Upstream has issued an advisory today (September 7):
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
The issue is fixed upstream in 4.3.3. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 4.3.3
Whiteboard: (none) => MGA7TOO
Fixed in zeromq-4.3.3-1.mga8 in Cauldron by Barry.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Updated package uploaded for Mageia 7 by Barry.
Advisory:
========================
Updated zeromq packages fix security vulnerability:
If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them (CVE-2020-15166).
Also, the cppzmq package has been rebuilt against the updated zeromq library.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15166
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
========================
Updated packages in core/updates_testing:
========================
libzmq5-4.3.3-1.mga7
libzmq-devel-4.3.3-1.mga7
zeromq-utils-4.3.3-1.mga7
lib64cppzmq-devel-4.3.0-2.1.mga7
from SRPMS:
zeromq-4.3.3-1.mga7.src.rpm
cppzmq-4.3.0-2.1.mga7.src.rpm
Assignee: zen25000 => qa-bugs
Status comment: Fixed upstream in 4.3.3 => (none)
CC: (none) => zen25000
mga7, x86_64
Before update, installation of the listed packages failed for lib64cppzmq-devel.
The following package cannot be installed because it depends on packages that are older than the installed ones: lib64cppzmq-devel-4.3.0-2.mga7
$ urpmq --requires lib64cppzmq-devel-4.3.0-2.mga7
zeromq-devel[== 4.3.1]
$ rpm -q zeromq-devel
package zeromq-devel is not installed
$ sudo urpmi zeromq-devel
Package lib64zmq-devel-4.3.2-1.mga7.x86_64 is already installed
How to interpret this?
Note also that compilation of the PoC failed because pkgconfig could not deal with libzmq.pc. That needed to be edited to point to /usr/lib64. The compilation worked fine after that.
$ g++ -o dos -lzmq $(pkg-config --libs libzmq) poc_dos.cc
$ file dos
dos: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=dd743fbe659584b0c656d367de285fe36ab4bf47, for GNU/Linux 3.2.0, with debug_info, not stripped
$ ./dos
hangs forever, as expected. The rest of the system continues to operate normally.
Updated the packages and was able to install lib64cppzmq-devel without problems. The pkgconfig file for libzmq needed to be edited again to allow compilation of the test script.
$ ./dos
$
Expected result.
Unsure of how to test this. Leaving this for packager comments.
CC: (none) => tarazed25
Keywords: (none) => feedback
Apologies, omitted the address for the PoC: CVE-2020-15166 https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
Not sure what you mean by unsure how to test it, as you tested it successfully. Can you give more details on how you had to edit the pkgconfig file?
I guess you are right David - the compilation used the library and generated the executable OK. Yes, I changed the library path entry in libzmq.pc from lib to lib64. The diagnostics had advised a more specific path to the library so that was my first thought. Most other pkgconfig files had the lib64 entry, e.g. libdir=/usr/lib64. Just an oversight probably.
$ count pkgconfig
245
$ cd pkgconfig
$ grep libdir=/usr/lib64 *.pc | wc -l
193
So, let's send this on. You have the final word.
OK once the config is corrected that is.
Barry, it sounds like the pkgconfig file isn't being generated correctly on x86_64. Can you have a look?
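The mismatch discussed in this thread (libzmq.pc on x86_64 carrying lib instead of lib64 as its library path) can be checked across a whole pkgconfig directory. This is an added example, not part of the bug report or of the Mageia packaging; the function name check_pc_libdir is hypothetical, and it assumes each .pc file assigns prefix, exec_prefix and libdir on their own lines.

```shell
#!/bin/sh
# Added example, not part of the bug report.
# check_pc_libdir PCDIR
#   PCDIR: a pkgconfig directory, e.g. /usr/lib64/pkgconfig
#   Prints one line per .pc file whose libdir does not resolve to the
#   parent of PCDIR; returns 1 if any were found, 0 otherwise.
check_pc_libdir() {
    pcdir=${1%/}
    expected=${pcdir%/pkgconfig}
    bad=0
    for pc in "$pcdir"/*.pc; do
        [ -f "$pc" ] || continue
        # Only the first assignment of each variable is considered.
        prefix=$(sed -n 's/^prefix=//p' "$pc" | head -n 1)
        exec_prefix=$(sed -n 's/^exec_prefix=//p' "$pc" | head -n 1)
        libdir=$(sed -n 's/^libdir=//p' "$pc" | head -n 1)
        [ -n "$libdir" ] || continue   # some packages define no libdir
        # Expand ${exec_prefix} first, since it usually refers to ${prefix}.
        resolved=$(printf '%s\n' "$libdir" |
            sed -e "s|\${exec_prefix}|$exec_prefix|g" -e "s|\${prefix}|$prefix|g")
        if [ "$resolved" != "$expected" ]; then
            printf '%s: libdir=%s (expected %s)\n' \
                "${pc##*/}" "$resolved" "$expected"
            bad=1
        fi
    done
    return "$bad"
}

# Run against a directory given on the command line, if any.
if [ $# -gt 0 ]; then
    check_pc_libdir "$1"
fi
```

Run as a QA step before compiling against a -devel package, it reports a wrong libdir without anyone having to edit the .pc file by hand first.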
Ah well I was waiting to test the install tonight before adding the advisory :\ ...but thanks for doing it :) Yes I will take a look.
OK, this should be fixed; updated zeromq-4.3.3-1.1.mga7 currently building.
Keywords: feedback => (none)
I need to rebuild cppzmq again as well, as I forgot to up the required version of zeromq in its spec and it built against the old version. :\ Doing it in a moment.
That rebuild was unnecessary. Usually, explicit versions on the BuildRequires are not necessary.
http://pkgsubmit.mageia.org/uploads/done/7/core/updates_testing/20200913223841.barjac.duvel.27003/cppzmq-4.3.0-2.1.mga7/rpm_qa.0.20200913223904.log
Right. Yes, my error, wasted a few electrons.
New package list is:
libzmq5-4.3.3-1.1.mga7
libzmq-devel-4.3.3-1.1.mga7
zeromq-utils-4.3.3-1.1.mga7
libcppzmq-devel-4.3.0-2.2.mga7
from SRPMS:
zeromq-4.3.3-1.1.mga7.src.rpm
cppzmq-4.3.0-2.2.mga7.src.rpm
Updated the four packages and re-compiled the PoC file. Ran the resulting executable. Immediate return. Thanks Barry and David. Validating, advisory in comment 2.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Packages Comment 14. Advisory done on SVN.
Target Milestone: --- => Mageia 7
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0367.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed two other issues:
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007649.html
https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8