We believe we have identified two security vulnerabilities in Eclipse paho.mqtt.c v1.3.0 (latest). We would like to responsibly disclose them as soon as possible and voluntarily provide support throughout the process of fixing these issues. What is the correct address for sending a vulnerability report non-publicly? We tried contacting security@eclipse.org directly 5 days ago and got no response. Also, is there a relevant PGP key for sending the report encrypted? Thanks in advance, Or Peles, Vulnerability Research Team Leader at VDOO
Thanks, Or! I've now made the bug "committers-only" so that you can safely report your identified vulnerabilities and work with the Eclipse Paho team, cc'd, on getting it fixed. Thanks so much for the report.
Created attachment 277237: vulnerability report
Thanks, Benjamin. I've just attached the vulnerability report in PDF form. It includes 2 separate security issues: a heap overflow and a potential OOB write vulnerability.
Has anyone looked at the report?
Hi. I've looked at the report. My question is, why are these security vulnerabilities rather than issues which can be raised publicly? I'm certain there are many ways of crashing the client library, and all of them could be characterized as causing a 'temporary denial of service'. Thanks.
I reassigned this to Ian as the issues are within the C library. But I agree, these can be raised in normal GitHub issues. Nice report, though!
Thanks for the update, Frank!
Hi again. We consider these Denial of Service vulnerabilities to be security vulnerabilities and would like to open CVE IDs for them. As Eclipse is a CNA for CVEs, would you kindly help us with the process of opening the CVEs? We'd be happy to provide the description and any needed details. Thanks
https://www.eclipse.org/projects/handbook/#vulnerability
The Eclipse Foundation's policy requires the disclosure of vulnerabilities after 90 days. I've removed the committers-only flag. Project team members: instructions to have a CVE assigned are in the handbook. https://www.eclipse.org/projects/handbook/#vulnerability-cve
I thought I'd dealt with this but evidently my retirement from IBM disrupted my train of thought. Anyway, I was reminded recently here https://github.com/eclipse/paho.mqtt.c/issues/1084, and the fix for the first issue will be in the forthcoming release 1.3.9. The second issue is not able to be reached in practice so I don't intend to do anything about that.