Bug 1921976 (CVE-2021-20236) - CVE-2021-20236 zeromq: Stack overflow on server running PUB/XPUB socket
Summary: CVE-2021-20236 zeromq: Stack overflow on server running PUB/XPUB socket
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-20236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1921977 1921979 1921980 1921981
Blocks: 1921995
Reported: 2021-01-29 00:28 UTC by Pedro Sampaio
Modified: 2021-02-17 04:15 UTC (History)

Fixed In Version: zeromq 4.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ZeroMQ server. This flaw allows a malicious client to cause a stack buffer overflow on the server by sending crafted topic subscription requests and then unsubscribing. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-02-11 22:09:45 UTC
Embargoed:


Description Pedro Sampaio 2021-01-29 00:28:37 UTC
A flaw was found in zeromq before version 4.3.3. The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case, the recursive calls are NOT tail calls, so even with optimizations the stack grows linearly with the length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such that, when unsubscribing, traversal will cause a stack overflow.

References:

https://github.com/zeromq/libzmq/pull/3959
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22488
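
The defensive shape of the fix, as an added illustration rather than libzmq's own mtrie code: an arena-backed subscription trie whose unsubscribe walks down recording the path and then prunes upward in a loop, so stack use stays constant however long a client-supplied topic is. The names `Node`, `SubTrie` and `deep_roundtrip` are chosen here and are not from the project.

```cpp
#include <deque>
#include <map>
#include <string>
#include <vector>
// Arena-backed byte trie: children are arena indices rather than owning pointers,
// so neither unsubscribe nor destruction recurses, whatever the topic length.
// next: child index per topic byte; refcount: subscribers whose topic ends here.
struct Node { std::map<unsigned char, size_t> next; unsigned refcount = 0; };

class SubTrie {
public:
    SubTrie() { nodes_.emplace_back(); }  // index 0 is the root
    void subscribe(const std::string& topic) {
        size_t n = 0;
        for (unsigned char c : topic) {
            auto it = nodes_[n].next.find(c);
            if (it == nodes_[n].next.end()) {
                nodes_.emplace_back();  // deque keeps existing references valid
                it = nodes_[n].next.emplace(c, nodes_.size() - 1).first;
            }
            n = it->second;
        }
        ++nodes_[n].refcount;
    }
    // Record the path going down, then prune empty nodes upward in a loop,
    // so stack use stays constant where a non-tail recursive remove would grow.
    bool unsubscribe(const std::string& topic) {
        std::vector<size_t> path{0};
        for (unsigned char c : topic) {
            auto it = nodes_[path.back()].next.find(c);
            if (it == nodes_[path.back()].next.end()) return false;
            path.push_back(it->second);
        }
        if (nodes_[path.back()].refcount == 0) return false;
        --nodes_[path.back()].refcount;
        for (size_t i = topic.size(); i > 0; --i) {
            const Node& cur = nodes_[path[i]];
            if (cur.refcount != 0 || !cur.next.empty()) break;
            nodes_[path[i - 1]].next.erase(static_cast<unsigned char>(topic[i - 1]));
        }
        return true;  // freed arena slots are simply left unused here
    }
private:
    std::deque<Node> nodes_;
};

// True if a len-byte topic subscribes, unsubscribes once and is then rejected,
// at depths that would overflow a recursive removal's stack.
bool deep_roundtrip(size_t len) {
    SubTrie t;
    const std::string topic(len, 'a');  // constructed sample topic
    t.subscribe(topic);
    return t.unsubscribe(topic) && !t.unsubscribe(topic);
}
```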

Comment 1 Pedro Sampaio 2021-01-29 00:29:43 UTC
Created zeromq tracking bugs for this issue:

Affects: epel-all [bug 1921979]
Affects: fedora-all [bug 1921981]
Affects: openstack-rdo [bug 1921980]


Created zeromq3 tracking bugs for this issue:

Affects: epel-7 [bug 1921977]

Comment 2 Denis Arnaud 2021-01-30 00:12:06 UTC
Fixed by https://bodhi.fedoraproject.org/updates/FEDORA-2021-a01e258e6d

Comment 3 Fedora Update System 2021-02-08 01:29:32 UTC
FEDORA-2021-8b3202b783 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 5 Todd Cullum 2021-02-12 19:08:53 UTC
External References:

https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8

Comment 6 Fedora Update System 2021-02-17 04:15:50 UTC
FEDORA-EPEL-2021-5e4b80b9d8 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.
