In Mosquitto version 2.07 (also tested in 2.06), the server will crash if the client tries to send a PUBLISH packet with topic length = 0. This can be replicated with the following command:

echo 102b00044d5154540500003c0822000a110000000f00166d7174746f6f6c732d383739363736313532303132393d0900000621000a220005e000 | xxd -p -r | nc localhost 1883

It seems this was patched in version 2.08 due to the following commit. However, I have not seen this vulnerability reported anywhere.

https://github.com/eclipse/mosquitto/commit/9b08faf0bdaf5a4f2e6e3dd1ea7e8c57f70418d6
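An added example, not part of the original report and not Mosquitto's code or the fix in the linked commit: a pre-parse check for MQTT v5 PUBLISH packets of the kind a fuzz-triage script or filtering proxy could apply. It relies on the MQTT v5 rule that a zero-length Topic Name is a protocol error unless a Topic Alias property is present; the function names and the sample packets are constructed for illustration.

```python
FIXED = {0x01: 1, 0x02: 4, 0x23: 2}              # property id -> value size in bytes
STRINGS = {0x03: 1, 0x08: 1, 0x09: 1, 0x26: 2}   # property id -> length-prefixed fields
# Constructed QoS 0 packets: normal topic, empty topic, empty topic with Topic Alias.
SAMPLES = ["30080003612f62006869", "3003000000", "3006000003230001"]

def varint(buf, pos):  # MQTT variable byte integer -> (value, next position)
    value = 0
    for i in range(4):
        byte = buf[pos + i]                       # IndexError if the buffer ends early
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("variable byte integer longer than 4 bytes")

def check_publish(packet):
    """Return "ok", or the reason this v5 PUBLISH packet should be rejected."""
    try:
        if packet[0] >> 4 != 3:
            return "not a PUBLISH packet"
        remaining, pos = varint(packet, 1)
        end = pos + remaining
        if end > len(packet):
            return "malformed"
        topic_len = int.from_bytes(packet[pos:pos + 2], "big")
        # Skip the topic, plus the packet identifier that is present when QoS > 0.
        pos += 2 + topic_len + (2 if packet[0] & 0x06 else 0)
        props_len, pos = varint(packet, pos)
        props_end = pos + props_len
        has_alias = False
        while pos < props_end <= end:
            prop, pos = packet[pos], pos + 1
            if prop == 0x0B:                      # Subscription Identifier
                _, pos = varint(packet, pos)
            elif prop in FIXED:
                has_alias |= prop == 0x23         # Topic Alias
                pos += FIXED[prop]
            elif prop in STRINGS:
                for _ in range(STRINGS[prop]):
                    pos += 2 + int.from_bytes(packet[pos:pos + 2], "big")
            else:
                return "malformed"
        if pos != props_end or props_end > end:
            return "malformed"
    except (IndexError, ValueError):
        return "malformed"
    if topic_len == 0 and not has_alias:
        return "zero-length topic without topic alias"
    return "ok"

if __name__ == "__main__":
    print([check_publish(bytes.fromhex(s)) for s in SAMPLES])
```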
/cc Eclipse Mosquitto Project lead. Roger, can you have a look, please?
I confirm that does look to have that effect. As I remember (and what it looks like), the fix was made in the context of those functions in the client library, so the fix in the broker is a happy result. That is why the vulnerability hasn't been reported anywhere. What's the best thing to do here?
Do we have any updates on this issue?
(In reply to Roger Light from comment #2)
> I confirm that does look to have that effect. As I remember (and what it
> looks like), the fix was made in the context of those functions in the
> client library, so the fix in the broker is a happy result. That is why the
> vulnerability hasn't been reported anywhere.
>
> What's the best thing to do here?

If the vulnerability exists in any version, we should issue a CVE. Should we just tweak the description that Bryan provided?

"In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0."
That looks fine to me, Wayne.
We'll use CVE-2021-34432. I've pushed a record to Mitre.
This can be closed now, the CVE is recorded and reported.