Ubuntu
zeromq3 package

Merge ~ahasenack/ubuntu/+source/zeromq3:eoan-zeromq3-merge into ubuntu/+source/zeromq3:ubuntu/devel

Proposed by Andreas Hasenack on 2019-07-10

Status:

Superseded

Proposed branch:

~ahasenack/ubuntu/+source/zeromq3:eoan-zeromq3-merge

Merge into:

ubuntu/+source/zeromq3:ubuntu/devel

Diff against target:

218 lines (+177/-0) (has conflicts)

5 files modified

debian/changelog (+27/-0)
debian/patches/CVE-2019-13132.patch (+110/-0)
debian/patches/gssapi_pkgconfig.patch (+30/-0)
debian/patches/series (+5/-0)
debian/patches/validate-group-before-using.patch (+5/-0)

Conflict in debian/changelog
Conflict in debian/patches/series
Conflict in debian/patches/validate-group-before-using.patch

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Christian Ehrhardt  (community)	2019-07-10	Approve on 2019-07-11
Canonical Server	2019-07-10	Pending
Review via email: mp+369945@code.launchpad.net

This proposal has been superseded by a proposal from 2019-07-11.

Description of the change

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/zeromq3-merge
sudo add-apt-repository ppa:ahasenack/zeromq3-merge -y

There are no DEP8 tests for this package.

Merge from debian. Some notes:
- I collapsed our delta, since 4.3.1-3ubuntu2 reverted the symbols change from 4.3.1-3ubuntu1. Only the patch validate-group-before-using.patch remains
- that patch was merged upstream, so I updated its DEP3 header to reflect that. Debian should pick it up the next time upstream releases, and then this package can become a sync
- we are also affected by this debian bug, so this merge is beneficial to us:
  * Fix GSSAPI support build (closes: #925914).
- and this fixes a security issue that our security team has already SRUed:
  * Fix CVE-2019-13132: application metadata not parsed correctly when using
    CURVE.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-07-11:

Taking this review as part of my inbox cleanup ....

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-07-11:

- found all the tags
- ack to only "validate-group-before-using.patch" is remaining
- ack on Debians GSSAPI+CVE fixes
- ack to header update
- the build in the PPA LGTM
- all self tests passed or skipped
- no rebuild of dependencies needed for this upload
- tested with some examples from http://zguide.zeromq.org/php:all

All working fine +1 on this MP

review: Approve

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-07-11:

The merge target should be d/sid but that wasn't important for the review since I check things out anyway (but it breaks the LP view).

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-07-11:

Oopsie on the merge target... Thanks for the +1, I'll resubmit to the right target before tagging and uploading.

Unmerged commits

b02bd8a... by Andreas Hasenack on 2019-07-10

update-maintainer

25eaccc... by Andreas Hasenack on 2019-07-10

reconstruct-changelog

9ec7be4... by Andreas Hasenack on 2019-07-10

merge-changelogs

da84d81... by Andreas Hasenack on 2019-07-10

    - d/p/validate-group-before-using.patch: validate the supplementary
      group used in the filter_ipc test before using it. (LP: #1820282)
      [Updated DEP3 header with Applied-Upstream information]

ec76dfd... by Laszlo Boszormenyi on 2019-07-06

Import patches-unapplied version 4.3.1-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 1d23ad62598c2153d371703cf940bdd769501083

New changelog entries:
  [ Luca Boccassi <email address hidden> ]
  * Fix CVE-2019-13132: application metadata not parsed correctly when using
    CURVE.

1d23ad6... by Laszlo Boszormenyi on 2019-03-28

Import patches-unapplied version 4.3.1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f9b7f4ed1996049b09f22a4a083b6dd7643d3aeb

New changelog entries:
[ Luca Boccassi <email address hidden> ]
* Fix GSSAPI support build (closes: #925914).

