Skip to content
Snippets Groups Projects
Commit 31a14bca authored by Apertis CI's avatar Apertis CI
Browse files

Merge updates from debian/buster

parents 0d87bb4c 0b3566d9
No related branches found
No related tags found
1 merge request!3Update from debian/buster for apertis/v2020pre
Pipeline #159470 passed with stages
in 51 seconds
zeromq3 (4.3.1-4+deb10u1) buster-security; urgency=high
[ Luca Boccassi <bluca@debian.org> ]
* Fix CVE-2019-13132: application metadata not parsed correctly when using
CURVE.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 06 Jul 2019 14:13:37 +0000
zeromq3 (4.3.1-4) unstable; urgency=medium
[ Luca Boccassi <bluca@debian.org> ]
......
From 29f1ea22396d1b41b218343d50d4c22857d1fb28 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Tue, 2 Jul 2019 01:24:19 +0100
Subject: [PATCH] Problem: application metadata not parsed correctly when using
CURVE
Solution: create buffers large enough to contain arbitrary metadata
---
src/curve_server.cpp | 35 ++++++++++++++++++++++++-----------
1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/curve_server.cpp b/src/curve_server.cpp
index 69a1aa9f..ac1e3ae3 100644
--- a/src/curve_server.cpp
+++ b/src/curve_server.cpp
@@ -327,8 +327,12 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
const size_t clen = (size - 113) + crypto_box_BOXZEROBYTES;
uint8_t initiate_nonce[crypto_box_NONCEBYTES];
- uint8_t initiate_plaintext[crypto_box_ZEROBYTES + 128 + 256];
- uint8_t initiate_box[crypto_box_BOXZEROBYTES + 144 + 256];
+ uint8_t *initiate_plaintext =
+ static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
+ alloc_assert (initiate_plaintext);
+ uint8_t *initiate_box =
+ static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
+ alloc_assert (initiate_box);
// Open Box [C + vouch + metadata](C'->S')
memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
@@ -339,6 +343,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
memcpy (initiate_nonce + 16, initiate + 105, 8);
cn_peer_nonce = get_uint64 (initiate + 105);
+ const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
+
rc = crypto_box_open (initiate_plaintext, initiate_box, clen,
initiate_nonce, _cn_client, _cn_secret);
if (rc != 0) {
@@ -346,11 +352,10 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
session->get_socket ()->event_handshake_failed_protocol (
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
errno = EPROTO;
- return -1;
+ rc = -1;
+ goto exit;
}
- const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
-
uint8_t vouch_nonce[crypto_box_NONCEBYTES];
uint8_t vouch_plaintext[crypto_box_ZEROBYTES + 64];
uint8_t vouch_box[crypto_box_BOXZEROBYTES + 80];
@@ -371,7 +376,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
session->get_socket ()->event_handshake_failed_protocol (
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
errno = EPROTO;
- return -1;
+ rc = -1;
+ goto exit;
}
// What we decrypted must be the client's short-term public key
@@ -383,7 +389,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
session->get_socket ()->event_handshake_failed_protocol (
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_KEY_EXCHANGE);
errno = EPROTO;
- return -1;
+ rc = -1;
+ goto exit;
}
// Precompute connection secret from client key
@@ -405,7 +412,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
// is attempted)
rc = receive_and_process_zap_reply ();
if (rc == -1)
- return -1;
+ goto exit;
} else if (!options.zap_enforce_domain) {
// This supports the Stonehouse pattern (encryption without
// authentication) in legacy mode (domain set but no handler).
@@ -413,15 +420,21 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
} else {
session->get_socket ()->event_handshake_failed_no_detail (
session->get_endpoint (), EFAULT);
- return -1;
+ rc = -1;
+ goto exit;
}
} else {
// This supports the Stonehouse pattern (encryption without authentication).
state = sending_ready;
}
- return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
- clen - crypto_box_ZEROBYTES - 128);
+ rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
+ clen - crypto_box_ZEROBYTES - 128);
+
+exit:
+ free (initiate_plaintext);
+ free (initiate_box);
+ return rc;
}
int zmq::curve_server_t::produce_ready (msg_t *msg_)
--
2.20.1
......@@ -4,3 +4,4 @@ test_hardcoded_ipc_path.patch
ppc64_atomic_intrinsics.patch
test_pair_ipc_hurd.patch
gssapi_pkgconfig.patch
CVE-2019-13132.patch
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment