From abb315a6da4c2bcb695cdfe0373352b77d60cca3 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 9 May 2020 12:31:36 +0100
Subject: [PATCH 1/4] Problem: potential memory leak in test_connect_curve_fuzzer
Solution: properly initialize zmq_msg before receive
---
 tests/test_connect_curve_fuzzer.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/test_connect_curve_fuzzer.cpp b/tests/test_connect_curve_fuzzer.cpp
index cc3f77fa..e0dbb386 100644
--- a/tests/test_connect_curve_fuzzer.cpp
+++ b/tests/test_connect_curve_fuzzer.cpp
@@ -91,8 +91,10 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 zmq_msg_t msg;
 zmq_msg_init (&msg);
- while (-1 != zmq_msg_recv (&msg, client, ZMQ_DONTWAIT))
+ while (-1 != zmq_msg_recv (&msg, client, ZMQ_DONTWAIT)) {
 zmq_msg_close (&msg);
+ zmq_msg_init (&msg);
+ }
 close (server_accept);
 close (server);
From 675a007d7496253af7e23c258566fb624efb3320 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 9 May 2020 12:57:32 +0100
Subject: [PATCH 2/4] Problem: SECURITY.md does not mention 4.3.x series
Solution: add it
---
 SECURITY.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/SECURITY.md b/SECURITY.md
index 3bb207a0..4274a74a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,6 +6,7 @@
 | Version | Supported |
 | ------- | ------------------ |
+| 4.3.x | :white_check_mark: |
 | 4.2.x | :white_check_mark: |
 | 4.1.x | :white_check_mark: |
 | 4.0.x | :white_check_mark: |
From c33da0ea5bdbd687bbe1856e92ea3dd01d6778c7 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 9 May 2020 12:58:01 +0100
Subject: [PATCH 3/4] Problem: we lack an (internal) definition of severity for security issues
Solution: attempt to define a reasonable one
---
 SECURITY.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/SECURITY.md b/SECURITY.md
index 4274a74a..561a3956 100644
--- a/SECURITY.md
+++ b/SECURITY.md
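Review bot: The zmq_msg_init (&msg) added at the tail of the loop body means that when zmq_msg_recv finally returns -1 the loop exits with msg freshly initialised and nothing in the visible context closes it before close (server_accept), so the last init has no paired zmq_msg_close; add `zmq_msg_close (&msg);` immediately after the loop's closing `}`. Whether an empty message from zmq_msg_init owns anything that needs freeing is a library-internal detail the hunk does not show, but a fuzz target typically runs under LeakSanitizer and the init/close pairing is the documented API contract, so keeping it balanced avoids a spurious or real leak report. The loop also treats every -1 the same, which is fine for draining a socket in a harness; a short comment such as `// drain whatever the server sent; EAGAIN (nothing left) ends the loop` would make that intent explicit. LLVMFuzzerTestOneInput starts before and continues after the hunk, so a later close could exist out of view, but it belongs next to the loop.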
@@ -22,6 +22,29 @@ please send a GPG encrypted email with the details to the maintainers:
 | Doron Somech | somdoron@gmail.com | E0B0 E3D1 55DD 6ED6 71FB 2B79 D0B9 CC44 867D 8F3D |
 | Luca Boccassi | luca.boccassi@gmail.com | A9EA 9081 724F FAE0 484C 35A1 A81C EA22 BC8C 7E2E |
+## Internal severity classification
+
+We will attempt to follow this general policy when assigning a severity to
+security issues. These are guidelines more than rules, and as such end
+results might vary.
+
+
+| Severity | Definition |
+| -------- | ---------- |
+| CRITICAL | endpoints using STRONG authentication are SILENTLY affected |
+| HIGH | endpoints using STRONG authentication are VISIBLY affected |
+| MODERATE | endpoints NOT using STRONG authentication are SILENTLY affected |
+| LOW | endpoints NOT using STRONG authentication are VISIBLY affected |
+
+STRONG authentication means transports that use cryptography, for example CURVE
+and TLS.
+
+VISIBLY affected means that platform owners are likely to immediately notice
+misbehaviours, like crashes or loss of connectivity for legitimate peers.
+
+SILENTLY affected means that without close inspection, platform owners are
+unlikely to notice misbehaviours, like remote code executions or data exfiltration.
+
 ### Public keys
Doron Somech
From fb9d055578003b6f0ae0c2b91eea8f0c6067069b Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 9 May 2020 13:17:36 +0100
Subject: [PATCH 4/4] Problem: test_bind_curve_fuzzer might get stuck on some input
Solution: receive with MSG_DONTWAIT on the raw TCP socket
---
 tests/test_bind_curve_fuzzer.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/test_bind_curve_fuzzer.cpp b/tests/test_bind_curve_fuzzer.cpp
index 1993dd26..5b4d5c9c 100644
--- a/tests/test_bind_curve_fuzzer.cpp
+++ b/tests/test_bind_curve_fuzzer.cpp
@@ -71,14 +71,14 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 send (client, (void *) data, 202, MSG_NOSIGNAL);
 data += 202;
 size -= 202;
- recv (client, buf, 170, 0);
+ recv (client, buf, 170, MSG_DONTWAIT);
 }
 // Then send READY and expect INITIATE if there's enough data
 if (size >= 301) {
 send (client, (void *) data, 301, MSG_NOSIGNAL);
 data += 301;
 size -= 301;
- recv (client, buf, 512, 0);
+ recv (client, buf, 512, MSG_DONTWAIT);
 }
 msleep (250);
 for (ssize_t sent = 0; size > 0 && (sent != -1 || errno == EINTR);
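Review bot: Both recv calls discard their return value, so with MSG_DONTWAIT a -1/EAGAIN (reply not yet arrived) or a short read is indistinguishable from a complete WELCOME/READY reply and the harness proceeds to send the next handshake message regardless; that is an acceptable trade for a fuzz target that must not block, but the intent should be stated and the discard made explicit, e.g. `(void) recv (client, buf, 170, MSG_DONTWAIT); // best effort: reply may not be in yet` and the same for the 512-byte read. buf is declared outside the hunk, so its capacity for the 512-byte read cannot be confirmed from here; it is worth a glance at the declaration, since a smaller buffer would be an overflow that the fuzzer itself would then report. The surrounding send calls are likewise unchecked, which predates this commit. LLVMFuzzerTestOneInput starts before and continues after the hunk.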