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index d743c03..b3104e0 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,30 @@
++<<<<<<< debian/changelog
++=======
++zeromq3 (4.3.1-5ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/p/validate-group-before-using.patch: validate the supplementary
++      group used in the filter_ipc test before using it. (LP #1820282)
++      [Updated DEP3 header with Applied-Upstream information]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 10 Jul 2019 10:13:50 -0300
++
++zeromq3 (4.3.1-5) unstable; urgency=high
++
++  [ Luca Boccassi <bluca@debian.org> ]
++  * Fix CVE-2019-13132: application metadata not parsed correctly when using
++    CURVE.
++
++ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 06 Jul 2019 13:52:23 +0000
++
++zeromq3 (4.3.1-4) unstable; urgency=medium
++
++  [ Luca Boccassi <bluca@debian.org> ]
++  * Fix GSSAPI support build (closes: #925914).
++
++ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 28 Mar 2019 16:37:09 +0000
++
++>>>>>>> debian/changelog
  zeromq3 (4.3.1-3ubuntu2) disco; urgency=medium
    * d/libzmq5.symbols: revert previous symbols update, as that came from a
 diff --git a/debian/patches/CVE-2019-13132.patch b/debian/patches/CVE-2019-13132.patch
 new file mode 100644
 index 0000000..46c0e20
 --- /dev/null
 +++ b/debian/patches/CVE-2019-13132.patch
@@ -0,0 +1,110 @@
++From 29f1ea22396d1b41b218343d50d4c22857d1fb28 Mon Sep 17 00:00:00 2001
++From: Luca Boccassi <luca.boccassi@gmail.com>
++Date: Tue, 2 Jul 2019 01:24:19 +0100
++Subject: [PATCH] Problem: application metadata not parsed correctly when using
++ CURVE
++
++Solution: create buffers large enough to contain arbitrary metadata
++---
++ src/curve_server.cpp | 35 ++++++++++++++++++++++++-----------
++ 1 file changed, 24 insertions(+), 11 deletions(-)
++
++diff --git a/src/curve_server.cpp b/src/curve_server.cpp
++index 69a1aa9f..ac1e3ae3 100644
++--- a/src/curve_server.cpp
+++++ b/src/curve_server.cpp
++@@ -327,8 +327,12 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
++     const size_t clen = (size - 113) + crypto_box_BOXZEROBYTES;
++
++     uint8_t initiate_nonce[crypto_box_NONCEBYTES];
++-    uint8_t initiate_plaintext[crypto_box_ZEROBYTES + 128 + 256];
++-    uint8_t initiate_box[crypto_box_BOXZEROBYTES + 144 + 256];
+++    uint8_t *initiate_plaintext =
+++      static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
+++    alloc_assert (initiate_plaintext);
+++    uint8_t *initiate_box =
+++      static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
+++    alloc_assert (initiate_box);
++
++     //  Open Box [C + vouch + metadata](C'->S')
++     memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
++@@ -339,6 +343,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
++     memcpy (initiate_nonce + 16, initiate + 105, 8);
++     cn_peer_nonce = get_uint64 (initiate + 105);
++
+++    const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
+++
++     rc = crypto_box_open (initiate_plaintext, initiate_box, clen,
++                           initiate_nonce, _cn_client, _cn_secret);
++     if (rc != 0) {
++@@ -346,11 +352,10 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
++         session->get_socket ()->event_handshake_failed_protocol (
++           session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
++         errno = EPROTO;
++-        return -1;
+++        rc = -1;
+++        goto exit;
++     }
++
++-    const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
++-
++     uint8_t vouch_nonce[crypto_box_NONCEBYTES];
++     uint8_t vouch_plaintext[crypto_box_ZEROBYTES + 64];
++     uint8_t vouch_box[crypto_box_BOXZEROBYTES + 80];
++@@ -371,7 +376,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
++         session->get_socket ()->event_handshake_failed_protocol (
++           session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
++         errno = EPROTO;
++-        return -1;
+++        rc = -1;
+++        goto exit;
++     }
++
++     //  What we decrypted must be the client's short-term public key
++@@ -383,7 +389,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
++         session->get_socket ()->event_handshake_failed_protocol (
++           session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_KEY_EXCHANGE);
++         errno = EPROTO;
++-        return -1;
+++        rc = -1;
+++        goto exit;
++     }
++
++     //  Precompute connection secret from client key
