Your message dated Sat, 12 Jan 2019 18:58:06 +0000 with message-id <e1giotu-0004dn...@fasolo.debian.org> and subject line Bug#919098: fixed in zeromq3 4.3.1-1 has caused the Debian Bug report #919098, regarding libzmq5: remote execution vulnerability to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
919098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libzmq5
Version: 4.2.0-1
Severity: important
Tags: patch security upstream fixed-upstream

Dear Maintainer,

A remote execution vulnerability has been reported in zeromq. Full details can be found on the upstream issue tracker [1]. The issue is fixed in upstream version v4.3.1, just released, or with the attached patch which is targeted for v4.2.1 (stretch). I would highly recommend upgrading to the latest version for Buster, and considering at least an upload to stable-p-u with the patch.

As mentioned in the upstream tracker and the changelog, the issue can be mitigated by ASLR and by authentication via CURVE/GSSAPI.

As far as I am aware no CVEs have been assigned nor requested as of now.

-- 
Kind regards,
Luca Boccassi

[1] https://github.com/zeromq/libzmq/issues/3351

Author: Guido Vranken <guidovran...@gmail.com>
Description: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote code execution (issue #3351). Refactor bounds check arithmetic such that no overflow shall occur
Origin: https://github.com/zeromq/libzmq/pull/3353
Applied-Upstream: 1a2ed12716693073032d57dac4e269df3d373751
--- a/src/v2_decoder.cpp +++ b/src/v2_decoder.cpp @@ -108,7 +108,7 @@ int zmq::v2_decoder_t::size_ready(uint64_t msg_size, unsigned char const* read_p // the current message can exceed the current buffer. We have to copy the buffer // data into a new message and complete it in the next receive. - if (unlikely ((unsigned char*)read_pos + msg_size > (data() + size()))) + if (unlikely (msg_size_ > (size_t) (data () + size () - read_pos_))) { // a new message has started, but the size would exceed the pre-allocated arena // this happens every time when a message does not fit completely into the buffer
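Review bot: the replacement condition `msg_size_ > (size_t) (data () + size () - read_pos_)` compares the members `msg_size_` and `read_pos_`, while the hunk header shows the function still taking `msg_size` and `read_pos` as parameters; the hunk does not show where those members are assigned, so please confirm (or include a line of context) that both are set from the parameters before this check, otherwise the refactor silently changes which values are compared. The new arithmetic is the right shape: `data () + size () - read_pos_` is a pointer difference inside the buffer, so no pointer is ever formed past the arena and a size large enough to wrap the old `read_pos + msg_size` sum now simply compares greater than the remaining length (on 32-bit targets the `size_t` operand promotes to the 64-bit width of `msg_size_`, so the comparison stays exact there too). One edge remains worth documenting: the `(size_t)` cast of a `ptrdiff_t` turns a negative difference, i.e. a `read_pos_` already beyond `data () + size ()`, into a very large "remaining" value that would let the check pass, so an `assert (read_pos_ <= data () + size ())` immediately before the `if` would pin down the invariant the new check relies on.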
--- End Message ---
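The bug report above describes the fix as refactoring the bounds-check arithmetic so that no overflow occurs. The following is an added example written for this page, not libzmq's own code: it reduces both shapes of the check to stand-alone C functions over a constructed 64-byte arena, the pre-patch pointer-addition form (modelled with `uintptr_t`, since forming a pointer past the end of an object is undefined in C) and the patched remaining-length form. The names `naive_fits`, `safe_fits`, `arena` and `ARENA_SIZE`, the test offsets and sizes, and the explicit cursor guard in `safe_fits` are all assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not libzmq's code. A fixed receive arena stands in for the
 * decoder's buffer; read_off is the cursor position inside it and msg_size
 * models the length field that size_ready() takes from the wire.
 */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/*
 * Pre-patch shape: "read_pos + msg_size > data() + size()".
 * The addition is modelled with uintptr_t (defined modular arithmetic) to
 * show the effect the bug report calls a pointer overflow: a size near
 * UINT64_MAX wraps the sum to an address below the end pointer, and the
 * check wrongly reports that the message fits.
 */
static bool naive_fits(size_t read_off, uint64_t msg_size)
{
    uintptr_t end = (uintptr_t) arena + ARENA_SIZE;
    uintptr_t claimed_end = (uintptr_t) (arena + read_off) + (uintptr_t) msg_size;
    return claimed_end <= end;
}

/*
 * Post-patch shape: "msg_size > (size_t)(data() + size() - read_pos)".
 * The remaining room is an unsigned length obtained from a pointer
 * difference inside the arena, so no out-of-range pointer is formed and
 * nothing can wrap. The read_off > ARENA_SIZE guard is an extra
 * precondition check added in this example (it is not in the libzmq
 * patch): without it a cursor past the end would give a negative
 * difference that the size_t cast would turn into a huge "remaining".
 */
static bool safe_fits(size_t read_off, uint64_t msg_size)
{
    if (read_off > ARENA_SIZE)
        return false;
    size_t remaining = (size_t) (arena + ARENA_SIZE - (arena + read_off));
    /* uint64_t vs size_t: the usual arithmetic conversions widen size_t,
       so the comparison is exact on both 32- and 64-bit targets. */
    return msg_size <= remaining;
}

int main(void)
{
    /* Constructed inputs: cursor 10 bytes into the arena, 54 bytes left. */
    const size_t off = 10;
    const uint64_t huge = UINT64_MAX - 16;   /* wraps the naive sum */

    printf("exact fit (54):    naive=%d safe=%d\n", naive_fits(off, 54), safe_fits(off, 54));
    printf("one too many (55): naive=%d safe=%d\n", naive_fits(off, 55), safe_fits(off, 55));
    printf("huge size:         naive=%d safe=%d\n", naive_fits(off, huge), safe_fits(off, huge));
    return 0;
}
```

Build with any C99 compiler and run: the first two lines show both checks agreeing on ordinary sizes, while the third shows the naive form accepting a size of `UINT64_MAX - 16` that the patched form rejects. The guard on `read_off` also covers the case the patched expression alone does not: a cursor already past the arena end is refused instead of being turned into a large remaining length by the cast.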
--- Begin Message ---
Source: zeromq3
Source-Version: 4.3.1-1

We believe that the bug you reported is fixed in the latest version of zeromq3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 919...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated zeromq3 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 12 Jan 2019 17:37:00 +0000
Source: zeromq3
Binary: libzmq5 libzmq3-dev
Architecture: source amd64
Version: 4.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 libzmq3-dev - lightweight messaging kernel (development files)
 libzmq5    - lightweight messaging kernel (shared library)
Closes: 919098
Changes:
 zeromq3 (4.3.1-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix pointer overflow in zmq::v2_decoder_t::size_ready() leading to remote
     code execution (closes: #919098).
   * Update library symbols.
   * Update Standards-Version to 4.3.0
 .
Checksums-Sha1:
 45e5fdf22dcbe227c4a30c9060a48202f35c8188 1855 zeromq3_4.3.1-1.dsc
 7c434e1cb76e099ef5390cadc7606257567423cb 788963 zeromq3_4.3.1.orig.tar.gz
 e4bc2323489f46f76fad00a9501c2d71ec5afef3 21172 zeromq3_4.3.1-1.debian.tar.xz
 5ec1e55b3a0b4a93b559a996772efe48a4dc02af 431188 libzmq3-dev_4.3.1-1_amd64.deb
 65a90ce540559357ab3a6d6aff0b3242da9e1e8f 4646012 libzmq5-dbgsym_4.3.1-1_amd64.deb
 39953035485bfbbf43e5304b47816d8452c96633 238172 libzmq5_4.3.1-1_amd64.deb
 bae45f0f0a7f88fe8930fd5edbb5758cc4f05461 8283 zeromq3_4.3.1-1_amd64.buildinfo
Checksums-Sha256:
 e118c75aaa9e4108f16ee582a5d454fe4a4434a41907c40e71a929b63b5ad494 1855 zeromq3_4.3.1-1.dsc
 e1dec061725b55d791e0c6952b8c220846c8cd901c09d1283a6e902898205b9d 788963 zeromq3_4.3.1.orig.tar.gz
 ecca84320954b2ab1a979804f4217eee0d20a55900469a846dd568f76a423a18 21172 zeromq3_4.3.1-1.debian.tar.xz
 6593dc3199c6f3d70a697917019f38ad045d63e10819b8fd33226fdbc80d076c 431188 libzmq3-dev_4.3.1-1_amd64.deb
 2fe419771388fbe874c12a5e22c83cd6da8204c3c8d4e7142f168419454aa212 4646012 libzmq5-dbgsym_4.3.1-1_amd64.deb
 3d9bdefe95270776abdbf55988815028d1ec25fc14e296b5e6d6b2817bdbdb59 238172 libzmq5_4.3.1-1_amd64.deb
 5467665f6443ee1bd00021695e28db3954ddaf0c0145361b7e85958e5234f773 8283 zeromq3_4.3.1-1_amd64.buildinfo
Files:
 a5fead3bcfcfc401c7014ee7f3e68336 1855 libs optional zeromq3_4.3.1-1.dsc
 7e32132123473bb38ee76e07c0f30e4f 788963 libs optional zeromq3_4.3.1.orig.tar.gz
 5592182933509763bf803a8ccec30757 21172 libs optional zeromq3_4.3.1-1.debian.tar.xz
 553625478174c078a261c6d90c48baa5 431188 libdevel optional libzmq3-dev_4.3.1-1_amd64.deb
 7c61e1b49f4140ae9a8dded247a98146 4646012 debug optional libzmq5-dbgsym_4.3.1-1_amd64.deb
 a02bb4b5f61997e6b909c1494bad57d0 238172 libs optional libzmq5_4.3.1-1_amd64.deb
 72b746c521e25123e21bc3ea3c6a3fb0 8283 libs optional zeromq3_4.3.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlw6Lb0ACgkQ3OMQ54ZM
yL/v/xAAtEXUpSPC8LC9m10HejJSdQ2p7m3OwUHI0T7XHaekH+WulQmEApXPLzLR
SuwDJjG/Xbj39xzHOJQsUoKUT1CGZ7p289C50qjC/3kFHFGPP/XxkhU0BVe5Ipui
HHs5AD+vWBhR3i2PfgUEz/dRXihVOG92GcSxIEuGtDZpw2YI49Dpu/38cHM/f22I
Rgo4Iu9TaESpmKaRdbYyDqkoMS121LtfrFp0tUhaohHzlkFUJOp6MXRCEJhz1Aro
WlA8r98HhO3BLFqh/SAQtz85Wv7g2/pgJYmOhUnjdeC0Rjq0aSNkLAkUYq/tyYc0
SSOhEVdckSwjC8P1IpEHJ9jelJx9prVePADLUU88VIAJPPnXUbN2Fv6GJmHeiGuU
T9IRxoQsxY1L43GcPX/2eqGDIu51dfMhDLPaUX3VJwonIi7X8tWvtYZ7QEHAY88Y
NzQqiD1VbezYF8WxKnq6m53rGU7F/gDe9CkIIri8ILgT2UG96ZUZYuyJYLM5DaCj
ucNDzdh2xfVSQA2LGITu+79n826BJF6Lv+pBlT/6XJxxcgTHwAYaPYgiFCvdOVkT
O3R8RdtDpLl3RpUJtBdIivB5m4aBpl5UMR4frUzCC8YOz/WUF7Mf+JpmckhNZRhs
TckDI9uviKDVjUW/oXlq13+/bZN2Pa9iO8iB/U3zcnKBN1AMPno=
=08jk
-----END PGP SIGNATURE-----
--- End Message ---