Bug 1921976 (CVE-2021-20236)

Summary: CVE-2021-20236 zeromq: Stack overflow on server running PUB/XPUB socket
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, andrewniemants, anharris, bniver, dbecker, denis.arnaud_fedora, extras-orphan, flucifre, gmeno, hvyas, jjoyce, jschluet, lhh, lpeer, mbenjamin, mburns, mhackett, rhel8-maint, sclewis, slinaber, sostapov, tomspur, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: zeromq 4.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ZeroMQ server. This flaw allows a malicious client to cause a stack buffer overflow on the server by sending crafted topic subscription requests and then unsubscribing. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-11 22:09:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1921977, 1921979, 1921980, 1921981
Bug Blocks: 1921995

Description Pedro Sampaio 2021-01-29 00:28:37 UTC
A flaw was found in zeromq before version 4.3.3. The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case, the recursive calls are NOT tail calls, so even with optimizations the stack grows linearly with the length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such that, when unsubscribing, traversal will cause a stack overflow.
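The following is an added illustration, not libzmq's mtrie code and not part of this bug report. It is a constructed, byte-keyed subscription trie with two unsubscribe paths: `rm_recursive()` has the shape the description above attributes to the flaw (one call frame per topic byte, with pruning work left to do after the recursive call, so it is not a tail call and the stack grows linearly with topic length), while `rm_iterative()` records the walk in a heap-allocated vector so its stack usage does not depend on how long a remote peer's subscription topic is. The class and function names are this example's own; the recursion-depth counter exists only to make the linear growth observable.

```cpp
// Constructed toy subscription trie (added example, not libzmq code).
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct node_t {
    std::map<unsigned char, std::unique_ptr<node_t>> next;
    unsigned refcount = 0;  // subscribers for exactly this prefix
};

class toy_trie_t {
public:
    void add(const std::string &topic) {
        node_t *n = &root_;
        for (unsigned char c : topic) {
            std::unique_ptr<node_t> &child = n->next[c];
            if (!child) child.reset(new node_t());
            n = child.get();
        }
        ++n->refcount;
    }

    bool contains(const std::string &topic) const {
        const node_t *n = &root_;
        for (unsigned char c : topic) {
            auto it = n->next.find(c);
            if (it == n->next.end()) return false;
            n = it->second.get();
        }
        return n->refcount > 0;
    }

    // Recursive removal. Returns the deepest frame index reached; for a topic
    // that is present this equals the topic length in bytes.
    size_t rm_recursive(const std::string &topic) {
        size_t max_depth = 0;
        rm_rec(&root_, topic, 0, max_depth);
        return max_depth;
    }

    // Iterative removal: descend while recording the path, then prune upward.
    // The path lives on the heap, so call-stack usage is constant.
    bool rm_iterative(const std::string &topic) {
        std::vector<node_t *> path;
        node_t *n = &root_;
        path.push_back(n);
        for (unsigned char c : topic) {
            auto it = n->next.find(c);
            if (it == n->next.end()) return false;
            n = it->second.get();
            path.push_back(n);
        }
        if (n->refcount == 0) return false;
        --n->refcount;
        for (size_t i = topic.size(); i > 0; --i) {  // prune empty nodes bottom-up
            node_t *child = path[i];
            if (child->refcount != 0 || !child->next.empty()) break;
            path[i - 1]->next.erase(static_cast<unsigned char>(topic[i - 1]));
        }
        return true;
    }

private:
    bool rm_rec(node_t *n, const std::string &topic, size_t i, size_t &max_depth) {
        if (i > max_depth) max_depth = i;
        if (i == topic.size()) {
            if (n->refcount == 0) return false;
            --n->refcount;
            return true;
        }
        auto it = n->next.find(static_cast<unsigned char>(topic[i]));
        if (it == n->next.end()) return false;
        bool removed = rm_rec(it->second.get(), topic, i + 1, max_depth);
        // Pruning happens AFTER the recursive call returns, so this is not a
        // tail call and the compiler cannot turn the recursion into a loop.
        if (it->second->refcount == 0 && it->second->next.empty()) n->next.erase(it);
        return removed;
    }

    node_t root_;
};

// Subscribe to a `len`-byte topic and unsubscribe recursively; returns the
// recursion depth reached, which grows linearly with `len`.
size_t recursion_depth_for_topic(size_t len) {
    toy_trie_t t;
    std::string topic(len, 'a');
    t.add(topic);
    return t.rm_recursive(topic);
}

// Same round trip through the iterative path: present before, absent after,
// and a second unsubscribe of the same topic is rejected.
bool iterative_roundtrip(size_t len) {
    toy_trie_t t;
    std::string topic(len, 'a');
    t.add(topic);
    bool ok = t.contains(topic) && t.rm_iterative(topic);
    return ok && !t.contains(topic) && !t.rm_iterative(topic);
}

int main() {
    std::printf("recursive unsubscribe depth for a 4096-byte topic: %zu\n",
                recursion_depth_for_topic(4096));
    std::printf("iterative round trip ok: %d\n", iterative_roundtrip(4096));
    return 0;
}
```

The point for a reviewer or defender is structural rather than numeric: whenever a data structure keyed by peer-supplied input is walked recursively, the maximum input length becomes a stack-depth bound that the peer controls, and the mitigation is either an iterative walk (as in `rm_iterative()`) or an enforced cap on the input length before it reaches the structure.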



Comment 1 Pedro Sampaio 2021-01-29 00:29:43 UTC
Created zeromq tracking bugs for this issue:

Affects: epel-all [bug 1921979]
Affects: fedora-all [bug 1921981]
Affects: openstack-rdo [bug 1921980]

Created zeromq3 tracking bugs for this issue:

Affects: epel-7 [bug 1921977]

Comment 2 Denis Arnaud 2021-01-30 00:12:06 UTC
Fixed by https://bodhi.fedoraproject.org/updates/FEDORA-2021-a01e258e6d

Comment 3 Fedora Update System 2021-02-08 01:29:32 UTC
FEDORA-2021-8b3202b783 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 5 Todd Cullum 2021-02-12 19:08:53 UTC
External References:


Comment 6 Fedora Update System 2021-02-17 04:15:50 UTC
FEDORA-EPEL-2021-5e4b80b9d8 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.