[Buildroot] [PATCH] package/zeromq: security bump to version 4.3.3

Peter Korsgaard peter at korsgaard.com
Tue Sep 15 17:48:15 UTC 2020


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
 >   unauthenticated clients.
 >   If a raw TCP socket is opened and connected to an endpoint that is fully
 >   configured with CURVE/ZAP, legitimate clients will not be able to exchange
 >   any message.  Handshakes complete successfully, and messages are delivered
 >   to the library, but the server application never receives them.  For more
 >   information see the security advisory:
 >   https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

 > - Stack overflow on server running PUB/XPUB socket (CURVE disabled).
 >   The PUB/XPUB subscription store (mtrie) is traversed using recursive
 >   function calls.  In the remove (unsubscription) case, the recursive calls
 >   are NOT tail calls, so even with optimizations the stack grows linearly
 >   with the length of a subscription topic.  Topics are under the control of
 >   remote clients - they can send a subscription to arbitrary length topics.
 >   An attacker can thus cause a server to create an mtrie sufficiently large
 >   such that, when unsubscribing, traversal will cause a stack overflow.  For
 >   more information see the security advisory:
 >   https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8

 > - Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
 >   Messages with metadata are never processed by PUB sockets, but the
 >   metadata is kept referenced in the PUB object and never freed.  For more
 >   information see the security advisory:
 >   https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw

 > - Memory leak in client induced by malicious server(s) without CURVE/ZAP.
 >   When a pipe processes a delimiter and is already not in active state but
 >   still has an unfinished message, the message is leaked.
 >   For more information see the security advisory:
 >   https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87

 > - Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
 >   By crafting a packet which is not valid ZMTP v2/v3, and which has two
 >   messages larger than 8192 bytes, the decoder can be tricked into changing
 >   the recorded size of the 8192 bytes static buffer, which then gets
 >   overflown by the next message.  The content that gets written in the
 >   overflown memory is entirely decided by the sender.
 >   For more information see the security advisory:
 >   https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6

 > Drop now upstreamed patches, autoreconf and reformat hash file with 2 space
 > delimiters.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2020.02.x, 2020.05.x and 2020.08.x, thanks.

-- 
Bye, Peter Korsgaard
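The mtrie stack overflow described in the quoted commit message is a general design lesson: recursing to a depth chosen by a remote peer turns the call stack into a resource the peer controls. The toy subscription trie below is an added illustration, not libzmq's mtrie and not the upstream fix; the class name `TopicTrie`, the helper `unsubscribe_outcome` and the topic lengths used are constructed for this example. It implements the same prefix-trie removal twice, once with non-tail recursion (stack depth grows with topic length, as the advisory describes) and once iteratively with an explicit path list (constant stack), so the two behaviours can be compared on a long topic.

```python
class TopicTrie:
    """Minimal prefix trie keyed on topic bytes (constructed illustration, not libzmq's mtrie)."""

    def __init__(self):
        self.children = {}   # next byte -> child node
        self.count = 0       # number of subscribers ending exactly at this node

    def add(self, topic: bytes) -> None:
        node = self
        for b in topic:
            node = node.children.setdefault(b, TopicTrie())
        node.count += 1

    def remove_recursive(self, topic: bytes, i: int = 0) -> bool:
        """Recursive removal: one stack frame per topic byte.

        The recursive call is NOT a tail call, because the parent still has to
        prune the child afterwards, so no compiler can flatten it.
        """
        if i == len(topic):
            if self.count == 0:
                return False
            self.count -= 1
            return True
        child = self.children.get(topic[i])
        if child is None:
            return False
        removed = child.remove_recursive(topic, i + 1)  # work remains after this call
        if removed and child.count == 0 and not child.children:
            del self.children[topic[i]]
        return removed

    def remove_iterative(self, topic: bytes) -> bool:
        """Iterative removal: walks down with a loop, prunes back up over a saved path."""
        path = []
        node = self
        for b in topic:
            child = node.children.get(b)
            if child is None:
                return False
            path.append((node, b))
            node = child
        if node.count == 0:
            return False
        node.count -= 1
        # Prune now-empty nodes bottom-up; stop at the first node still in use.
        for parent, b in reversed(path):
            child = parent.children[b]
            if child.count == 0 and not child.children:
                del parent.children[b]
            else:
                break
        return True

    def node_count(self) -> int:
        """Number of nodes below the root, counted without recursion."""
        total, stack = 0, [self]
        while stack:
            node = stack.pop()
            total += len(node.children)
            stack.extend(node.children.values())
        return total


def unsubscribe_outcome(topic_len: int, recursive: bool) -> str:
    """Subscribe to a topic of the given length, then unsubscribe with one of the two strategies.

    Returns "removed", "not-found", or "recursion-error" (Python's guard against
    exhausting the interpreter stack; in C the equivalent is a crash).
    """
    trie = TopicTrie()
    topic = b"a" * topic_len          # constructed topic: the length is what matters
    trie.add(topic)
    try:
        ok = trie.remove_recursive(topic) if recursive else trie.remove_iterative(topic)
    except RecursionError:
        return "recursion-error"
    if ok and trie.node_count() != 0:
        return "leaked-nodes"
    return "removed" if ok else "not-found"


if __name__ == "__main__":
    for length in (8, 20000):
        print(f"len={length:6d} recursive={unsubscribe_outcome(length, True):16s} "
              f"iterative={unsubscribe_outcome(length, False)}")
```

Python stops the recursive variant with `RecursionError` at its default recursion limit (1000 frames), which is why a 20000-byte topic is enough to show the difference; a native implementation has no such guard and simply overruns the stack. The iterative variant keeps the same pruning semantics while using a heap-allocated path list, so the cost of a long topic is memory that can be bounded and accounted for, not stack that cannot.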