Bug 24186 - zeromq new security issue CVE-2019-6250
Summary: zeromq new security issue CVE-2019-6250
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-15 13:55 CET by David Walser
Modified: 2019-01-30 20:40 CET
CC: 4 users

See Also:
Source RPM: zeromq-4.2.2-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-01-15 13:55:26 CET
Debian has issued an advisory on January 14:
https://www.debian.org/security/2019/dsa-4368

The issue is fixed upstream in 4.3.1.

Mageia 6 is also affected.
David Walser 2019-01-15 13:56:32 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-15 20:29:58 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => zen25000

Comment 2 Barry Jackson 2019-01-15 23:53:49 CET
That would be great if 4.3.1 would build without 102 out of 108 ctest failures.

I had filed a bug report upstream this evening before seeing the mail about this CVE.

https://github.com/zeromq/libzmq/issues/3365

I will push the failing version to Cauldron with the tests enabled so that maybe someone else can help with it.

In the past the tests have passed locally but failed on the BS, so I normally test locally and if all tests pass I disable the tests and push to the BS.
Comment 3 Barry Jackson 2019-01-16 11:16:19 CET
In view of reply from upstream I am switching the package to autotools and so far results are looking good.
Comment 4 David Walser 2019-01-19 17:38:50 CET
openSUSE has issued an advisory for this on January 18:
https://lists.opensuse.org/opensuse-updates/2019-01/msg00063.html
Comment 5 Barry Jackson 2019-01-22 10:44:13 CET
(In reply to David Walser from comment #4)
> openSUSE has issued an advisory for this on January 18:
> https://lists.opensuse.org/opensuse-updates/2019-01/msg00063.html

This patch for 4.2.2 will save lots of rebuilds of other packages which would have been needed if we had tried to update to 4.3.1 in Mga6. It will also save me a lot of work, as I was about to start testing that route.
Thanks David! :)
Comment 6 David Walser 2019-01-22 12:17:20 CET
You're welcome :D

Also noting that zeromq-4.3.1-2.mga7 is now in Cauldron.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 7 Barry Jackson 2019-01-22 15:35:24 CET
Update Advisory
################################

zeromq-4.2.2-1.1 has been submitted to 6/core/updates_testing.

Description
################################

This update for zeromq fixes the following security issue:

CVE-2019-6250: fix a remote execution vulnerability due to pointer
arithmetic overflow

Packages affected
################################

libzmq5-4.2.2-1.1.mga6.i586.rpm
libzmq-devel-4.2.2-1.1.mga6.i586.rpm
zeromq-utils-4.2.2-1.1.mga6.i586.rpm
zeromq-debuginfo-4.2.2-1.1.mga6.i586.rpm

libzmq5-4.2.2-1.1.mga6.x86_64.rpm
libzmq-devel-4.2.2-1.1.mga6.x86_64.rpm
zeromq-utils-4.2.2-1.1.mga6.x86_64.rpm
zeromq-debuginfo-4.2.2-1.1.mga6.x86_64.rpm

From:
zeromq-4.2.2-1.1.mga6.src.rpm

Testing
################################

Since this is a one line patch I suspect that the tests performed during the build will suffice?

Assignee: zen25000 => qa-bugs
Source RPM: zeromq-4.2.3-3.mga7.src.rpm => zeromq-4.2.2-1.mga6.src.rpm
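
An added example, not from the bug report or from Mageia's own tooling, of the check a tester wants after an advisory like the one in comment 7: whether the installed zeromq packages are at or above the fixed build zeromq-4.2.2-1.1.mga6. The point is that this cannot be done with a string comparison: rpm splits versions into numeric and alphabetic segments and a numeric segment is always newer than an alphabetic one, which is what makes release 1.1.mga6 newer than 1.mga6. The code below reimplements rpm's rpmvercmp for illustration; it assumes rpm's `--qf` format with `%{EPOCHNUM}`, the x86_64 package name lib64zmq-devel (not listed in the bug, inferred from Mageia's library naming), and a constructed sample of `rpm -q` output rather than data captured from a real host.

```python
"""Added example, not from the bug report or Mageia's tooling: check whether the
installed zeromq packages are at or above the fixed build from comment 7
(zeromq-4.2.2-1.1.mga6) using rpm's version-comparison rules (a reimplementation
of rpmvercmp for illustration, not rpm's own code).
"""
import re

# Fixed build from the advisory in comment 7 (this package carries no epoch).
FIXED_EVR = "4.2.2-1.1.mga6"
# Packages to check on x86_64; lib64zmq-devel is assumed from Mageia's naming.
AFFECTED_PACKAGES = ("lib64zmq5", "lib64zmq-devel", "zeromq-utils")

_SEP = re.compile(r"^[^0-9A-Za-z~^]+")  # separators rpm skips between segments
_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp(): -1, 0 or 1.

    Strings are split into alternating numeric and alphabetic segments, skipping
    separators.  Numeric segments compare as integers, alphabetic ones as
    strings, and a numeric segment is always newer than an alphabetic one
    (hence 1.1.mga6 > 1.mga6).  '~' sorts before anything, even end of string;
    '^' sorts after end of string but before anything else.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _SEP.sub("", one, count=1), _SEP.sub("", two, count=1)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        isnum = "0" <= one[0] <= "9"
        pattern = _NUM if isnum else _ALPHA
        seg1 = pattern.match(one).group(0)
        m2 = pattern.match(two)
        if m2 is None:  # segment types differ: numeric beats alphabetic
            return 1 if isnum else -1
        seg2 = m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:  # drop leading zeros; the longer remaining number is larger
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, colon, rest = evr.partition(":")
    if not colon:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings as rpm does: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Constructed sample (not captured from a real host) of the output of:
#   rpm -q --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' <packages>
SAMPLE_RPM_Q = """\
lib64zmq5 0:4.2.2-1.mga6
lib64zmq-devel 0:4.2.2-1.1.mga6
zeromq-utils 0:4.2.2-1.1.mga6
package python3-pyzmq is not installed
"""


def audit(rpm_q_output: str, fixed_evr: str = FIXED_EVR) -> dict:
    """Map package name -> (installed EVR, True if at or above fixed_evr)."""
    result = {}
    for line in rpm_q_output.splitlines():
        if not line.strip() or line.startswith("package "):  # "... is not installed"
            continue
        name, evr = line.split()
        result[name] = (evr, evrcmp(evr, fixed_evr) >= 0)
    return result


if __name__ == "__main__":
    import subprocess
    try:
        query = ["rpm", "-q", "--qf", "%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n"]
        output = subprocess.run(query + list(AFFECTED_PACKAGES),
                                capture_output=True, text=True).stdout
    except FileNotFoundError:  # no rpm on this host: use the constructed sample
        output = SAMPLE_RPM_Q
    for name, (evr, fixed) in audit(output).items():
        print(f"{name:18} {evr:22} {'fixed' if fixed else 'VULNERABLE'}")
```

Run on a Mageia 6 host it queries rpm directly; elsewhere it falls back to the sample, where lib64zmq5 at 4.2.2-1.mga6 (the "before" state from comment 11) is reported as vulnerable and the 1.1.mga6 packages as fixed. The same comparison also confirms that Cauldron's 4.3.1-2.mga7 is newer than the Mageia 6 fix.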

Comment 8 Lewis Smith 2019-01-23 21:26:06 CET
 $ urpmq -i lib64zmq5
"The 0MQ lightweight messaging kernel is a library which extends the
standard socket interfaces..."

 $ urpmq --whatrequires lib64zmq5
 ...
 molequeue
 ntopng
 python[3]-pyzmq
 zeromq-utils

From:
 https://bugs.mageia.org/show_bug.cgi?id=16670#c5
"Testing the package with spyder3 & ipython console. Started spyder3 without error and entered print("hello world") into the ipython console at the bottom right."

The only PoC I found was at:
 https://github.com/zeromq/libzmq/issues/3351
A C program, with the qualifier "Crucial to this exploit is knowing certain addresses, like strcpy and system". Not for us.

 $ urpmf zeromq-utils
don't look very promising, either.

Note Barry's remark "Since this is a one line patch I suspect that the tests performed during the build will suffice?".
@Barry
Although it is not clear from comment 2 whether the build *did* include - or pass through - these tests.

CC: (none) => lewyssmith

Comment 9 Lewis Smith 2019-01-26 21:59:53 CET
More scratching around:
 MoleQueue is an open-source, cross-platform, system-tray resident desktop application for abstracting, managing, and coordinating the execution of tasks both locally and on remote computational resources.
 ntopng is the next generation version of the original ntop. It is a network packet traffic probe and collector that renders network usage graphically, similar to what the popular top Unix command does.
 python-pyzmq: This package contains Python bindings for zeromq, a lightweight and fast messaging implementation. [Similar for Python3].
Among the 'whatrequires' for this last pkg is 'spyder' just as Claire said!
 Spyder is a Python development environment with advanced editing, interactive
testing, debugging and introspection features.

To pursue tomorrow.
Comment 10 Herman Viaene 2019-01-27 10:28:22 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
In view of comments above, just checked what commands are in zeromq-utils, picked one:
$ local_lat --help
usage: local_lat <bind-to> <message-size> <roundtrip-count>
Not the most helpful I've ever seen, but it does something sensible at least.

CC: (none) => herman.viaene

Comment 11 Lewis Smith 2019-01-27 11:39:17 CET
M6 x64 (OK)

Installed ntopng. [If you can get this to work, it looks a super program]. It needs redis not just installed, but already running. Need to be root to start it. 
/usr/share/doc/ntopng has lots of info, including a good PDF user guide; and README.zmq. It all looks complicated. The local web interface is http://localhost:3000/ with default user/password of admin/admin.

BEFORE update: lib64zmq5-4.2.2-1.mga6
All the utilities:
 inproc_lat inproc_thr local_lat local_thr remote_lat remote_thr
have no man page, and O/P a brief usage line when invoked.

 # systemctl start redis
 # systemctl status redis
 ● redis.service - Redis persistent key-value database
   Active: active (running) since Sad 2019-01-26 21:49:30 CET; 8s ago
 # strace ntopng -i 1 2>&1 | grep libzmq
 open("/lib64/libzmq.so.5", O_RDONLY|O_CLOEXEC) = 3
but I am not at all convinced it was used... The web interface gave a correct login screen, but then foundered:
    HTTP/1.1 500 Internal server error Content-Type: text/html Connection: close Script "/usr/share/ntopng/scripts/lua/index.lua" returned an error:
    /usr/share/ntopng/scripts/lua/inc/menu.lua:25: attempt to index a nil value
I am not chasing that. I think its output is in /var/tmp/ntopng/; this existed but was empty.

Installed Spyder[3] - nearly 100 pkgs! On starting it, it complained:
- that it was out of date: Spyder 3.3.2 is available!
- You have missing dependencies!   nbconvert >=4.0: None (NOK)
As per comment 8, in the ipython console at the bottom right:-
 In [1]: print("hello world")
 hello world
$ strace spyder 2>&1 | grep libzmq
open("/lib64/libzmq.so.5", O_RDONLY|O_CLOEXEC) = 26
 Doubt it was used...
---------------------
AFTER update: lib64zmq5-4.2.2-1.1.mga6.x86_64  zeromq-utils-4.2.2-1.1.mga6

Utilities: same.
ntopng: same
spyder: same
 Update looks OK. Advisoried from comment 7.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
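
The strace check in comment 11 only shows that /lib64/libzmq.so.5 was open()ed when ntopng and spyder started, which the dynamic loader does for every binary linked against it whether or not a single zmq function is ever called. An added example, not from the bug report or from Mageia's QA procedure, of a check that separates "loaded as a dependency" from "actually called": it assumes glibc's dynamic loader (LD_DEBUG) with its default lazy binding, under which a PLT entry is bound on first call, so every libzmq symbol that appears in the bindings trace is one the program really invoked during the run.

```sh
#!/bin/sh
# Added example, not from the bug report: confirm that a program actually
# calls into libzmq.so.5 at run time instead of only open()ing it at start-up.
# Assumes glibc's dynamic loader (LD_DEBUG) with default lazy binding: a PLT
# entry is bound on first call, so each "binding ... to libzmq.so.5" line
# names a libzmq function the program really invoked during the run.

# zmq_symbols_used CMD [ARGS...]
#   Run CMD under LD_DEBUG=bindings and print the distinct libzmq.so.5
#   symbols that were bound (prints nothing if libzmq was never called).
zmq_symbols_used() {
    # LD_DEBUG writes to stderr; send that down the pipe and drop CMD's stdout.
    LD_DEBUG=bindings "$@" 2>&1 >/dev/null \
        | grep 'binding file .* to .*libzmq\.so\.5' \
        | sed -n 's/.*symbol .\([A-Za-z0-9_]*\).*/\1/p' \
        | sort -u
}

# zmq_symbol_count CMD [ARGS...]
#   Number of distinct libzmq.so.5 symbols bound during the run (0 = unused).
zmq_symbol_count() {
    zmq_symbols_used "$@" | wc -l | tr -d ' '
}

# Example invocations mirroring the test report (ntopng needs root and a
# running redis, as noted in comment 11):
#   zmq_symbols_used ntopng -i 1
#   zmq_symbol_count spyder3
```

A non-zero count for ntopng or spyder is the evidence the strace grep could not give. The caveat is LD_BIND_NOW: if it is set in the environment, or the binary was linked with `-z now`, every symbol binds at start-up and the count no longer says anything about use; in that case `ltrace -l 'libzmq.so*'` on the running command is the alternative.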

Comment 12 Mageia Robot 2019-01-30 20:40:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0054.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

