Bug 1980260 (CVE-2020-36400) - CVE-2020-36400 zeromq: heap-based buffer overflow in zmq::tcp_read
Summary: CVE-2020-36400 zeromq: heap-based buffer overflow in zmq::tcp_read
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-36400
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1980261 1980262 1980263
Blocks: 1980264
Reported: 2021-07-08 08:26 UTC by Marian Rehak
Modified: 2021-07-23 22:45 UTC (History)

Fixed In Version: zeromq 4.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw has been identified in zeromq. A heap-based buffer overflow is possible in zmq::tcp_read by resizing a fixed static allocator. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-07-09 22:40:20 UTC
Embargoed:



Description Marian Rehak 2021-07-08 08:26:38 UTC
ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read by resizing a fixed static allocator, a different vulnerability than CVE-2021-20235.

Upstream Reference:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26042

Upstream fix:

https://github.com/zeromq/libzmq/commit/397ac80850bf8d010fae23dd215db0ee2c677306

Comment 1 Marian Rehak 2021-07-08 08:27:48 UTC
Created zeromq tracking bugs for this issue:

Affects: epel-7 [bug 1980261]
Affects: openstack-rdo [bug 1980263]


Created zeromq3 tracking bugs for this issue:

Affects: epel-7 [bug 1980262]

Comment 2 Todd Cullum 2021-07-08 17:13:28 UTC
Flaw summary:

The c_single_allocator class in src/decoder_allocators.hpp of libzmq has a resize method which attempts to resize the static allocator when it should not (since it's a fixed buffer by design).

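Added illustration (constructed for this page, not libzmq's decoder_allocators.hpp code) of the defect class Comment 2 describes: a single fixed-size buffer allocator whose resize() is honoured even though the buffer is fixed by design, beside a variant that keeps its capacity fixed. It assumes the overflow arises because the advertised size and the real buffer diverge, and it models the reader with a bounds check instead of writing past the buffer.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Vulnerable pattern: resize() changes the size the allocator reports but
// not the heap block it actually owns (constructed, not libzmq code).
class single_allocator_unsafe {
public:
    explicit single_allocator_unsafe(std::size_t bufsize)
        : _capacity(bufsize), _buf(bufsize), _size(bufsize) {}
    unsigned char *allocate() { return _buf.data(); }
    void resize(std::size_t new_size) { _size = new_size; } // defect
    std::size_t size() const { return _size; }         // what a reader trusts
    std::size_t capacity() const { return _capacity; } // what really exists
private:
    std::size_t _capacity;
    std::vector<unsigned char> _buf;
    std::size_t _size;
};

// Hardened pattern: the buffer is fixed by design, so resize() is a no-op
// and size() can never exceed capacity().
class single_allocator_fixed {
public:
    explicit single_allocator_fixed(std::size_t bufsize) : _buf(bufsize) {}
    unsigned char *allocate() { return _buf.data(); }
    void resize(std::size_t /*new_size*/) {} // fixed buffer: ignore request
    std::size_t size() const { return _buf.size(); }
    std::size_t capacity() const { return _buf.size(); }
private:
    std::vector<unsigned char> _buf;
};

// Invariant a reviewer or fuzz harness checks: after any resize() the
// advertised size must not exceed the bytes the allocator really owns.
template <class Alloc>
bool resize_breaks_invariant(std::size_t bufsize, std::size_t new_size) {
    Alloc a(bufsize);
    a.resize(new_size);
    return a.size() > a.capacity();
}

// Reader modelled on "read up to alloc.size() bytes into alloc.allocate()".
// Refuses (returns false) instead of overflowing when the sizes disagree.
template <class Alloc>
bool fill_from_socket(Alloc &alloc, const unsigned char *data, std::size_t len) {
    std::size_t want = alloc.size();
    if (want > alloc.capacity())
        return false;                      // would overflow the heap block
    std::memcpy(alloc.allocate(), data, len < want ? len : want);
    return true;
}
```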
Comment 4 Product Security DevOps Team 2021-07-09 22:40:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36400
