diff --git a/CVE-2023-3592.patch b/CVE-2023-3592.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bbfc68c46eb059a4d40833425280271cffcacaea
--- /dev/null
+++ b/CVE-2023-3592.patch
@@ -0,0 +1,26 @@
+From 00b24e0eb0686e9a76feb71fdaee650cb7e612fa Mon Sep 17 00:00:00 2001
+From: "Roger A. Light"
+Date: Fri, 7 Jul 2023 23:41:04 +0100
+Subject: [PATCH] Fix memory leak when clients send v5 CONNECT packets.
+
+This occurs when they have a will message that contains invalid property
+types.
+---
+ src/property_broker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/property_broker.c b/src/property_broker.c
+index a2147d0..5e4bb38 100644
+--- a/src/property_broker.c
++++ b/src/property_broker.c
+@@ -101,6 +101,7 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a
+ break;
+
+ default:
++ msg->properties = msg_properties;
+ return MOSQ_ERR_PROTOCOL;
+ break;
+ }
+--
+2.30.0
+
diff --git a/mosquitto.spec b/mosquitto.spec
index d258d0cacd54556ac106b3d0fb8f3e855b26f783..d91c538ff90b3ea79b4d4125cb4f603f5757bd71 100644
--- a/mosquitto.spec
+++ b/mosquitto.spec
@@ -1,6 +1,6 @@
 Name: mosquitto
 Version: 1.6.15
-Release: 6
+Release: 7
 Summary: Open Source MQTT v3.1/v3.1.1 Broker
 License: BSD
 URL: http://mosquitto.org/
@@ -9,6 +9,8 @@ Patch0001: add-usage-output.patch
 Patch0002: fix-usage-exit-code.patch
 Patch0003: CVE-2021-41039.patch
 Patch0004: CVE-2021-34432.patch
+# https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa
+Patch0005: CVE-2023-3592.patch
 BuildRequires: c-ares-devel gcc-c++ libuuid-devel libwebsockets-devel openssl-devel
 BuildRequires: systemd-devel
 BuildRequires: make
@@ -92,6 +94,9 @@ exit 0
 %{_mandir}/man3/*.3.*
 %changelog
+* Wed Dec 27 2023 yaoxin - 1.6.15-7
+- Fix CVE-2023-3592
+
 * Thu Feb 24 2022 yaoxin - 1.6.15-6
 - Fix CVE-2021-34432 and modify the CVE-2021-41039.patch.
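Review bot: The added `msg->properties = msg_properties;` in the `default:` branch of `property__process_will` (a function that starts and ends outside the hunk) only closes the leak if the caller frees `msg->properties` when `MOSQ_ERR_PROTOCOL` comes back; that caller is not visible here, so the backport onto 1.6.15 should be checked against this tree's actual error path rather than assumed to match the tree the upstream commit was written for. The line also needs a why-comment, because handing a half-parsed property list back on an error return reads like a mistake without one: `/* hand the partially parsed list back so the caller frees it on error (CVE-2023-3592) */`. The patch's `From:` header has lost the author's e-mail address, so `git am` would record an incomplete author; restoring the upstream header is a small hygiene fix. A regression check is cheap: replay a v5 CONNECT whose will carries an unknown property identifier in a loop under ASan or valgrind and confirm the broker's memory stays flat.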