Bug 1727055 (CVE-2019-13132)

Summary: CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrewniemants, dbecker, denis.arnaud_fedora, hvyas, jjoyce, jschluet, kbasil, lhh, lpeer, mburns, sclewis, security-response-team, sfowler, sisharma, slinaber, tomspur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-15 08:40:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1729830, 1729831, 1729832    
Bug Blocks: 1727066    

Description Dhananjay Arunesh 2019-07-04 10:26:30 UTC 
A vulnerability was discovered in ZeroMQ through 4.0.0 onwards which allows any unauthenticated client to cause a stack overflow on any server that is supposed to be protected by encryption/authentication. Arbitrary data sent by the client will overwrite the stack, so although the reporter didn't provide a specific exploit, it is entirely possible that a crafty attacker could take advantage of this vulnerability to do more than "just" crash the server.
Comment 10 Dhananjay Arunesh 2019-07-15 04:27:58 UTC 
Created zeromq tracking bugs for this issue:

Affects: fedora-all [bug 1729830]
Comment 11 Dhananjay Arunesh 2019-07-15 04:28:21 UTC 
Created zeromq tracking bugs for this issue:

Affects: epel-all [bug 1729831]
Comment 12 Dhananjay Arunesh 2019-07-15 04:34:15 UTC 
Reference:
https://github.com/zeromq/libzmq/issues/3558
Comment 13 Dhananjay Arunesh 2019-07-15 04:39:07 UTC 
External References:

https://www.openwall.com/lists/oss-security/2019/07/08/6
Comment 14 Dhananjay Arunesh 2019-07-15 05:07:58 UTC 
Created zeromq tracking bugs for this issue:

Affects: openstack-rdo [bug 1729832]
Comment 15 Product Security DevOps Team 2019-07-15 08:40:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13132