Peter Korsgaard fd1ac2e762 package/zeromq: security bump to version 4.3.3
Fixes the following security issues:

- CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
  unauthenticated clients.
  If a raw TCP socket is opened and connected to an endpoint that is fully
  configured with CURVE/ZAP, legitimate clients will not be able to exchange
  any message.  Handshakes complete successfully, and messages are delivered
  to the library, but the server application never receives them.  For more
  information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

- Stack overflow on a server running a PUB/XPUB socket (CURVE disabled).
  The PUB/XPUB subscription store (mtrie) is traversed using recursive
  function calls.  In the remove (unsubscription) case, the recursive calls
  are NOT tail calls, so even with optimizations the stack grows linearly
  with the length of a subscription topic.  Topics are under the control of
  remote clients - they can send a subscription to arbitrary length topics.
  An attacker can thus cause a server to create an mtrie sufficiently large
  such that, when unsubscribing, traversal will cause a stack overflow.  For
  more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8

- Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
  Messages with metadata are never processed by PUB sockets, but the
  metadata is kept referenced in the PUB object and never freed.  For more
  information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw

- Memory leak in client induced by malicious server(s) without CURVE/ZAP.
  When a pipe processes a delimiter and is already not in active state but
  still has an unfinished message, the message is leaked.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87

- Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
  By crafting a packet which is not valid ZMTP v2/v3, and which has two
  messages larger than 8192 bytes, the decoder can be tricked into changing
  the recorded size of the 8192-byte static buffer, which then gets
  overflowed by the next message.  The content written past the end of that
  buffer is entirely sender-controlled.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6

Drop the now-upstreamed patches (and with them the autoreconf step they
required), and reformat the hash file with two-space delimiters.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-09 08:40:48 +02:00


################################################################################
#
# zeromq
#
################################################################################
# Upstream release tarball.  The version pins the download URL; the expected
# checksum lives in the hash file kept next to this .mk (not shown here), so a
# version bump must update both or the download is rejected.
ZEROMQ_VERSION = 4.3.3
ZEROMQ_SITE = https://github.com/zeromq/libzmq/releases/download/v$(ZEROMQ_VERSION)

# Licensing: LGPL-3.0+ with exceptions (see COPYING for the exact terms).
ZEROMQ_LICENSE = LGPL-3.0+ with exceptions
ZEROMQ_LICENSE_FILES = COPYING COPYING.LESSER

# Install headers/libraries into staging so dependent packages can link.
ZEROMQ_INSTALL_STAGING = YES
# util-linux is a build dependency (presumably for libuuid -- confirm).
ZEROMQ_DEPENDENCIES = util-linux
# -Werror would turn toolchain-specific warnings into build breaks; docs are
# not useful on target.
ZEROMQ_CONF_OPTS = --disable-Werror --without-documentation
# Pre-seed configure's cache for socket/TCP options we know every supported
# kernel has (SOCK_CLOEXEC has existed since linux v2.6.27) -- presumably
# because the corresponding configure probes cannot run when cross-compiling
# (confirm).  TCP_KEEPALIVE is intentionally absent: that option is NOT
# available, so it must not be declared present here.
ZEROMQ_CONF_ENV = libzmq_cv_sock_cloexec=yes
ZEROMQ_CONF_ENV += libzmq_cv_so_keepalive=yes
ZEROMQ_CONF_ENV += libzmq_cv_tcp_keepcnt=yes
ZEROMQ_CONF_ENV += libzmq_cv_tcp_keepidle=yes
ZEROMQ_CONF_ENV += libzmq_cv_tcp_keepintvl=yes
# ColdFire (m68k_cf) builds trip a gcc internal compiler error:
#   "Internal error, aborting at dwarf2cfi.c:2752 in connect_traces"
# tracked at https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58864.
# -fno-defer-pop sidesteps the faulty code path; the full TARGET_CXXFLAGS
# must be repeated because passing CXXFLAGS to configure replaces them.
ifeq "$(BR2_m68k_cf)" "y"
ZEROMQ_CONF_OPTS += CXXFLAGS="$(TARGET_CXXFLAGS) -fno-defer-pop"
endif
# Static builds need the C++ runtime named explicitly for tools/curve_keygen.c
# (presumably a C program linked against libzmq's C++ objects -- confirm).
# Passing LIBS for the whole build is harmless: everything else already pulls
# in stdc++ on its own.
ifeq (y,$(BR2_STATIC_LIBS))
ZEROMQ_CONF_OPTS += LIBS=-lstdc++
endif
# Optional NORM (NACK-Oriented Reliable Multicast) transport; configure is
# told explicitly either way so it never auto-detects a host library.
ifneq ($(BR2_PACKAGE_ZEROMQ_NORM),y)
ZEROMQ_CONF_OPTS += --without-norm
else
ZEROMQ_DEPENDENCIES += norm
ZEROMQ_CONF_OPTS += --with-norm
endif
# Optional OpenPGM transport.  host-pkgconf is pulled in alongside openpgm,
# presumably because configure locates the library via pkg-config (confirm).
ifeq "$(BR2_PACKAGE_ZEROMQ_PGM)" "y"
ZEROMQ_CONF_OPTS += --with-pgm
ZEROMQ_DEPENDENCIES += host-pkgconf openpgm
else
ZEROMQ_CONF_OPTS += --without-pgm
endif
# Draft (unstable) APIs are strictly opt-in.  NOTE(review): draft interfaces
# can change between releases and are presumably not covered by the stable
# API's compatibility guarantees -- keep this off unless a consumer needs it.
ifneq (y,$(BR2_PACKAGE_ZEROMQ_DRAFTS))
ZEROMQ_CONF_OPTS += --disable-drafts
else
ZEROMQ_CONF_OPTS += --enable-drafts
endif
# CURVE crypto backend: use the system libsodium whenever it is part of the
# build, pointing configure at the staging tree so it never picks up a host
# copy.  NOTE(review): when libsodium is absent, libzmq presumably falls back
# to its bundled tweetnacl implementation (or builds without CURVE) --
# confirm which backend --without-libsodium actually yields, since that is
# the code that handles the CURVE/ZAP handshakes.
ifneq ($(BR2_PACKAGE_LIBSODIUM),y)
ZEROMQ_CONF_OPTS += --without-libsodium
else
ZEROMQ_DEPENDENCIES += libsodium
ZEROMQ_CONF_OPTS += --with-libsodium="$(STAGING_DIR)/usr"
endif
# Optional libunwind support (backtraces); explicitly disabled otherwise so
# configure does not auto-detect it.
ifeq (y,$(BR2_PACKAGE_LIBUNWIND))
ZEROMQ_CONF_OPTS += --enable-libunwind
ZEROMQ_DEPENDENCIES += libunwind
else
ZEROMQ_CONF_OPTS += --disable-libunwind
endif
# Instantiate the generic autotools package rules (download, verify hash,
# configure, build, install) from the ZEROMQ_* variables defined above.
$(eval $(autotools-package))