++@@ -405,7 +412,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
++             //  is attempted)
++             rc = receive_and_process_zap_reply ();
++             if (rc == -1)
++-                return -1;
+++                goto exit;
++         } else if (!options.zap_enforce_domain) {
++             //  This supports the Stonehouse pattern (encryption without
++             //  authentication) in legacy mode (domain set but no handler).
++@@ -413,15 +420,21 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
++         } else {
++             session->get_socket ()->event_handshake_failed_no_detail (
++               session->get_endpoint (), EFAULT);
++-            return -1;
+++            rc = -1;
+++            goto exit;
++         }
++     } else {
++         //  This supports the Stonehouse pattern (encryption without authentication).
++         state = sending_ready;
++     }
++
++-    return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
++-                           clen - crypto_box_ZEROBYTES - 128);
+++    rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
+++                         clen - crypto_box_ZEROBYTES - 128);
+++
+++exit:
+++    free (initiate_plaintext);
+++    free (initiate_box);
+++    return rc;
++ }
++
++ int zmq::curve_server_t::produce_ready (msg_t *msg_)
++--
++2.20.1
++
 diff --git a/debian/patches/gssapi_pkgconfig.patch b/debian/patches/gssapi_pkgconfig.patch
 new file mode 100644
 index 0000000..5072f82
 --- /dev/null
 +++ b/debian/patches/gssapi_pkgconfig.patch
@@ -0,0 +1,30 @@
++Author: Luca Boccassi <bluca@debian.org>
++Description: gssapi pkg-config check in configure.ac does not work
++ correctly enable the definition in platform.hpp so that the
++ gssapi support is actually built in if requested and available.
++Origin: https://github.com/zeromq/libzmq/pull/3361
++--- a/configure.ac
+++++ b/configure.ac
++@@ -472,16 +472,20 @@
++ # conditionally require libgssapi_krb5
++ if test "x$require_libgssapi_krb5_ext" != "xno"; then
++     PKG_CHECK_MODULES([gssapi_krb5], [krb5-gssapi], [
+++        have_gssapi_library="yes"
++         PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE krb5-gssapi"
++     ], [
++         AC_CHECK_HEADERS(gssapi/gssapi_generic.h)
++         AC_SEARCH_LIBS([gss_init_sec_context], [gssapi_krb5 gssapi],
++-            AC_DEFINE(HAVE_LIBGSSAPI_KRB5, [1], [Enabled GSSAPI security]),
+++            have_gssapi_library="yes",
++             AC_MSG_ERROR(libgssapi_krb5 is needed for GSSAPI security))
++         PKGCFG_LIBS_PRIVATE="$PKGCFG_LIBS_PRIVATE -lgssapi_krb5"
++     ])
++ fi
++-AM_CONDITIONAL(BUILD_GSSAPI, test "x$require_libgssapi_krb5_ext" != "xno")
+++if test "x$have_gssapi_library" = "xyes"; then
+++    AC_DEFINE(HAVE_LIBGSSAPI_KRB5, [1], [Enabled GSSAPI security])
+++fi
+++AM_CONDITIONAL(BUILD_GSSAPI, test "x$have_gssapi_library" = "xyes")
++
++ # Select curve encryption library, defaults to tweetnacl
++ # To use libsodium instead, use --with-libsodium (must be installed)
 diff --git a/debian/patches/series b/debian/patches/series
 index 89cfc2c..feab9ab 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -3,4 +3,9 @@ test_sigbus_sparc64.patch
  test_hardcoded_ipc_path.patch
  ppc64_atomic_intrinsics.patch
  test_pair_ipc_hurd.patch
++<<<<<<< debian/patches/series
++=======
++gssapi_pkgconfig.patch
++CVE-2019-13132.patch
++>>>>>>> debian/patches/series
  validate-group-before-using.patch
 diff --git a/debian/patches/validate-group-before-using.patch b/debian/patches/validate-group-before-using.patch
 index fc8b6b9..eb2af70 100644
 --- a/debian/patches/validate-group-before-using.patch
 +++ b/debian/patches/validate-group-before-using.patch
@@ -8,7 +8,12 @@ Author: Andreas Hasenack <andreas@canonical.com>
  Bug: https://github.com/zeromq/libzmq/issues/1462
  Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1820282
  Forwarded: https://github.com/zeromq/libzmq/pull/3453
++<<<<<<< debian/patches/validate-group-before-using.patch
  Last-Update: 2019-03-16
++=======
++Applied-Upstream: https://github.com/zeromq/libzmq/commit/168aa83d089425d4be5a34911c37c6f58eed2b9b
++Last-Update: 2019-07-10
++>>>>>>> debian/patches/validate-group-before-using.patch
  ---
  This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
  --- a/tests/test_filter_ipc.cpp

Ubuntuzeromq3 package

Merge ~ahasenack/ubuntu/+source/zeromq3:eoan-zeromq3-merge into ubuntu/+source/zeromq3:ubuntu/devel

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

Ubuntu
zeromq3 package