Commit cea68283 authored by Leo's avatar Leo Committed by Natanael Copa

main/zeromq: fix CVE-2019-13132

fixes #10687
parent 1d883b90
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zeromq
pkgver=4.2.5
pkgrel=0
pkgrel=1
pkgdesc="The ZeroMQ messaging library and tools"
url="http://www.zeromq.org/"
arch="all"
......@@ -14,10 +14,13 @@ subpackages="$pkgname-dev $pkgname-doc libzmq:libs"
source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
test-driver.patch
CVE-2019-6250.patch
CVE-2019-13132.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 4.2.5-r1:
# - CVE-2019-13132
# 4.2.5-r0:
# - CVE-2019-6250
......@@ -47,4 +50,5 @@ package() {
sha512sums="4556cb50d05a6d133015a0ba804d6d951a47479a33fa29561eaeecb93d48b7bb6477365d0986c38b779f500cadaf08522c4a7aa13f5510303bd923f794d37036 zeromq-4.2.5.tar.gz
64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660 test-driver.patch
ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d CVE-2019-6250.patch"
ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d CVE-2019-6250.patch
e70db052cced7110ff0066c495a1230459710e31bb1f6afd6f01194ac024c625cf365413d81fccf1c4e1670f9ec6e5ed340fddf9e06a0b726ed79009db92c587 CVE-2019-13132.patch"
From 4287cd2274ad48faa2b5346b6108f05b32ec20f2 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Tue, 2 Jul 2019 01:24:19 +0100
Subject: [PATCH] Problem: application metadata not parsed correctly when using
CURVE
Solution: create buffers large enough to contain arbitrary metadata
---
src/curve_server.cpp | 35 ++++++++++++++++++++++++-----------
1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/curve_server.cpp b/src/curve_server.cpp
index 6938a637..d3a710db 100644
--- a/src/curve_server.cpp
+++ b/src/curve_server.cpp
@@ -327,8 +327,12 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
const size_t clen = (size - 113) + crypto_box_BOXZEROBYTES;
uint8_t initiate_nonce[crypto_box_NONCEBYTES];
- uint8_t initiate_plaintext[crypto_box_ZEROBYTES + 128 + 256];
- uint8_t initiate_box[crypto_box_BOXZEROBYTES + 144 + 256];
+ uint8_t *initiate_plaintext =
+ static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
+ alloc_assert (initiate_plaintext);
+ uint8_t *initiate_box =
+ static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
+ alloc_assert (initiate_box);
// Open Box [C + vouch + metadata](C'->S')
memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
@@ -339,6 +343,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
memcpy (initiate_nonce + 16, initiate + 105, 8);
cn_peer_nonce = get_uint64 (initiate + 105);
+ const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
+
rc = crypto_box_open (initiate_plaintext, initiate_box, clen,
initiate_nonce, cn_client, cn_secret);
if (rc != 0) {
@@ -346,11 +352,10 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
session->get_socket ()->event_handshake_failed_protocol (
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
errno = EPROTO;
- return -1;
+ rc = -1;
+ goto exit;
}
- const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
-
uint8_t vouch_nonce[crypto_box_NONCEBYTES];
uint8_t vouch_plaintext[crypto_box_ZEROBYTES + 64];
uint8_t vouch_box[crypto_box_BOXZEROBYTES + 80];
@@ -371,7 +376,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
session->get_socket ()->event_handshake_failed_protocol (
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
errno = EPROTO;
- return -1;
+ rc = -1;
+ goto exit;
}
// What we decrypted must be the client's short-term public key
@@ -383,7 +389,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
session->get_socket ()->event_handshake_failed_protocol (
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_KEY_EXCHANGE);
errno = EPROTO;
- return -1;
+ rc = -1;
+ goto exit;
}
// Precompute connection secret from client key
@@ -405,7 +412,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
// is attempted)
rc = receive_and_process_zap_reply ();
if (rc == -1)
- return -1;
+ goto exit;
} else if (!options.zap_enforce_domain) {
// This supports the Stonehouse pattern (encryption without
// authentication) in legacy mode (domain set but no handler).
@@ -413,15 +420,21 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
} else {
session->get_socket ()->event_handshake_failed_no_detail (
session->get_endpoint (), EFAULT);
- return -1;
+ rc = -1;
+ goto exit;
}
} else {
// This supports the Stonehouse pattern (encryption without authentication).
state = sending_ready;
}
- return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
- clen - crypto_box_ZEROBYTES - 128);
+ rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
+ clen - crypto_box_ZEROBYTES - 128);
+
+exit:
+ free (initiate_plaintext);
+ free (initiate_box);
+ return rc;
}
int zmq::curve_server_t::produce_ready (msg_t *msg_)
--
2.20.1
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment