3party/libzmq
0
0
Fork 0
mirror of https://github.com/zeromq/libzmq.git synced 2025-03-27 15:27:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #176 from bluca/news

Browse Source 
CVE-2019-13132
This commit is contained in:
Doron Somech 2019-07-08 19:03:08 +03:00 committed by GitHub
commit e3049f3da9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
NEWS
View File

@ -1,13 +1,30 @@
0MQ version 4.1.7 stable, released on 20xx/xx/xx 0MQ version 4.1.7 stable, released on 20xx/xx/xx
================================================ ================================================
* CVE-2019-13132: a remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations. All versions from 4.0.0 and upwards are affected.
* Fixed #2254 - zmq 4.1.6 cannot pub msg to a zmq 2.x * Fixed #2254 - zmq 4.1.6 cannot pub msg to a zmq 2.x
* Fixed #2623 - ZMQ_ROUTER: with ZMQ_ROUTER_MANDATORY, ZMQ_POLLOUT will now * Fixed #2623 - ZMQ_ROUTER: with ZMQ_ROUTER_MANDATORY, ZMQ_POLLOUT will now
now return true only if at least one pipe is ready for writing now return true only if at least one pipe is ready for writing
* Fixed #159 - off-by-one error leaves ZMQ_STREAM unusable
* Fixed #163 - Fix divide by zero, in case of race condition, with ZMQ_PUSH
* Fixed #164 - EHOSTDOWN socket error assertion * Fixed #164 - EHOSTDOWN socket error assertion
* Fixed #165 - inproc pub/sub does not work when sub connects/binds before pub
does
* Fix parsing application metadata when using CURVE
0MQ version 4.1.6 stable, released on 2016/11/01 0MQ version 4.1.6 stable, released on 2016/11/01
================================================ ================================================

34
src/curve_server.cpp
View File

@ -440,8 +440,12 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
const size_t clen = (msg_->size () - 113) + crypto_box_BOXZEROBYTES; const size_t clen = (msg_->size () - 113) + crypto_box_BOXZEROBYTES;
uint8_t initiate_nonce [crypto_box_NONCEBYTES]; uint8_t initiate_nonce [crypto_box_NONCEBYTES];
uint8_t initiate_plaintext [crypto_box_ZEROBYTES + 128 + 256]; uint8_t *initiate_plaintext =
uint8_t initiate_box [crypto_box_BOXZEROBYTES + 144 + 256]; static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
alloc_assert (initiate_plaintext);
uint8_t *initiate_box =
static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
alloc_assert (initiate_box);
// Open Box [C + vouch + metadata](C'->S') // Open Box [C + vouch + metadata](C'->S')
memset (initiate_box, 0, crypto_box_BOXZEROBYTES); memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
@ -452,17 +456,18 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
memcpy (initiate_nonce + 16, initiate + 105, 8); memcpy (initiate_nonce + 16, initiate + 105, 8);
cn_peer_nonce = get_uint64(initiate + 105); cn_peer_nonce = get_uint64(initiate + 105);
const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
rc = crypto_box_open (initiate_plaintext, initiate_box, rc = crypto_box_open (initiate_plaintext, initiate_box,
clen, initiate_nonce, cn_client, cn_secret); clen, initiate_nonce, cn_client, cn_secret);
if (rc != 0) { if (rc != 0) {
// Temporary support for security debugging // Temporary support for security debugging
puts ("CURVE I: cannot open client INITIATE"); puts ("CURVE I: cannot open client INITIATE");
errno = EPROTO; errno = EPROTO;
return -1; rc = -1;
goto exit;
} }
const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
uint8_t vouch_nonce [crypto_box_NONCEBYTES]; uint8_t vouch_nonce [crypto_box_NONCEBYTES];
uint8_t vouch_plaintext [crypto_box_ZEROBYTES + 64]; uint8_t vouch_plaintext [crypto_box_ZEROBYTES + 64];
uint8_t vouch_box [crypto_box_BOXZEROBYTES + 80]; uint8_t vouch_box [crypto_box_BOXZEROBYTES + 80];
@ -483,7 +488,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
// Temporary support for security debugging // Temporary support for security debugging
puts ("CURVE I: cannot open client INITIATE vouch"); puts ("CURVE I: cannot open client INITIATE vouch");
errno = EPROTO; errno = EPROTO;
return -1; rc = -1;
goto exit;
} }
// What we decrypted must be the client's short-term public key // What we decrypted must be the client's short-term public key
@ -491,7 +497,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
// Temporary support for security debugging // Temporary support for security debugging
puts ("CURVE I: invalid handshake from client (public key)"); puts ("CURVE I: invalid handshake from client (public key)");
errno = EPROTO; errno = EPROTO;
return -1; rc = -1;
goto exit;
} }
// Precompute connection secret from client key // Precompute connection secret from client key
@ -510,14 +517,21 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
else else
if (errno == EAGAIN) if (errno == EAGAIN)
state = expect_zap_reply; state = expect_zap_reply;
else else {
return -1; rc = -1;
goto exit;
}
} }
else else
state = send_ready; state = send_ready;
return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128, rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
clen - crypto_box_ZEROBYTES - 128); clen - crypto_box_ZEROBYTES - 128);
exit:
free (initiate_plaintext);
free (initiate_box);
return rc;
} }
int zmq::curve_server_t::produce_ready (msg_t *msg_) int zmq::curve_server_t::produce_ready (msg_t *msg_)