From: Titouan Christophe
To: buildroot@buildroot.org
Cc: Peter Korsgaard, Titouan Christophe
Date: Fri, 20 Sep 2019 11:10:37 +0200
Message-Id: <20190920091037.4015-1-titouan.christophe@railnova.eu>
Subject: [Buildroot] [PATCH-2019.02.x 1/1] package/mosquitto: security bump to v1.5.9
X-Patchwork-Submitter: Titouan Christophe
X-Patchwork-Id: 1165113

This is a backport of c5c106e4e362b7c657cf322e82ce7102e29313a1 into 2019.02

If a client sends a SUBSCRIBE packet containing a topic that consists of
approximately 65400 or more '/' characters, i.e. the topic hierarchy
separator, then a stack overflow will occur.

The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions
are available at https://mosquitto.org/files/cve/2019-hier

Signed-off-by: Titouan Christophe
---
 package/mosquitto/mosquitto.hash | 2 +-
 package/mosquitto/mosquitto.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/mosquitto/mosquitto.hash b/package/mosquitto/mosquitto.hash index 25b9910138..83b521aa83 100644 --- a/package/mosquitto/mosquitto.hash +++ b/package/mosquitto/mosquitto.hash 
@@ -1,5 +1,5 @@ # Locally calculated after checking gpg signature -sha256 78d7e70c3794dc3a1d484b4f2f8d3addebe9c2da3f5a1cebe557f7d13beb0da4 mosquitto-1.5.8.tar.gz +sha256 d7b62aa0ca680b0d869d6883373903362f98326a6465fc6cd01a0b9e0e8f0333 mosquitto-1.5.9.tar.gz # License files sha256 cc77e25bafd40637b7084f04086d606f0a200051b61806f97c93405926670bc1 LICENSE.txt diff --git a/package/mosquitto/mosquitto.mk b/package/mosquitto/mosquitto.mk index 51c0abd0ba..b6ee048cc6 100644 --- a/package/mosquitto/mosquitto.mk +++ b/package/mosquitto/mosquitto.mk @@ -4,7 +4,7 @@ # ################################################################################ -MOSQUITTO_VERSION = 1.5.8 +MOSQUITTO_VERSION = 1.5.9 MOSQUITTO_SITE = https://mosquitto.org/files/source MOSQUITTO_LICENSE = EPL-1.0 or EDLv1.0 MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v10 edl-v10
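Review bot: In package/mosquitto/mosquitto.hash, the new sha256 line for mosquitto-1.5.9.tar.gz sits under the unchanged comment "# Locally calculated after checking gpg signature", but nothing in the commit message says the signature check was repeated for the 1.5.9 tarball. Please confirm that the upstream signature was verified for this release before the hash was computed, so that the comment remains true for the value it now describes.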
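Review bot: In package/mosquitto/mosquitto.mk, the MOSQUITTO_VERSION bump to 1.5.9 is labelled a security bump, but the commit message identifies the issue only by a description of the SUBSCRIBE stack overflow and a URL. Please add the CVE identifier to the commit message so the fix can be tracked on the 2019.02.x branch, and say whether 1.5.9 carries any changes beyond the security fix, since this goes to a maintenance branch.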