authorLeonardo Arena <rnalrd@alpinelinux.org>2019-02-04 11:19:36 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-02-04 11:24:20 +0000
commit5d060d203debb5d8ad6c58e09788f832cd025045 (patch)
treeebbc2da2b6d06e51fb2c18d541b8e7930ab1733b
parent4d5a8dd7fdeb7671773360ec78521fd9557ababf (diff)
main/zeromq: upgrade to 4.2.5, security fix (CVE-2019-6250)
Fixes #9879
-rw-r--r--main/zeromq/APKBUILD14
-rw-r--r--main/zeromq/CVE-2019-6250.patch13
2 files changed, 23 insertions, 4 deletions
diff --git a/main/zeromq/APKBUILD b/main/zeromq/APKBUILD
index 28065bc4bf..3cfe83e1df 100644
--- a/main/zeromq/APKBUILD
+++ b/main/zeromq/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zeromq
-pkgver=4.2.2
-pkgrel=1
+pkgver=4.2.5
+pkgrel=0
pkgdesc="The ZeroMQ messaging library and tools"
url="http://www.zeromq.org/"
arch="all"
@@ -13,9 +13,14 @@ makedepends="util-linux-dev libsodium-dev
subpackages="$pkgname-dev $pkgname-doc libzmq:libs"
source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
test-driver.patch
+ CVE-2019-6250.patch
"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 4.2.5-r0:
+# - CVE-2019-6250
+
build() {
cd "$builddir"
./configure \
@@ -40,5 +45,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
}
-sha512sums="d78813a61ce3311a1f8c230f7da0f5aedc97ef4b792afb6d398c5710da239348c0c7a67bdfeb38a7ab0282af498f1ed173649aff4add1bc35f0ef1b66f965443 zeromq-4.2.2.tar.gz
-64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660 test-driver.patch"
+sha512sums="4556cb50d05a6d133015a0ba804d6d951a47479a33fa29561eaeecb93d48b7bb6477365d0986c38b779f500cadaf08522c4a7aa13f5510303bd923f794d37036 zeromq-4.2.5.tar.gz
+64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660 test-driver.patch
+ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d CVE-2019-6250.patch"
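Review bot: The new secfixes block in the second hunk (`# secfixes:` / `# 4.2.5-r0:` / `# - CVE-2019-6250`) is what Alpine's secdb tooling parses, and it only recognises the YAML-style layout with the version key indented under `secfixes:` and the CVE as a list item indented under the version; the rendering here has dropped leading whitespace, so the indentation cannot be confirmed from this page and should be checked before merge. The same hunk adds `CVE-2019-6250.patch` to `source=` but no `prepare()` is visible between `builddir=` and `build()`, so the patch is presumably applied by abuild's default prepare step, as `test-driver.patch` already must be; if the file defines its own `prepare()` further down, the new patch has to be applied there as well. The `url="http://www.zeromq.org/"` line is unchanged context and carries no security weight, since the tarball is fetched from the https GitHub release URL and pinned by the sha512 in the third hunk.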
diff --git a/main/zeromq/CVE-2019-6250.patch b/main/zeromq/CVE-2019-6250.patch
new file mode 100644
index 0000000000..15bcc30314
--- /dev/null
+++ b/main/zeromq/CVE-2019-6250.patch
@@ -0,0 +1,13 @@
+diff --git a/src/v2_decoder.cpp b/src/v2_decoder.cpp
+index 839be9a..37889bd 100644
+--- a/src/v2_decoder.cpp
++++ b/src/v2_decoder.cpp
+@@ -116,7 +116,7 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size,
+
+ if (unlikely (
+ !zero_copy
+- || ((unsigned char *) read_pos + msg_size > (data () + size ())))) {
++ || (msg_size > (size_t) (data () + size () - read_pos)))) {
+ // a new message has started, but the size would exceed the pre-allocated arena
+ // this happens every time when a message does not fit completely into the buffer
+ rc = in_progress.init_size (static_cast<size_t> (msg_size));
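Review bot: The patch file starts directly at `diff --git a/src/v2_decoder.cpp` with no header naming the upstream libzmq commit it was backported from, so a maintainer rebasing onto a later 4.2.x has nothing to compare against; a preamble such as `Backported from upstream libzmq commit <UPSTREAM_COMMIT_ID>; fixes CVE-2019-6250 (bound check in v2_decoder_t::size_ready)` above the first diff line would fix that. The rewritten condition on the `+` line, `msg_size > (size_t) (data () + size () - read_pos)`, compares the incoming size against the bytes left in the arena instead of adding `msg_size` to `read_pos`, which removes the pointer-arithmetic overflow the old form allowed and is the right shape for the check; a one-line comment saying so, e.g. `// compare against remaining bytes: read_pos + msg_size could overflow the pointer`, would keep the next reader from "simplifying" it back. The cast to `size_t` relies on `read_pos` never being past `data () + size ()`, and the retained `static_cast<size_t> (msg_size)` on the last line truncates on 32-bit targets unless `msg_size` is bounded earlier in `size_ready`, whose body continues outside this hunk, so that cannot be confirmed here.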