Incoming details.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff2f10013fd5ad08befbb74b0f48987a4272c80

commit bff2f10013fd5ad08befbb74b0f48987a4272c80
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-01-14 02:19:03 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-01-14 02:19:15 +0000

    net-libs/zeromq: bump to v4.3.1

    Bug: https://bugs.gentoo.org/675376
    Package-Manager: Portage-2.3.55, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/Manifest | 1 +
 net-libs/zeromq/zeromq-4.3.1.ebuild | 62 +++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).
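The bounds-check failure described in the comment above, as an added example that is not part of the original bug report and is not libzmq's code: a check that adds a peer-supplied 64-bit size to the read position wraps around and accepts an oversized frame, while a check that compares the size with the bytes remaining rejects it. The function names, the 8192-byte buffer, the read offset and the length fields are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decode an 8-byte big-endian length field as received from the peer. */
static uint64_t get_u64_be(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Flawed check: adds the peer-supplied size to the read position first.
   Done on uintptr_t so the wrap-around is defined and observable. */
static bool fits_flawed(const unsigned char *buf, size_t cap,
                        const unsigned char *pos, uint64_t msg_size)
{
    uintptr_t end = (uintptr_t)buf + cap;
    uintptr_t msg_end = (uintptr_t)pos + (uintptr_t)msg_size; /* can wrap */
    return msg_end <= end;
}

/* Hardened check: compare the size with the bytes left, no addition. */
static bool fits_checked(const unsigned char *buf, size_t cap,
                         const unsigned char *pos, uint64_t msg_size)
{
    if (pos < buf || (size_t)(pos - buf) > cap)
        return false;
    return msg_size <= (uint64_t)(cap - (size_t)(pos - buf));
}

/* Constructed sample data: a receive buffer and two length fields. */
static unsigned char rx_buf[8192];
static const unsigned char huge_len[8] = {0xff, 0xff, 0xff, 0xff,
                                          0xff, 0xff, 0xff, 0xff};
static const unsigned char small_len[8] = {0, 0, 0, 0, 0, 0, 0, 0x40};

int main(void)
{
    const unsigned char *pos = rx_buf + 9; /* assumed offset past a header */
    uint64_t big = get_u64_be(huge_len), small = get_u64_be(small_len);
    /* Exit 0 when the flawed check accepts the oversized frame, the
       hardened check rejects it, and both accept the small frame. */
    return (fits_flawed(rx_buf, sizeof rx_buf, pos, big) &&
            !fits_checked(rx_buf, sizeof rx_buf, pos, big) &&
            fits_flawed(rx_buf, sizeof rx_buf, pos, small) &&
            fits_checked(rx_buf, sizeof rx_buf, pos, small)) ? 0 : 1;
}
```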
An automated check of this bug failed - repoman reported dependency errors (17 lines truncated):

> dependency.bad net-libs/zeromq/zeromq-4.3.1.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['=net-libs/openpgm-5.2.122']
> dependency.bad net-libs/zeromq/zeromq-4.3.1.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['=net-libs/openpgm-5.2.122']
> dependency.bad net-libs/zeromq/zeromq-4.3.1.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['=net-libs/openpgm-5.2.122']
Oops, alpha hasn't keyworded package -- removing.
x86 stable
arm64 stable
Just in case any of the tests test_reconnect_ivl, test_pair_ipc, or test_rebind_ipc fails: these are just the test cases using a fixed file in /tmp and not cleaning up on failure. Just "rm -f /tmp/{test_pair_ipc,test_rebind_ipc,test_reconnect_ivl}" and try again. This has been fixed upstream after the 4.3.1 release.
sparc stable
ia64 stable
ppc stable
ppc64 stable
amd64 stable
hppa stable
arm stable
@maintainer, please drop vulnerable.
This issue was resolved and addressed in GLSA 201903-22 at https://security.gentoo.org/glsa/201903-22 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba0378bf154e007fbd1c68bdfe20bd12a5f92674

commit ba0378bf154e007fbd1c68bdfe20bd12a5f92674
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-04-05 17:20:33 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-04-05 17:22:02 +0000

    net-libs/zeromq: security cleanup

    Bug: https://bugs.gentoo.org/675376
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/Manifest | 8 ---
 .../zeromq/files/zeromq-4.2.0-dl-backport.patch | 25 --------
 ...able-experimental-zmq_poll-implementation.patch | 35 -----------
 .../files/zeromq-4.2.2-optional-libunwind.patch | 70 ----------------------
 net-libs/zeromq/zeromq-4.1.1.ebuild | 49 ---------------
 net-libs/zeromq/zeromq-4.1.6.ebuild | 55 -----------------
 net-libs/zeromq/zeromq-4.2.0-r1.ebuild | 59 ------------------
 net-libs/zeromq/zeromq-4.2.1.ebuild | 55 -----------------
 net-libs/zeromq/zeromq-4.2.2-r1.ebuild | 57 ------------------
 net-libs/zeromq/zeromq-4.2.2-r2.ebuild | 63 -------------------
 net-libs/zeromq/zeromq-4.2.2.ebuild | 55 -----------------
 net-libs/zeromq/zeromq-4.2.3.ebuild | 62 -------------------
 net-libs/zeromq/zeromq-4.2.5.ebuild | 62 -------------------
 net-libs/zeromq/zeromq-4.3.0.ebuild | 62 -------------------
 14 files changed, 717 deletions(-)