Summary: | Remote crash in Mosquitto 1.5 to 1.5.2 | |
---|---|---|---
Product: | Community | Reporter: | Roger Light <roger>
Component: | Vulnerability Reports | Assignee: | Security vulnerabilities reported against Eclipse projects <vulnerability.reports-inbox>
Status: | RESOLVED FIXED | QA Contact: |
Severity: | normal | |
Priority: | P3 | CC: | wayne.beaton
Version: | unspecified | Keywords: | security
Target Milestone: | --- | |
Hardware: | PC | |
OS: | Linux | |
URL: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543 | |
Whiteboard: | | |
Description
Roger Light
2018-09-20 10:33:30 EDT
We'll use CVE-2018-12543.

I'll need to know the versions affected (ranges are okay), a single sentence description of the issue, and a CWE to report this upstream.

Thanks Wayne. Versions are 1.5 to 1.5.2 inclusive.

If a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit.

CWE: https://cwe.mitre.org/data/definitions/617.html

I intend to release fixes for this today if all the packages are done. I will be announcing this bug at 2018-09-27 1100 UTC and have coordinated with projects that package mosquitto.

I'm a little late on this, sorry. I've created a pull request to have this published. https://github.com/CVEProject/cvelist/pull/1252
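The reachable-assertion pattern (CWE-617) described in this report, shown next to a hardened form, as an added example that is not part of the original thread and is not Mosquitto's source code. All function and enum names are hypothetical, and the sample topics are constructed.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; illustrative only, not Mosquitto's code. */
enum topic_root { ROOT_NORMAL, ROOT_SYS, ROOT_REJECT };

/* True when the first topic level is exactly "$SYS" ("$SYS" or "$SYS/..."). */
static int first_level_is_sys(const char *topic)
{
    return strncmp(topic, "$SYS", 4) == 0 &&
           (topic[4] == '\0' || topic[4] == '/');
}

/* Anti-pattern: the assert encodes "every '$' topic is $SYS", but the topic
 * comes from the client, so "$test/test" terminates the whole process. */
enum topic_root root_for_topic_asserting(const char *topic)
{
    if (topic[0] != '$') return ROOT_NORMAL;
    assert(first_level_is_sys(topic));  /* reachable from network input */
    return ROOT_SYS;
}

/* Hardened form: unexpected input becomes an error value that the caller
 * handles (for example by dropping the message), never a process exit. */
enum topic_root root_for_topic(const char *topic)
{
    if (topic == NULL || topic[0] == '\0') return ROOT_REJECT;
    if (topic[0] != '$') return ROOT_NORMAL;
    return first_level_is_sys(topic) ? ROOT_SYS : ROOT_REJECT;
}

int main(void)
{
    /* Constructed sample topics. */
    const char *samples[] = { "sensors/temp", "$SYS/broker/uptime",
                              "$SYSTEM/x", "$test/test" };
    static const char *names[] = { "normal", "$SYS", "reject" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], names[root_for_topic(samples[i])]);
    return 0;
}
```
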