| Name | CVE-2019-11779 |
| Description | In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1972-1, DSA-4570-1 |
| Debian Bugs | 940654 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| mosquitto (PTS) | jessie, jessie (lts) | 1.3.4-2+deb8u4 | fixed |
| stretch (security), stretch (lts), stretch | 1.4.10-3+deb9u5 | fixed |
| buster (security), buster, buster (lts) | 1.5.7-1+deb10u1 | fixed |
| bullseye (security), bullseye | 2.0.11-1+deb11u1 | fixed |
| bookworm (security), bookworm | 2.0.11-1.2+deb12u1 | fixed |
| sid, trixie | 2.0.20-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160
https://github.com/eclipse/mosquitto/issues/1412
Introduced by: https://github.com/eclipse/mosquitto/commit/883af8af5379092097c6552a7a4a8c52409d2566 (v1.5)
Fixed by: https://github.com/eclipse/mosquitto/commit/106675093177335b18521bc0e5ad1d95343ad652 (1.6.6)
Fixed by: https://github.com/eclipse/mosquitto/commit/84681d9728ceb7f6ea2b6751b4d87200d8a62f14 (1.5.9)
https://mosquitto.org/blog/2019/09/version-1-6-6-released/
The issue manifests in versions 1.5.0 and onwards only, because some structs
increased in size enough to cause the stack overflow vulnerability for excessive
topic hierarchies. In earlier versions, the maximum possible hierarchy depth of
65535 wouldn't cause a stack overflow.