Your message dated Tue, 29 Jan 2019 13:04:02 +0000
with message-id <e1got3a-000ba7...@fasolo.debian.org>
and subject line Bug#919098: fixed in zeromq3 4.2.1-4+deb9u1
has caused the Debian Bug report #919098,
regarding libzmq5: remote execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
919098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libzmq5
Version: 4.2.0-1
Severity: important
Tags: patch security upstream fixed-upstream

Dear Maintainer,

A remote execution vulnerability has been reported in zeromq. Full
details can be found on the upstream issue tracker [1].

The issue is fixed in upstream version v4.3.1, just released, or with
the attached patch which is targeted for v4.2.1 (stretch).

I would highly recommend upgrading to the latest version for Buster,
and to consider at least an upload to stable-p-u with the patch.

As mentioned in the upstream tracker and the changelog, the issue can
be mitigated by ASLR and by authentication via CURVE/GSSAPI. As far as
I am aware no CVEs have been assigned nor have been requested as of
now.

-- 
Kind regards,
Luca Boccassi

[1] https://github.com/zeromq/libzmq/issues/3351
Author: Guido Vranken <guidovran...@gmail.com>
Description: pointer overflow in zmq::v2_decoder_t::size_ready
 leading to remote code execution (issue #3351).
 Refactor bounds check arithmetic such that no overflow shall occur
Origin: https://github.com/zeromq/libzmq/pull/3353
Applied-Upstream: 1a2ed12716693073032d57dac4e269df3d373751
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -108,7 +108,7 @@ int zmq::v2_decoder_t::size_ready(uint64_t msg_size, unsigned char const* read_p
     // the current message can exceed the current buffer. We have to copy the buffer
     // data into a new message and complete it in the next receive.
 
-    if (unlikely ((unsigned char*)read_pos + msg_size > (data() + size())))
+    if (unlikely (msg_size_ > (size_t) (data () + size () - read_pos_)))
     {
         // a new message has started, but the size would exceed the pre-allocated arena
         // this happens every time when a message does not fit completely into the buffer
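Review bot: the new condition refers to `msg_size_` and `read_pos_`, but the hunk header shows this function's parameters as `msg_size` and `read_pos` (`size_ready(uint64_t msg_size, unsigned char const* read_p…`); unless the 4.2.1 tree already declares members or parameters with the trailing-underscore names, this backport will not compile for stretch, so please confirm the names against the target source before upload. The arithmetic itself is the right fix: comparing `msg_size_` against the bytes remaining, `data () + size () - read_pos_`, never forms the pointer `read_pos + msg_size` that the removed line relied on, so there is no pointer value left to wrap. One caveat on the `(size_t)` cast: it assumes `read_pos_` lies within `[data (), data () + size ()]`; a negative difference would convert to a very large `size_t` and make the check pass, so that invariant should hold at every call site.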

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
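The description above says the bounds check was refactored "such that no overflow shall occur". The following added example is not libzmq code; it models the two forms of the check on plain `uintptr_t` values (where wrap-around is well defined, unlike real pointer arithmetic) so that the difference can be observed with constructed inputs. The function names `old_check_rejects` and `new_check_rejects` and the buffer addresses are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the pre-patch form: compute "end of message" as read_pos + msg_size
 * and compare it against the end of the receive buffer. On uintptr_t the
 * addition wraps modulo 2^N, which is exactly the defect the patch removes
 * (hypothetical model, not libzmq's code). Returns true if the message is
 * judged NOT to fit in the buffer. */
static bool old_check_rejects(uintptr_t buf, size_t buf_len,
                              uintptr_t read_pos, uint64_t msg_size)
{
    uintptr_t msg_end = read_pos + (uintptr_t) msg_size; /* may wrap to a small value */
    return msg_end > buf + buf_len;
}

/* Model of the post-patch form: compare the message size against the bytes
 * remaining between read_pos and the end of the buffer. No address beyond the
 * buffer is ever formed, so there is nothing to overflow. The explicit range
 * check on read_pos guards the assumption behind the (size_t) conversion. */
static bool new_check_rejects(uintptr_t buf, size_t buf_len,
                              uintptr_t read_pos, uint64_t msg_size)
{
    if (read_pos < buf || read_pos > buf + buf_len)
        return true; /* read position outside the arena: treat as not fitting */
    size_t remaining = (size_t) (buf + buf_len - read_pos);
    return msg_size > remaining;
}

/* Constructed scenario: an 8 KiB arena at a made-up address, read position 16
 * bytes in, and an advertised size chosen so that read_pos + size wraps to 1.
 * Returns true if the old check wrongly accepts it while the new one rejects. */
static bool wrapped_size_slips_past_old_check(void)
{
    const uintptr_t buf = 0x1000;
    const size_t buf_len = 8192;
    const uintptr_t read_pos = buf + 16;
    /* (UINTPTR_MAX - read_pos) + 2 makes read_pos + size == 1 after wrap-around */
    const uint64_t size = (uint64_t) (UINTPTR_MAX - read_pos) + 2;
    return !old_check_rejects(buf, buf_len, read_pos, size)
           && new_check_rejects(buf, buf_len, read_pos, size);
}

/* Sanity check that both forms agree on ordinary inputs. */
static bool checks_agree_on_plain_sizes(void)
{
    const uintptr_t buf = 0x1000;
    const size_t buf_len = 8192;
    const uintptr_t read_pos = buf + 16;
    bool fits_old = !old_check_rejects(buf, buf_len, read_pos, 100);
    bool fits_new = !new_check_rejects(buf, buf_len, read_pos, 100);
    bool big_old = old_check_rejects(buf, buf_len, read_pos, 10000);
    bool big_new = new_check_rejects(buf, buf_len, read_pos, 10000);
    return fits_old && fits_new && big_old && big_new;
}

int main(void)
{
    printf("wrapped size slips past old check: %s\n",
           wrapped_size_slips_past_old_check() ? "yes" : "no");
    printf("checks agree on plain sizes: %s\n",
           checks_agree_on_plain_sizes() ? "yes" : "no");
    return 0;
}
```

The key property is that `new_check_rejects` only ever subtracts two addresses that both lie inside the arena and compares the result with the advertised length, so the comparison cannot be defeated by a length chosen to wrap the address space; this is the same reasoning as the `size () - read_pos_` form in the Debian patch.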
--- Begin Message ---
Source: zeromq3
Source-Version: 4.2.1-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
zeromq3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated zeromq3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Jan 2019 18:02:22 +0100
Source: zeromq3
Binary: libzmq5 libzmq3-dev libzmq5-dbg
Architecture: source amd64
Version: 4.2.1-4+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Description:
 libzmq3-dev - lightweight messaging kernel (development files)
 libzmq5    - lightweight messaging kernel (shared library)
 libzmq5-dbg - lightweight messaging kernel (debugging symbols)
Closes: 919098
Changes:
 zeromq3 (4.2.1-4+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2019-6250 (Closes: #919098)
Checksums-Sha1:
 7eca1ab11c5025d52e8390f26c8ed5d8fadbb775 2054 zeromq3_4.2.1-4+deb9u1.dsc
 69179bc63838235154d851b90ae48e37fc982eee 586163 zeromq3_4.2.1.orig.tar.gz
 8564c4825f9a3bbceea81d4a331f5401f3632beb 21980 zeromq3_4.2.1-4+deb9u1.debian.tar.xz
 cefdb743198929c40bfac0c40cb1c86889e427d4 369688 libzmq3-dev_4.2.1-4+deb9u1_amd64.deb
 75312fb7e0eaabe4038605d86492bef68ea7a5f6 3251992 libzmq5-dbg_4.2.1-4+deb9u1_amd64.deb
 8be9644c3f21f622fc7152f9ee5feedeac139f1d 200670 libzmq5_4.2.1-4+deb9u1_amd64.deb
 5a8e437b85f7fd6c72efade057a1124cc3f9bfbe 7213 zeromq3_4.2.1-4+deb9u1_amd64.buildinfo
Checksums-Sha256:
 4b5180ba0ea712aec308ab23558fce53f0d7c19062c4182be005ac4aed64857e 2054 zeromq3_4.2.1-4+deb9u1.dsc
 f68bc45b51297577522aa83d8f05727dba54e567a177330c82918454b656f74f 586163 zeromq3_4.2.1.orig.tar.gz
 76c8846dde987dbaa623bdcf6a37acd1bc525fe985cfb2d54a2a451df8100d0a 21980 zeromq3_4.2.1-4+deb9u1.debian.tar.xz
 f820a2cb1f1ab062c8e0ee27177942d1924b59b072000fea8b88e1ec7d2a613d 369688 libzmq3-dev_4.2.1-4+deb9u1_amd64.deb
 e446afbdc20abaf9a276c7eec7f7bd58cea4efe34fa1ba5bcdaf945779fd16b9 3251992 libzmq5-dbg_4.2.1-4+deb9u1_amd64.deb
 9d16bd4fec6f53e0c1295de7254706edd9a77a8e342c6d64cd334b0d745122df 200670 libzmq5_4.2.1-4+deb9u1_amd64.deb
 65d9e726ba9f4e0d1feddd700b8edee50444cfcdb371d2f35efca230d68c1f1e 7213 zeromq3_4.2.1-4+deb9u1_amd64.buildinfo
Files:
 1bcd141a81b25767e91fe595d3532b97 2054 libs optional zeromq3_4.2.1-4+deb9u1.dsc
 4eed208abf0d8202359ad760a1ac03b2 586163 libs optional zeromq3_4.2.1.orig.tar.gz
 dcdd63942e924c7f157da52d28169682 21980 libs optional zeromq3_4.2.1-4+deb9u1.debian.tar.xz
 0c8a37a6c009e84f2eef27c02a723466 369688 libdevel optional libzmq3-dev_4.2.1-4+deb9u1_amd64.deb
 cc96f443598c2021294fe97afce346eb 3251992 debug extra libzmq5-dbg_4.2.1-4+deb9u1_amd64.deb
 ff9b6d08d7a5724f1fb4457d8c09c9bc 200670 libs optional libzmq5_4.2.1-4+deb9u1_amd64.deb
 c013fee8667e18e82c2bbde7c4abe4b2 7213 libs optional zeromq3_4.2.1-4+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
