packages are done.
Comment 3 Roger Light CLA 2018-09-27 06:00:01 EDT 
I will be announcing this bug at 2018-09-27 1100 UTC and have coordinated with projects that package mosquitto.
Comment 4 Wayne Beaton CLA 2018-11-07 10:44:34 EST 
I'm a little late on this, sorry.

I've created a pull request to have this published.

https://github.com/CVEProject/cvelist/pull/1252