Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 689426 (CVE-2019-13132)

Summary: <net-libs/zeromq-4.3.2: denial of service via stack overflow with arbitrary data overwrite (CVE-2019-13132)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: whissi
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://marc.info/?l=oss-security&m=156260342300969&w=2
Whiteboard: B1 [glsa+ cve]
Package list:
net-libs/zeromq-4.3.2
 Runtime testing required: ---
Deadline: 2019-07-08   

Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-07-07 19:51:49 UTC 
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-07-09 00:27:25 UTC 
CVE-2019-13132: a remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations. All versions from 4.0.0 and upwards are affected.
Comment 2 Larry the Git Cow gentoo-dev 2019-07-09 00:33:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d85aa97574742adc3d17a2300fb7006f01486238

commit d85aa97574742adc3d17a2300fb7006f01486238
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-07-09 00:32:43 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-07-09 00:33:17 +0000

    net-libs/zeromq: amd64 & x86 stable (#689426)
    
    Bug: https://bugs.gentoo.org/689426
    Package-Manager: Portage-2.3.68, Repoman-2.3.16
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/zeromq-4.3.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e5e3d0670568e4ad8d047a773195483287559bb

commit 5e5e3d0670568e4ad8d047a773195483287559bb
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-07-09 00:28:07 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-07-09 00:33:16 +0000

    net-libs/zeromq: bump to v4.3.2
    
    Bug: https://bugs.gentoo.org/689426
    Package-Manager: Portage-2.3.68, Repoman-2.3.16
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/Manifest            |  1 +
 net-libs/zeromq/zeromq-4.3.2.ebuild | 60 +++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
Comment 3 Rolf Eike Beer archtester 2019-07-10 16:22:42 UTC 
sparc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-07-14 10:04:36 UTC 
ia64 stable
Comment 5 Rolf Eike Beer archtester 2019-07-15 19:20:56 UTC 
hppa stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-07-18 09:58:22 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-07-18 10:48:24 UTC 
ppc64 stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-07-21 22:50:26 UTC 
arm64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 20:03:24 UTC 
arm stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:59:32 UTC 
This issue was resolved and addressed in
 GLSA 201908-17 at https://security.gentoo.org/glsa/201908-17
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-08-15 15:59:59 UTC 
re-opened for cleanup
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-15 18:54:08 UTC 
Repository is now clean, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db77a1dc3ae7e03aaa2b8035b6a410e63380bb72