A flaw was found in zeromq before version 4.3.3. The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case, the recursive calls are NOT tail calls, so even with optimizations the stack grows linearly with the length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such that, when unsubscribing, traversal will cause a stack overflow.

References:
https://github.com/zeromq/libzmq/pull/3959
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22488
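The stack growth described in the flaw summary above goes away when the trie is walked with a loop and the descent path is kept in heap memory. The following C++ is an added example, not libzmq's mtrie code and not the patch from the referenced pull request; `Node`, `TopicTrie`, `add`, `rm` and `nodes` are hypothetical names.

```cpp
// Added illustration, not libzmq's mtrie. All names here are hypothetical.
#include <cstddef>
#include <map>
#include <string>
#include <vector>
struct Node {
    std::size_t refs = 0;                  // subscriptions that end at this node
    std::map<unsigned char, Node *> next;  // children keyed by the next topic byte
};
struct TopicTrie {
    Node *root = new Node;
    std::size_t nodes = 0;                 // nodes allocated below the root
    TopicTrie() = default;
    TopicTrie(const TopicTrie &) = delete; // raw pointers: forbid shallow copies
    ~TopicTrie() {                         // worklist free: no per-byte recursion here either
        std::vector<Node *> work{root};
        while (!work.empty()) {
            Node *n = work.back(); work.pop_back();
            for (auto &kv : n->next) work.push_back(kv.second);
            delete n;
        }
    }
    void add(const std::string &topic) {
        Node *n = root;
        for (unsigned char c : topic) {
            Node *&child = n->next[c];
            if (!child) { child = new Node; ++nodes; }
            n = child;
        }
        ++n->refs;
    }
    // Unsubscribe with a loop: the path is a heap vector, so topic length costs heap, not stack.
    bool rm(const std::string &topic) {
        std::vector<Node *> path{root};
        for (unsigned char c : topic) {
            auto it = path.back()->next.find(c);
            if (it == path.back()->next.end()) return false;  // topic was never added
            path.push_back(it->second);
        }
        if (path.back()->refs == 0) return false;             // prefix only, no subscription
        --path.back()->refs;
        for (std::size_t i = topic.size(); i > 0; --i) {      // prune empty nodes bottom-up
            if (path[i]->refs != 0 || !path[i]->next.empty()) break;
            path[i - 1]->next.erase(static_cast<unsigned char>(topic[i - 1]));
            delete path[i]; --nodes;
        }
        return true;
    }
};
```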
Created zeromq tracking bugs for this issue:
Affects: epel-all [bug 1921979]
Affects: fedora-all [bug 1921981]
Affects: openstack-rdo [bug 1921980]

Created zeromq3 tracking bugs for this issue:
Affects: epel-7 [bug 1921977]
Fixed by https://bodhi.fedoraproject.org/updates/FEDORA-2021-a01e258e6d
FEDORA-2021-8b3202b783 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.
External References: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
FEDORA-EPEL-2021-5e4b80b9d8 has been pushed to the Fedora EPEL 8 stable repository. If the problem still persists, please make note of it in this bug report.