Package: libzmq5
Version: 4.2.0-1
Severity: important
Tags: patch security upstream fixed-upstream
Dear Maintainer,

A remote execution vulnerability has been reported in zeromq. Full details can be found on the upstream issue tracker [1].

The issue is fixed in upstream version v4.3.1, just released, or with the attached patch which is targeted for v4.2.1 (stretch).

I would highly recommend to upgrade to the latest version for Buster, and to consider at least an upload to stable-p-u with the patch.

As mentioned in the upstream tracker and the changelog, the issue can be mitigated by ASLR and by authentication via CURVE/GSSAPI.

As far as I am aware no CVEs have been assigned nor have been requested as of now.

--
Kind regards,
Luca Boccassi

[1] https://github.com/zeromq/libzmq/issues/3351
Author: Guido Vranken <guidovran...@gmail.com> Description: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote code execution (issue #3351). Refactor bounds check arithmetic such that no overflow shall occur Origin: https://github.com/zeromq/libzmq/pull/3353 Applied-Upstream: 1a2ed12716693073032d57dac4e269df3d373751 --- a/src/v2_decoder.cpp +++ b/src/v2_decoder.cpp @@ -108,7 +108,7 @@ int zmq::v2_decoder_t::size_ready(uint64_t msg_size, unsigned char const* read_p // the current message can exceed the current buffer. We have to copy the buffer // data into a new message and complete it in the next receive. - if (unlikely ((unsigned char*)read_pos + msg_size > (data() + size()))) + if (unlikely (msg_size_ > (size_t) (data () + size () - read_pos_))) { // a new message has started, but the size would exceed the pre-allocated arena // this happens every time when a message does not fit completely into the buffer
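Review bot: the added condition names `msg_size_` and `read_pos_`, while the removed line and the function signature shown in the hunk header use `msg_size` and `read_pos` without the trailing underscore, so for a tree where the parameters are still spelled that way the new line will not compile. If the v4.2.1 target has the unsuffixed names, the backport should read `if (unlikely (msg_size > (size_t) (data () + size () - read_pos)))`. The cast to `size_t` also assumes `read_pos` never lies past `data () + size ()`; a negative difference would become a very large value and the check would never fire, so a short comment or assertion stating that invariant next to the condition would help.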