main/zeromq: upgrade to 4.2.5, security fix (CVE-2019-6250)

Fixes #9878

main/zeromq: upgrade to 4.2.5, security fix (CVE-2019-6250)
Fixes #9878
9ee02b0d · Leonardo Arena · 4bae97cf · 9ee02b0d · 9ee02b0d
Commit 9ee02b0d authored Feb 04, 2019 by Leonardo Arena
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 4 deletions

main/zeromq/APKBUILD main/zeromq/APKBUILD +10 -4

main/zeromq/CVE-2019-6250.patch main/zeromq/CVE-2019-6250.patch +13 -0

No files found.
--- a/main/zeromq/APKBUILD
+++ b/main/zeromq/APKBUILD
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=zeromq
-pkgver=4.2.2
-pkgrel=2
+pkgver=4.2.5
+pkgrel=0
 pkgdesc="The ZeroMQ messaging library and tools"
 url="http://www.zeromq.org/"
 arch="all"
@@ -13,9 +13,14 @@ makedepends="util-linux-dev libsodium-dev
 subpackages="$pkgname-dev $pkgname-doc libzmq:libs"
 source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
 	test-driver.patch
+	CVE-2019-6250.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"

+# secfixes:
+#   4.2.5-r0:
+#     - CVE-2019-6250
+
 build() {
 	cd "$builddir"
 	./configure \
@@ -40,5 +45,6 @@ package() {
 	make DESTDIR="$pkgdir" install || return 1
 }

-sha512sums="d78813a61ce3311a1f8c230f7da0f5aedc97ef4b792afb6d398c5710da239348c0c7a67bdfeb38a7ab0282af498f1ed173649aff4add1bc35f0ef1b66f965443  zeromq-4.2.2.tar.gz
-64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660  test-driver.patch"
+sha512sums="4556cb50d05a6d133015a0ba804d6d951a47479a33fa29561eaeecb93d48b7bb6477365d0986c38b779f500cadaf08522c4a7aa13f5510303bd923f794d37036  zeromq-4.2.5.tar.gz
+64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660  test-driver.patch
+ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d  CVE-2019-6250.patch"
--- a/main/zeromq/CVE-2019-6250.patch
+++ b/main/zeromq/CVE-2019-6250.patch
+diff --git a/src/v2_decoder.cpp b/src/v2_decoder.cpp
+index 839be9a..37889bd 100644
+--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
+@@ -116,7 +116,7 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size,
+ 
+     if (unlikely (
+           !zero_copy
+-          || ((unsigned char *) read_pos + msg_size > (data () + size ())))) {
+          || (msg_size > (size_t) (data () + size () - read_pos)))) {
+         // a new message has started, but the size would exceed the pre-allocated arena
+         // this happens every time when a message does not fit completely into the buffer
+         rc = in_progress.init_size (static_cast<size_t> (msg_size));