main/zeromq: fix CVE-2019-13132

fixes #10687
author: Leo <thinkabit.ukim@gmail.com> 2019-07-23 12:43:11 -0300
committer: Natanael Copa <ncopa@alpinelinux.org> 2019-07-23 20:55:23 +0200
commit: cea68283f6fb219e133352b64b4e2f39cc002604 (patch)
tree: 21f70f0f1bb7dd645ecf896a499b66594f63e5c1 /main
parent: 1d883b90c2617f701a473458f6bea95c5488513b (diff)
download: aports-cea68283f6fb219e133352b64b4e2f39cc002604.tar.bz2
aports-cea68283f6fb219e133352b64b4e2f39cc002604.tar.xz
2 files changed, 116 insertions, 2 deletions
diff --git a/main/zeromq/APKBUILD b/main/zeromq/APKBUILD
index 3cfe83e1df..3edd05f866 100644
--- a/main/zeromq/APKBUILD
+++ b/main/zeromq/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=zeromq
 pkgver=4.2.5
-pkgrel=0
+pkgrel=1
 pkgdesc="The ZeroMQ messaging library and tools"
 url="http://www.zeromq.org/"
 arch="all"
@@ -14,10 +14,13 @@ subpackages="$pkgname-dev $pkgname-doc libzmq:libs"
 source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
 	test-driver.patch
 	CVE-2019-6250.patch
+	CVE-2019-13132.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   4.2.5-r1:
+#     - CVE-2019-13132
 #   4.2.5-r0:
 #     - CVE-2019-6250
 
@@ -47,4 +50,5 @@ package() {
 
 sha512sums="4556cb50d05a6d133015a0ba804d6d951a47479a33fa29561eaeecb93d48b7bb6477365d0986c38b779f500cadaf08522c4a7aa13f5510303bd923f794d37036  zeromq-4.2.5.tar.gz
 64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660  test-driver.patch
-ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d  CVE-2019-6250.patch"
+ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d  CVE-2019-6250.patch
+e70db052cced7110ff0066c495a1230459710e31bb1f6afd6f01194ac024c625cf365413d81fccf1c4e1670f9ec6e5ed340fddf9e06a0b726ed79009db92c587  CVE-2019-13132.patch"
diff --git a/main/zeromq/CVE-2019-13132.patch b/main/zeromq/CVE-2019-13132.patch
new file mode 100644
index 0000000000..39c80d7996
--- /dev/null
+++ b/main/zeromq/CVE-2019-13132.patch
@@ -0,0 +1,110 @@
+From 4287cd2274ad48faa2b5346b6108f05b32ec20f2 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Tue, 2 Jul 2019 01:24:19 +0100
+Subject: [PATCH] Problem: application metadata not parsed correctly when using
+ CURVE
+
+Solution: create buffers large enough to contain arbitrary metadata
+---
+ src/curve_server.cpp | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/src/curve_server.cpp b/src/curve_server.cpp
+index 6938a637..d3a710db 100644
+--- a/src/curve_server.cpp
++++ b/src/curve_server.cpp
+@@ -327,8 +327,12 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+     const size_t clen = (size - 113) + crypto_box_BOXZEROBYTES;
+ 
+     uint8_t initiate_nonce[crypto_box_NONCEBYTES];
+-    uint8_t initiate_plaintext[crypto_box_ZEROBYTES + 128 + 256];
+-    uint8_t initiate_box[crypto_box_BOXZEROBYTES + 144 + 256];
++    uint8_t *initiate_plaintext =
++      static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
++    alloc_assert (initiate_plaintext);
++    uint8_t *initiate_box =
++      static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
++    alloc_assert (initiate_box);
+ 
+     //  Open Box [C + vouch + metadata](C'->S')
+     memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
+@@ -339,6 +343,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+     memcpy (initiate_nonce + 16, initiate + 105, 8);
+     cn_peer_nonce = get_uint64 (initiate + 105);
+ 
++    const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
++
+     rc = crypto_box_open (initiate_plaintext, initiate_box, clen,
+                           initiate_nonce, cn_client, cn_secret);
+     if (rc != 0) {
+@@ -346,11 +352,10 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+         session->get_socket ()->event_handshake_failed_protocol (
+           session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
+         errno = EPROTO;
+-        return -1;
++        rc = -1;
++        goto exit;
+     }
+ 
+-    const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
+-
+     uint8_t vouch_nonce[crypto_box_NONCEBYTES];
+     uint8_t vouch_plaintext[crypto_box_ZEROBYTES + 64];
+     uint8_t vouch_box[crypto_box_BOXZEROBYTES + 80];
+@@ -371,7 +376,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+         session->get_socket ()->event_handshake_failed_protocol (
+           session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
+         errno = EPROTO;
+-        return -1;
++        rc = -1;
++        goto exit;
+     }
+ 
+     //  What we decrypted must be the client's short-term public key
+@@ -383,7 +389,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+         session->get_socket ()->event_handshake_failed_protocol (
+           session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_KEY_EXCHANGE);
+         errno = EPROTO;
+-        return -1;
++        rc = -1;
++        goto exit;
+     }
+ 
+     //  Precompute connection secret from client key
+@@ -405,7 +412,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+             //  is attempted)
+             rc = receive_and_process_zap_reply ();
+             if (rc == -1)
+-                return -1;
++                goto exit;
+         } else if (!options.zap_enforce_domain) {
+             //  This supports the Stonehouse pattern (encryption without
+             //  authentication) in legacy mode (domain set but no handler).
+@@ -413,15 +420,21 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+         } else {
+             session->get_socket ()->event_handshake_failed_no_detail (
+               session->get_endpoint (), EFAULT);
+-            return -1;
++            rc = -1;
++            goto exit;
+         }
+     } else {
+         //  This supports the Stonehouse pattern (encryption without authentication).
+         state = sending_ready;
+     }
+ 
+-    return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
+-                           clen - crypto_box_ZEROBYTES - 128);
++    rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
++                         clen - crypto_box_ZEROBYTES - 128);
++
++exit:
++    free (initiate_plaintext);
++    free (initiate_box);
++    return rc;
+ }
+ 
+ int zmq::curve_server_t::produce_ready (msg_t *msg_)
+-- 
+2.20.1
+
author	Leo <thinkabit.ukim@gmail.com>	2019-07-23 12:43:11 -0300
committer	Natanael Copa <ncopa@alpinelinux.org>	2019-07-23 20:55:23 +0200
commit	cea68283f6fb219e133352b64b4e2f39cc002604 (patch)
tree	21f70f0f1bb7dd645ecf896a499b66594f63e5c1 /main
parent	1d883b90c2617f701a473458f6bea95c5488513b (diff)
download	aports-cea68283f6fb219e133352b64b4e2f39cc002604.tar.bz2 aports-cea68283f6fb219e133352b64b4e2f39cc002604.tar.xz