Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 549182

Summary: <net-libs/zeromq-4.0.6 <net-libs/zeromq-4.1.1: is susceptible to a protocol downgrade attack on sockets using the ZMTP v3 (CVE-2014-9721)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jlec, qnikst
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2015-05-11 14:46:23 UTC 
From https://github.com/zeromq/libzmq/issues/1273 :

    It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a
    ZMTP v2 or earlier header. The library accepts such connections without
    applying its security mechanism.

    Solution: if security is defined on a socket, reject all V2 and earlier
    connections, unconditionally.


A patch for the zeromq 4.0.x stable series is available at
https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51


Source: http://seclists.org/oss-sec/2015/q2/387


Debian issued DSA-3255-1 (https://www.debian.org/security/2015/dsa-3255.html)

Reproducible: Always
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-06-04 12:31:09 UTC 
+  04 Jun 2015; Justin Lecher <jlec@gentoo.org> -zeromq-4.0.5.ebuild:
+  Drop vulnerable version, bug #549182
+

Tree is clean again.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-04 12:40:12 UTC 
Am I understanding it correctly that this functionality was introduced in the 4.x series and as such the stable 3.2 series is not affected?
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2015-06-04 12:55:24 UTC 
(In reply to Kristian Fiskerstrand from comment #2)
> Am I understanding it correctly that this functionality was introduced in
> the 4.x series and as such the stable 3.2 series is not affected?

That's how I understand it. I asked upstream for confirmation.

Nevertheless I already asked for stabilization of version 4 too.
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2015-06-05 06:29:37 UTC 
(In reply to Justin Lecher from comment #3)
> That's how I understand it. I asked upstream for confirmation.

Upstream confirmed that only version 4 was and could be vulnerable.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:17:51 UTC 
CVE-2014-9721 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9721):
  libzmq before 4.0.6 and 4.1.x before 4.1.1 allows remote attackers to
  conduct downgrade attacks and bypass ZMPT v3 protocol security mechanisms
  via a ZMTP v2 or earlier header.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 11:23:44 UTC 
GLSA Vote: No