| Summary: | zeromq new security issue CVE-2020-15166 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | ouaurelien, sysadmin-bugs, tarazed25, zen25000 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | Mageia 7 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | zeromq-4.3.2-3.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-09-07 23:58:31 CEST
David Walser
2020-09-07 23:58:43 CEST
Status comment:
(none) =>
Fixed upstream in 4.3.3

Fixed in zeromq-4.3.3-1.mga8 in Cauldron by Barry.

Version:
Cauldron =>
7

Updated package uploaded for Mageia 7 by Barry.

Advisory:
========================

Updated zeromq packages fix security vulnerability:

If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them (CVE-2020-15166).

Also, the cppzmq package has been rebuilt against the updated zeromq library.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15166
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
========================

Updated packages in core/updates_testing:
========================
libzmq5-4.3.3-1.mga7
libzmq-devel-4.3.3-1.mga7
zeromq-utils-4.3.3-1.mga7
lib64cppzmq-devel-4.3.0-2.1.mga7

from SRPMS:
zeromq-4.3.3-1.mga7.src.rpm
cppzmq-4.3.0-2.1.mga7.src.rpm

Assignee:
zen25000 =>
qa-bugs

mga7, x86_64

Before update, installation of the listed packages failed for lib64cppzmq-devel.
The following package cannot be installed because it depends on packages that are older than the installed ones:
lib64cppzmq-devel-4.3.0-2.mga7

$ urpmq --requires lib64cppzmq-devel-4.3.0-2.mga7
zeromq-devel[== 4.3.1]
$ rpm -q zeromq-devel
package zeromq-devel is not installed
$ sudo urpmi zeromq-devel
Package lib64zmq-devel-4.3.2-1.mga7.x86_64 is already installed

How to interpret this?

Note also that compilation of the PoC failed because pkgconfig could not deal with libzmq.pc. That needed to be edited to point to /usr/lib64. The compilation worked fine after that.

$ g++ -o dos -lzmq $(pkg-config --libs libzmq) poc_dos.cc
$ file dos
dos: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=dd743fbe659584b0c656d367de285fe36ab4bf47, for GNU/Linux 3.2.0, with debug_info, not stripped
$ ./dos
hangs forever, as expected. The rest of the system continues to operate normally.

Updated the packages and was able to install lib64cppzmq-devel without problems.
The pkgconfig file for libzmq needed to be edited again to allow compilation of the test script.

$ ./dos
$

Expected result.

Unsure of how to test this. Leaving this for packager comments.

CC:
(none) =>
tarazed25
Len Lawrence
2020-09-14 09:21:27 CEST
Keywords:
(none) =>
feedback

Apologies, omitted the address for the PoC:
CVE-2020-15166
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

Not sure what you mean by unsure how to test it, as you tested it successfully. Can you give more details on how you had to edit the pkgconfig file?

I guess you are right David - the compilation used the library and generated the executable OK.

Yes, I changed the library path entry in libzmq.pc from lib to lib64. The diagnostics had advised a more specific path to the library so that was my first thought. Most other pkgconfig files had the lib64 entry, e.g. libdir=/usr/lib64. Just an oversight probably.

$ count pkgconfig
245
$ cd pkgconfig
$ grep libdir=/usr/lib64 *.pc | wc -l
193

So, let's send this on. You have the final word. OK once the config is corrected, that is.

Barry, it sounds like the pkgconfig file isn't being generated correctly on x86_64. Can you have a look?

Ah well I was waiting to test the install tonight before adding the advisory :\
...but thanks for doing it :)

Yes I will take a look.

OK, this should be fixed. Updated zeromq-4.3.3-1.1.mga7 currently building.
David Walser
2020-09-14 22:39:49 CEST
Keywords:
feedback =>
(none)

I need to rebuild cppzmq again as well, as I forgot to up the required version of zeromq in its spec and it built against the old version. :\
Doing it in a moment.

That rebuild was unnecessary. Usually, explicit versions on the BuildRequires are not necessary.
http://pkgsubmit.mageia.org/uploads/done/7/core/updates_testing/20200913223841.barjac.duvel.27003/cppzmq-4.3.0-2.1.mga7/rpm_qa.0.20200913223904.log

Right. Yes, my error, wasted a few electrons.

New package list is:
libzmq5-4.3.3-1.1.mga7
libzmq-devel-4.3.3-1.1.mga7
zeromq-utils-4.3.3-1.1.mga7
libcppzmq-devel-4.3.0-2.2.mga7

from SRPMS:
zeromq-4.3.3-1.1.mga7.src.rpm
cppzmq-4.3.0-2.2.mga7.src.rpm

Updated the four packages and re-compiled the PoC file. Ran the resulting executable. Immediate return.
Thanks Barry and David.
Validating, advisory in comment 2.

Keywords:
(none) =>
validated_update

Packages Comment 14.
Advisory done on SVN.

Target Milestone:
--- =>
Mageia 7

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0367.html

Resolution:
(none) =>
FIXED
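
The two things this update hinged on, a libzmq.pc whose libdir actually holds the library and a Version at or above the fixed 4.3.3, can be checked mechanically before a package goes to QA. The script below is an added example, not part of the bug report or of Mageia's packaging; the function names and the sample .pc contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a pkg-config file for a usable libdir and a fixed version.
# The fixture written by make_sample is constructed, not the shipped libzmq.pc.

pc_var() {  # pc_var FILE NAME: print a .pc variable with ${prefix}/${exec_prefix} expanded
    prefix=$(sed -n 's/^prefix=//p' "$1" | head -n 1)
    exec_prefix=$(sed -n 's/^exec_prefix=//p' "$1" | head -n 1 |
        sed "s|\${prefix}|$prefix|")
    sed -n "s/^$2=//p" "$1" | head -n 1 |
        sed -e "s|\${exec_prefix}|$exec_prefix|" -e "s|\${prefix}|$prefix|"
}

version_ge() {  # version_ge A B: succeed when dotted numeric version A >= B
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

audit_pc() {  # audit_pc FILE LIBNAME MIN_VERSION: print a verdict, return 0 only if OK
    libdir=$(pc_var "$1" libdir)
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$1" | head -n 1)
    if ! ls "$libdir/$2".so* >/dev/null 2>&1; then
        echo "BAD-LIBDIR $libdir"; return 1      # linker path would not resolve
    fi
    if ! version_ge "$version" "$3"; then
        echo "OLD-VERSION $version"; return 2    # still older than the fixed release
    fi
    echo "OK $version"
}

make_sample() {  # make_sample ROOT LIBDIRNAME VERSION: write a constructed fixture
    mkdir -p "$1/usr/lib64/pkgconfig"
    : > "$1/usr/lib64/libzmq.so.5"               # empty stand-in for the library
    printf 'prefix=%s/usr\nexec_prefix=${prefix}\nlibdir=${exec_prefix}/%s\nVersion: %s\n' \
        "$1" "$2" "$3" > "$1/usr/lib64/pkgconfig/libzmq.pc"
    echo "$1/usr/lib64/pkgconfig/libzmq.pc"
}

root=$(mktemp -d)
audit_pc "$(make_sample "$root" lib 4.3.3)" libzmq 4.3.3 || true    # lib instead of lib64
audit_pc "$(make_sample "$root" lib64 4.3.2)" libzmq 4.3.3 || true  # right path, unfixed
audit_pc "$(make_sample "$root" lib64 4.3.3)" libzmq 4.3.3          # corrected package
rm -rf "$root"
```

On a real system, point `audit_pc` at the installed libzmq.pc instead of the fixture.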