Bug#988109: buster-pu: package mqtt-client/1.14-1
Abhijith PA
abhijith at debian.org
Fri May 21 19:33:36 BST 2021
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: anbe at debian.org
Hello Stable release team,
I would like to update mqtt-client in buster for fixing CVE-2019-0222.
It is fixed in stretch, bullseye and sid. Right now stretch-security
has a newer version (1.14-1+9u1) than buster, breaking clean upgrades
to buster. CVE-2019-0222 is no-dsa, thus using pu. The Vcs field URL is also
updated.
Debdiff is attached. Please allow me to upload this fix to Buster.
--abhijith
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mqtt-client-1.14/debian/changelog mqtt-client-1.14/debian/changelog
--- mqtt-client-1.14/debian/changelog 2016-07-19 13:30:10.000000000 +0530
+++ mqtt-client-1.14/debian/changelog 2021-05-21 21:59:49.000000000 +0530
@@ -1,3 +1,13 @@
+mqtt-client (1.14-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to
+ broker Out of Memory exception making it unresponsive.
+ (Closes: #988109)
+ * Update Vcs-* URL in d/control.
+
+ -- Abhijith PA <abhijith at debian.org> Fri, 21 May 2021 21:59:49 +0530
+
mqtt-client (1.14-1) unstable; urgency=medium
* New upstream release
diff -Nru mqtt-client-1.14/debian/control mqtt-client-1.14/debian/control
--- mqtt-client-1.14/debian/control 2016-07-19 13:28:53.000000000 +0530
+++ mqtt-client-1.14/debian/control 2021-05-21 21:59:49.000000000 +0530
@@ -10,8 +10,8 @@
libmaven-bundle-plugin-java,
maven-debian-helper (>= 1.5)
Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/mqtt-client.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/mqtt-client.git
+Vcs-Git: https://salsa.debian.org/java-team/mqtt-client.git
+Vcs-Browser: https://salsa.debian.org/java-team/mqtt-client
Homepage: http://mqtt-client.fusesource.org
Package: libmqtt-client-java
diff -Nru mqtt-client-1.14/debian/patches/CVE-2019-0222.patch mqtt-client-1.14/debian/patches/CVE-2019-0222.patch
--- mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 1970-01-01 05:30:00.000000000 +0530
+++ mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 2021-05-21 21:59:02.000000000 +0530
@@ -0,0 +1,21 @@
+Description: CVE-2019-0222
+
+ unmarshalling corrupt MQTT frame can lead
+ to broker Out of Memory exception making it unresponsive.
+
+Author: Abhijith PA <abhijith at debian.org>
+
+diff --git a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+index 08fb8391abbbdb365310cda08373b3a7e4befc3e..a0a5e8ee4cec70d37b9c451e9f2bd02010107dfa 100644
+--- a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
++++ b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+@@ -62,6 +62,9 @@ public final class MessageSupport {
+
+ static protected UTF8Buffer readUTF(DataByteArrayInputStream is) throws ProtocolException {
+ int size = is.readUnsignedShort();
++ if (size < 0) {
++ throw new ProtocolException("Invalid message encoding");
++ }
+ Buffer buffer = is.readBuffer(size);
+ if (buffer == null || buffer.length != size) {
+ throw new ProtocolException("Invalid message encoding");
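Review bot: the new `size < 0` guard in readUTF only does anything if DataByteArrayInputStream.readUnsignedShort() can actually return a negative value on a truncated frame; a standard java.io.DataInput implementation returns 0..65535 or throws EOFException, in which case the added check is unreachable and the existing `buffer == null || buffer.length != size` test is what rejects a short frame. Please confirm in the patch description that hawtbuf's readUnsignedShort() returns a negative value when the two length bytes are missing (so the guard turns that into a ProtocolException before readBuffer is called), and add DEP-3 `Origin:` and `Bug:` headers pointing at the upstream commit and the CVE-2019-0222 tracker entry, since the patch carries an upstream `index` line but lists only the packager as Author.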
diff -Nru mqtt-client-1.14/debian/patches/series mqtt-client-1.14/debian/patches/series
--- mqtt-client-1.14/debian/patches/series 1970-01-01 05:30:00.000000000 +0530
+++ mqtt-client-1.14/debian/patches/series 2021-05-21 21:59:02.000000000 +0530
@@ -0,0 +1 @@
+CVE-2019-0222.patch