Bug 1921983 (CVE-2021-20235)

Summary: CVE-2021-20235 zeromq: Heap overflow when receiving malformed ZMTP v1 packets
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, andrewniemants, anharris, bniver, dbecker, denis.arnaud_fedora, extras-orphan, flucifre, gmeno, hvyas, jjoyce, jschluet, lhh, lpeer, mbenjamin, mburns, mhackett, rhel8-maint, sclewis, slinaber, sostapov, tomspur, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: zeromq 4.3.3 Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in the zeromq server in src/decoder_allocators.hpp. The decoder static allocator could have its sized changed, but the buffer would remain the same as it is a static buffer. A remote, unauthenticated attacker who sends a crafted request to the zeromq server could trigger a buffer overflow WRITE of arbitrary data if CURVE/ZAP authentication is not enabled. The greatest impact of this flaw is to application availability, data integrity, and confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-11 22:09:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1921984, 1921985, 1921986, 1921987    
Bug Blocks: 1921995, 1939831    

Description Pedro Sampaio 2021-01-29 00:41:04 UTC 
A flaw was found in zeromq before 4.3.3. The use of a static allocator with ZMTP v1 packets may lead to a heap based overflow.

References:

https://github.com/zeromq/libzmq/pull/3902
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21984
Comment 1 Pedro Sampaio 2021-01-29 00:41:58 UTC 
Created zeromq tracking bugs for this issue:

Affects: epel-all [bug 1921985]
Affects: fedora-all [bug 1921987]
Affects: openstack-rdo [bug 1921986]


Created zeromq3 tracking bugs for this issue:

Affects: epel-7 [bug 1921984]
Comment 2 Denis Arnaud 2021-01-30 00:13:54 UTC 
Fixed by https://bodhi.fedoraproject.org/updates/FEDORA-2021-a01e258e6d
Comment 3 Fedora Update System 2021-02-08 01:29:37 UTC 
FEDORA-2021-8b3202b783 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 5 Todd Cullum 2021-02-12 19:24:50 UTC 
External References:

https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
Comment 6 Fedora Update System 2021-02-17 04:15:58 UTC 
FEDORA-EPEL-2021-5e4b80b9d8 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.