On Sat, 12 Jan 2019 16:54:42 +0000 Luca Boccassi <bl...@debian.org>
wrote:
> Package: libzmq5
> Version: 4.2.0-1
> Severity: important
> Tags: patch security upstream fixed-upstream
> 
> Dear Maintainer,
> 
> A remote execution vulnerability has been reported in zeromq. Full
> details can be found on the upstream issue tracker [1].
> 
> The issue is fixed in upstream version v4.3.1, just released, or with
> the attached patch which is targeted for v4.2.1 (stretch).
> 
> I would highly recommend to upgrade to the latest version for Buster,
> and to consider at least an upload to stable-p-u with the patch.
> 
> As mentioned in the upstream tracker and the changelog, the issue can
> be mitigated by ASLR and by authentication via CURVE/GSSAPI. As far as
> I am aware no CVEs have been assigned nor have been requested as of
> now.
> 
> -- 
> Kind regards,
> Luca Boccassi
> 
> [1] https://github.com/zeromq/libzmq/issues/3351

Sorry, I fat-fingered the patch refresh and the variable name is wrong.
Corrected version attached.

-- 
Kind regards,
Luca Boccassi
Author: Guido Vranken <guidovran...@gmail.com>
Description: pointer overflow in zmq::v2_decoder_t::size_ready
 leading to remote code execution (issue #3351).
 Refactor bounds check arithmetic such that no overflow shall occur
Origin: https://github.com/zeromq/libzmq/pull/3353
Applied-Upstream: 1a2ed12716693073032d57dac4e269df3d373751
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -108,7 +108,7 @@ int zmq::v2_decoder_t::size_ready(uint64_t msg_size, unsigned char const* read_p
     // the current message can exceed the current buffer. We have to copy the buffer
     // data into a new message and complete it in the next receive.
 
-    if (unlikely ((unsigned char*)read_pos + msg_size > (data() + size())))
+    if (unlikely (msg_size > (size_t) (data () + size () - read_pos)))
     {
         // a new message has started, but the size would exceed the pre-allocated arena
         // this happens every time when a message does not fit completely into the buffer
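Review bot: the new condition on the `+` line is only sound while `read_pos` lies within `[data (), data () + size ()]`; should `read_pos` ever sit past the end of the buffer, `data () + size () - read_pos` is a negative `ptrdiff_t` and the `(size_t)` cast turns it into a huge value, so `msg_size > ...` evaluates false and the oversized message is accepted. Consider making that invariant explicit with a `zmq_assert (read_pos <= data () + size ())` just before the check. The direction of the rewrite is correct: the old `(unsigned char*)read_pos + msg_size` pointer arithmetic is undefined once the peer-supplied 64-bit `msg_size` carries the pointer past the arena, which is the overflow the patch description cites, and because `msg_size` is `uint64_t` the `size_t` operand is promoted rather than truncated on 32-bit targets.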
