Fix CVE-2023-3592

(cherry picked from commit d9a61f0cff06ec6021517835613784d976ef4109)

CVE-2023-3592.patch

@@ -0,0 +1,26 @@
+From 00b24e0eb0686e9a76feb71fdaee650cb7e612fa Mon Sep 17 00:00:00 2001
+From: "Roger A. Light" <roger@atchoo.org>
+Date: Fri, 7 Jul 2023 23:41:04 +0100
+Subject: [PATCH] Fix memory leak when clients send v5 CONNECT packets.
+
+This occurs when they have a will message that contains invalid property
+types.
+---
+ src/property_broker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/property_broker.c b/src/property_broker.c
+index a2147d0..5e4bb38 100644
+--- a/src/property_broker.c
++++ b/src/property_broker.c
+@@ -101,6 +101,7 @@ int property__process_will(struct mosquitto *context, struct mosquitto_message_a
+ 				break;
+ 
+ 			default:
++				msg->properties = msg_properties;
+ 				return MOSQ_ERR_PROTOCOL;
+ 				break;
+ 		}
+-- 
+2.30.0
+

mosquitto.spec

@@ -1,6 +1,6 @@
 Name:                mosquitto
 Version:             1.6.15
-Release:             6
+Release:             7
 Summary:             Open Source MQTT v3.1/v3.1.1 Broker
 License:             BSD
 URL:                 http://mosquitto.org/
@@ -9,6 +9,8 @@ Patch0001:           add-usage-output.patch
 Patch0002:           fix-usage-exit-code.patch
 Patch0003:	     CVE-2021-41039.patch
 Patch0004:           CVE-2021-34432.patch
+# https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa
+Patch0005:           CVE-2023-3592.patch
 BuildRequires:       c-ares-devel gcc-c++ libuuid-devel libwebsockets-devel openssl-devel
 BuildRequires:       systemd-devel
 BuildRequires:       make
@@ -92,6 +94,9 @@ exit 0
 %{_mandir}/man3/*.3.*
 
 %changelog
+* Wed Dec 27 2023 yaoxin <yao_xin001@hoperun.com> - 1.6.15-7
+- Fix CVE-2023-3592
+
 * Thu Feb 24 2022 yaoxin <yaoxin30@huawei.com> - 1.6.15-6
 - Fix CVE-2021-34432 and modify the CVE-2021-41039.patch.