package/zeromq: security bump to version 4.3.3

Fixes the following security issues: - CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m - Stack overflow on server running PUB/XPUB socket (CURVE disabled). The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case, the recursive calls are NOT tail calls, so even with optimizations the stack grows linearly with the length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such that, when unsubscribing, traversal will cause a stack overflow. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8 - Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP. Messages with metadata are never processed by PUB sockets, but the metadata is kept referenced in the PUB object and never freed. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw - Memory leak in client induced by malicious server(s) without CURVE/ZAP. When a pipe processes a delimiter and is already not in active state but still has an unfinished message, the message is leaked. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 - Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled). By crafting a packet which is not valid ZMTP v2/v3, and which has two messages larger than 8192 bytes, the decoder can be tricked into changing the recorded size of the 8192 bytes static buffer, which then gets overflown by the next message. The content that gets written in the overflown memory is entirely decided by the sender. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 Drop now upstreamed patches, autoreconf and reformat hash file with 2 space delimiters. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-08 22:53:15 +02:00 · 2020-09-08 22:53:15 +02:00 · fd1ac2e762
commit fd1ac2e762
parent 76ed69499d
4 changed files with 6 additions and 85 deletions
--- a/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch
+++ b/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch
@ -1,36 +0,0 @@
-From d59dcbcaebd91ca30a0f866403c383177a4843f8 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sun, 12 Jan 2020 10:10:15 +0100
-Subject: [PATCH] acinclude.m4: add -latomic to PKGCFG_LIBS_PRIVATE
-
-Add -latomic to PKGCFG_LIBS_PRIVATE so applications linking statically
-with libzmq (such czmq) will know that they have to link with -latomic
-and the following build failure will be avoided:
-
-  CCLD     src/czmq_selftest
-/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/7.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/run/instance-3/output-1/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libzmq.a(src_libzmq_la-ctx.o): in function `zmq::ctx_t::create_socket(int)':
-ctx.cpp:(.text+0x1710): undefined reference to `__atomic_fetch_add_4'
-
-Fixes:
- - http://autobuild.buildroot.org/results/4a12f1ede260cd956a0b5ccb4eec6ca8b44cb04f
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Retrieved from:
-https://github.com/zeromq/libzmq/commit/d59dcbcaebd91ca30a0f866403c383177a4843f8]
---
- acinclude.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index 8c042ca50..387a3d2a1 100644
--- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -691,7 +691,7 @@ int main (int, char **)
-             return t;
-         }
-         ])],
-        [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" ; $1],
-+        [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" PKGCFG_LIBS_PRIVATE="$PKGCFG_LIBS_PRIVATE -latomic" ; $1],
-         [AC_MSG_RESULT(no) ; libzmq_cv_has_atomic_instrisics="no" LIBS=$save_LIBS ; $2])
-     fi
- }])
--- a/package/zeromq/0002-configure.ac-fix-build-with-openpgm-5-3-128.patch
+++ b/package/zeromq/0002-configure.ac-fix-build-with-openpgm-5-3-128.patch
@ -1,41 +0,0 @@
-From 883d432c29fe5b81b2b4a6809610c60083571fb4 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Wed, 2 Sep 2020 07:54:36 +0200
-Subject: [PATCH] configure.ac: fix build with openpgm-5-3-128
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/zeromq/libzmq/pull/4027]
---
- configure.ac | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index e7193423..49b5d69c 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -649,13 +649,18 @@ AC_ARG_WITH([pgm], [AS_HELP_STRING([--with-pgm],
- 
- # conditionally require pgm package
- if test "x$with_pgm_ext" != "xno"; then
-    PKG_CHECK_MODULES([pgm], [openpgm-5.2 >= 5.2], [
-+    PKG_CHECK_MODULES([pgm], [openpgm-5.3 >= 5.3], [
-         have_pgm_library="yes"
-        PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.2 >= 5.2"
-+        PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.3 >= 5.3"
-     ], [
-        PKG_CHECK_MODULES([pgm], [openpgm-5.1 >= 5.1], [
-+        PKG_CHECK_MODULES([pgm], [openpgm-5.2 >= 5.2], [
-             have_pgm_library="yes"
-            PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.1 >= 5.1"
-+            PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.2 >= 5.2"
-+        ], [
-+            PKG_CHECK_MODULES([pgm], [openpgm-5.1 >= 5.1], [
-+                have_pgm_library="yes"
-+                PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.1 >= 5.1"
-+            ])
-         ])
-     ])
- fi
-- 
-2.28.0
-
--- a/package/zeromq/zeromq.hash
+++ b/package/zeromq/zeromq.hash
@ -1,7 +1,7 @@
 # From https://github.com/zeromq/libzmq/releases
-md5  2047e917c2cc93505e2579bcba67a573 zeromq-4.3.2.tar.gz
-sha1 e5253bff214f77621b3d29443f1aa6e5a106ffe5  zeromq-4.3.2.tar.gz
+md5  78acc277d95e10812d71b2b3c3c3c9a9  zeromq-4.3.3.tar.gz
+sha1  d78bc504194d6908df40a2b9e41849b181b02491  zeromq-4.3.3.tar.gz
 # Locally computed
-sha256 ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763  zeromq-4.3.2.tar.gz
-sha256 4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3  COPYING
-sha256 83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6  COPYING.LESSER
+sha256  9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2  zeromq-4.3.3.tar.gz
+sha256  4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3  COPYING
+sha256  83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6  COPYING.LESSER
--- a/package/zeromq/zeromq.mk
+++ b/package/zeromq/zeromq.mk
@ -4,15 +4,13 @@
 #
 ################################################################################

-ZEROMQ_VERSION = 4.3.2
+ZEROMQ_VERSION = 4.3.3
 ZEROMQ_SITE = https://github.com/zeromq/libzmq/releases/download/v$(ZEROMQ_VERSION)
 ZEROMQ_INSTALL_STAGING = YES
 ZEROMQ_DEPENDENCIES = util-linux
 ZEROMQ_CONF_OPTS = --disable-Werror --without-documentation
 ZEROMQ_LICENSE = LGPL-3.0+ with exceptions
 ZEROMQ_LICENSE_FILES = COPYING COPYING.LESSER
-# We're patching acinclude.m4
-ZEROMQ_AUTORECONF = YES

 # Assume these flags are always available. It is true, at least for
 # SOCK_CLOEXEC, since linux v2.6.27.