CVE-2019-11779

NameCVE-2019-11779
DescriptionIn Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1972-1, DSA-4570-1
Debian Bugs940654

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mosquitto (PTS)jessie, jessie (lts)1.3.4-2+deb8u4fixed
stretch (security), stretch (lts), stretch1.4.10-3+deb9u5fixed
buster (security), buster, buster (lts)1.5.7-1+deb10u1fixed
bullseye (security), bullseye2.0.11-1+deb11u1fixed
bookworm (security), bookworm2.0.11-1.2+deb12u1fixed
sid, trixie2.0.20-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mosquittosourcewheezy(unfixed)end-of-life
mosquittosourcejessie1.3.4-2+deb8u4DLA-1972-1
mosquittosourcestretch(not affected)
mosquittosourcebuster1.5.7-1+deb10u1DSA-4570-1
mosquittosource(unstable)1.6.6-1940654

Notes

[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160
https://github.com/eclipse/mosquitto/issues/1412
Introduced by: https://github.com/eclipse/mosquitto/commit/883af8af5379092097c6552a7a4a8c52409d2566 (v1.5)
Fixed by: https://github.com/eclipse/mosquitto/commit/106675093177335b18521bc0e5ad1d95343ad652 (1.6.6)
Fixed by: https://github.com/eclipse/mosquitto/commit/84681d9728ceb7f6ea2b6751b4d87200d8a62f14 (1.5.9)
https://mosquitto.org/blog/2019/09/version-1-6-6-released/
The issue manifests in versions 1.5.0 and onwards only, because some structs
increased in size enough to cause the stack overflow vulnerability for excessive
topic hierarchies. In earlier versions, the maximum possible hierarchy depth of
65535 wouldn't cause a stack overflow.

Search for package or bug name: Reporting problems