Bug 1980260 (CVE-2020-36400)

Summary: CVE-2020-36400 zeromq: heap-based buffer overflow in zmq::tcp_read
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amctagga, andrewniemants, anharris, bniver, cfeist, dbecker, denis.arnaud_fedora, extras-orphan, flucifre, gmeno, hvyas, jjoyce, jschluet, lhh, lpeer, mbenjamin, mburns, mhackett, sclewis, slinaber, sostapov, tomspur, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: zeromq 4.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw has been identified in zeromq. A heap-based buffer overflow is possible in zmq::tcp_read because a fixed static allocator can be resized without its backing buffer being reallocated. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-09 22:40:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1980261, 1980262, 1980263
Bug Blocks: 1980264

Description Marian Rehak 2021-07-08 08:26:38 UTC
ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read by resizing a fixed static allocator, a different vulnerability than CVE-2021-20235.

Upstream Reference:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26042

Upstream fix:

https://github.com/zeromq/libzmq/commit/397ac80850bf8d010fae23dd215db0ee2c677306

Comment 1 Marian Rehak 2021-07-08 08:27:48 UTC
Created zeromq tracking bugs for this issue:

Affects: epel-7 [bug 1980261]
Affects: openstack-rdo [bug 1980263]


Created zeromq3 tracking bugs for this issue:

Affects: epel-7 [bug 1980262]

Comment 2 Todd Cullum 2021-07-08 17:13:28 UTC
Flaw summary:

The c_single_allocator class in src/decoder_allocators.hpp of libzmq has a resize method which attempts to resize the static allocator when it should not (since it's a fixed buffer by design).
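
The pattern Comment 2 describes, as an added illustration that is not libzmq's code and not part of this bug report: a single fixed heap buffer handed to the socket read path, once with a resize() that only changes the advertised size (the flaw) and once with the resize() left as a no-op because the buffer is fixed by design. The class and function names, the demo-only capacity() accessor, the simulated read, and the idea that the decoder asks for a larger buffer after seeing a frame-size hint on the wire are all assumptions for this example; the real class is zmq::c_single_allocator in src/decoder_allocators.hpp and the real reader is zmq::tcp_read.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <vector>

// Added example, not libzmq's code. Names and the capacity() accessor are
// assumptions made so the overrun can be reported instead of committed.

// Flawed form: resize() updates the advertised size but never grows the
// allocation, so size() can exceed the bytes that buf_ actually owns.
class flawed_single_allocator {
 public:
  explicit flawed_single_allocator(std::size_t bufsize)
      : buf_size_(bufsize), capacity_(bufsize),
        buf_(static_cast<unsigned char*>(std::malloc(bufsize))) {}
  ~flawed_single_allocator() { std::free(buf_); }
  flawed_single_allocator(const flawed_single_allocator&) = delete;
  flawed_single_allocator& operator=(const flawed_single_allocator&) = delete;

  unsigned char* allocate() { return buf_; }
  std::size_t size() const { return buf_size_; }
  std::size_t capacity() const { return capacity_; }  // demo-only: real allocation size
  void resize(std::size_t new_size) { buf_size_ = new_size; }  // the flaw

 private:
  std::size_t buf_size_;
  std::size_t capacity_;
  unsigned char* buf_;
};

// Corrected form: the buffer is fixed, so resize() is a no-op and size()
// always equals the allocation.
class fixed_single_allocator {
 public:
  explicit fixed_single_allocator(std::size_t bufsize)
      : buf_size_(bufsize),
        buf_(static_cast<unsigned char*>(std::malloc(bufsize))) {}
  ~fixed_single_allocator() { std::free(buf_); }
  fixed_single_allocator(const fixed_single_allocator&) = delete;
  fixed_single_allocator& operator=(const fixed_single_allocator&) = delete;

  unsigned char* allocate() { return buf_; }
  std::size_t size() const { return buf_size_; }
  std::size_t capacity() const { return buf_size_; }
  void resize(std::size_t /*new_size*/) {}  // fixed buffer: must not change

 private:
  std::size_t buf_size_;
  unsigned char* buf_;
};

struct read_outcome {
  std::size_t requested;  // bytes recv() would be asked to write
  std::size_t capacity;   // bytes the buffer actually owns
  bool overflow;          // requested > capacity: heap overflow in the real reader
};

// Mimics the engine's read path: take the decoder's buffer and its advertised
// size, then receive up to that many bytes. Instead of overrunning the heap
// it reports the overrun and only copies when the write is in bounds.
template <class Alloc>
read_outcome simulated_tcp_read(Alloc& alloc,
                                const std::vector<unsigned char>& wire) {
  unsigned char* data = alloc.allocate();
  const std::size_t want = std::min(alloc.size(), wire.size());
  read_outcome out{want, alloc.capacity(), want > alloc.capacity()};
  if (!out.overflow) std::memcpy(data, wire.data(), want);
  return out;
}

// Constructed input: a peer sends 64 bytes while the decoder's buffer holds
// 16, after an (assumed) frame-size hint made the decoder request 64 bytes.
static std::vector<unsigned char> constructed_wire() {
  return std::vector<unsigned char>(64, 0x41);
}

bool flawed_allocator_overflows() {
  flawed_single_allocator a(16);
  a.resize(64);
  return simulated_tcp_read(a, constructed_wire()).overflow;  // true
}

bool fixed_allocator_stays_in_bounds() {
  fixed_single_allocator a(16);
  a.resize(64);
  read_outcome r = simulated_tcp_read(a, constructed_wire());
  return !r.overflow && r.requested == 16;  // true
}

int main() {
  return (flawed_allocator_overflows() && fixed_allocator_stays_in_bounds()) ? 0 : 1;
}
```

The point the demo isolates is that the reader trusts size() as the writable length of allocate(); any allocator whose size() can drift above its allocation turns a peer-controlled length into a heap write. In the real library the overrun is silent at this layer, which is why it surfaced through OSS-Fuzz under AddressSanitizer rather than through a crash in normal use.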

Comment 4 Product Security DevOps Team 2021-07-09 22:40:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36400