Bug 543626 - Possible Vulnerabilities in Eclipse paho.mqtt.c
Summary: Possible Vulnerabilities in Eclipse paho.mqtt.c
Status: RESOLVED FIXED
Alias: None
Product: Paho
Classification: IoT
Component: MQTT
Version: future
Hardware: All All
Importance: P3 normal
Target Milestone: 1.2
Assignee: Ian Craggs CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-01-20 11:00 EST by Or Peles CLA
Modified: 2021-05-03 15:45 EDT
CC List: 8 users

See Also:


Attachments
vulnerability report (453.32 KB, application/pdf)
2019-01-22 12:06 EST, Or Peles CLA

Description Or Peles CLA 2019-01-20 11:00:04 EST
We believe we have identified two security vulnerabilities in Eclipse paho.mqtt.c v1.3.0 (latest).

We would like to responsibly disclose them as soon as possible and voluntarily provide support throughout the process of fixing these issues.

What is the correct address to send a vulnerability report non-publicly?
We tried contacting security@eclipse.org directly 5 days ago and got no response.

Also, is there a relevant PGP key for sending the report encrypted?

Thanks in advance,
Or Peles
Vulnerability Research Team Leader at VDOO
Comment 1 Benjamin Cabé CLA 2019-01-21 14:40:16 EST
Thanks, Or!

I've now made the bug "committers-only" so that you can safely report your identified vulnerabilities and work with the Eclipse Paho team, cc'd, on getting it fixed.

Thanks so much for the report.
Comment 2 Or Peles CLA 2019-01-22 12:06:57 EST
Created attachment 277237
vulnerability report
Comment 3 Or Peles CLA 2019-01-22 12:15:55 EST
Thanks, Benjamin.

I've just attached the vulnerability report in PDF form. It includes 2 separate security issues: a heap overflow and a potential OOB write vulnerability.
Comment 4 Or Peles CLA 2019-01-31 08:08:14 EST
Has anyone looked at the report?
Comment 5 Ian Craggs CLA 2019-02-05 09:29:57 EST
Hi.  I've looked at the report.  My question is, why are these security vulnerabilities rather than issues which can be raised publicly?

I'm certain there are many ways of crashing the client library, and all of them could be characterized as causing a 'temporary denial of service'.

Thanks.
Comment 6 Frank Pagliughi CLA 2019-02-05 11:22:30 EST
I reassigned this to Ian as the issues are within the C library. But I agree, these can be raised in normal GitHub issues.

Nice report, though!
Comment 7 Ian Craggs CLA 2019-02-08 10:56:35 EST
Thanks for the update Frank!
Comment 8 Or Peles CLA 2019-02-28 10:22:59 EST
Hi again,

We consider these Denial of Service vulnerabilities as security vulnerabilities and would like to open CVE-IDs for them.
As Eclipse is a CNA for CVEs, would you kindly help us with the process of opening the CVEs? We'd be happy to provide the description and any needed details.

Thanks
Comment 10 Wayne Beaton CLA 2019-12-18 21:30:42 EST
The Eclipse Foundation's policy requires the disclosure of vulnerabilities after 90 days. I've removed the committers-only flag.

Project team members: instructions to have a CVE assigned are in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 11 Ian Craggs CLA 2021-05-03 15:45:43 EDT
I thought I'd dealt with this but evidently my retirement from IBM disrupted my train of thought.  Anyway, I was reminded recently here https://github.com/eclipse/paho.mqtt.c/issues/1084, and the fix for the first issue will be in the forthcoming release 1.3.9.  The second issue is not able to be reached in practice so I don't intend to do anything about that.