CVE-2019-13132: denial of service via stack overflow

[fangpenlin]

I found a critical security bug of libzmq and would like to report it confidentially, so that hopefully the bug can be fixed before we disclose it. It appears the only information I can find about reporting security bug is here in FAQ

http://zeromq.org/area:faq#toc9

Besides opening an issue here, do you folks have an email address and corresponding GPG key I can send the details of this bug over?

[bluca]

@fangpenlin we added a policy and contact details at https://github.com/zeromq/libzmq/security/policy

[bluca]

The embargo is now over, here's a coarse description of the problem:

A remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations. All versions from 4.0.0 and upwards are affected.

Releases will be out in a few moments.

[bluca]

The following patches (they have to be named .txt or github refuses to attach them) are backports for a number of releases that have been seen in the wild, to ease the job of users that cannot update at the moment.

4_0_5.txt
4_1_4.txt
4_1_6.txt
4_2_1.txt
4_2_2.txt
4_2_3.txt
4_2_5.txt
4_3_1.txt

[bluca]

Fixed in v4.3.2, v4.1.7 and v4.0.9.

https://github.com/zeromq/libzmq/releases/tag/v4.3.2
https://github.com/zeromq/zeromq4-1/releases/tag/v4.1.7
https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.9

[bluca]

Closing as it's solved, but feel free to comment with more details. Due to sensitivity the code to reproduce the issue will be published on July 15th at 16:00 UTC.

[bluca]

Published on oss-security: https://www.openwall.com/lists/oss-security/2019/07/08/6

[bluca]

@myd7349 FYI for vcpkg

[bluca]

@scpeters @aimileus FYI for homebrew