Date: Thu, 21 May 2015 10:16:53 -0400 (EDT)
From: cve-assign@...re.org
To: alessandro@...dini.me
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: zeromq downgrade attack

> https://github.com/zeromq/libzmq/issues/1273
> https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51
> https://www.debian.org/security/2015/dsa-3255

Use CVE-2014-9721.

> // Is the peer using ZMTP/1.0 with no revision number?
> if (greeting_recv [0] != 0xff || !(greeting_recv [9] & 0x01)) {
>     if (session->zap_enabled ()) {
>         // Reject ZMTP 1.0 connections if ZAP is enabled
>         error ();
> 
> if (greeting_recv [revision_pos] == ZMTP_1_0) {
>     if (session->zap_enabled ()) {
>         // Reject ZMTP 1.0 connections if ZAP is enabled
>         error ();
> 
> if (greeting_recv [revision_pos] == ZMTP_2_0) {
>     if (session->zap_enabled ()) {
>         // Reject ZMTP 1.0 connections if ZAP is enabled
>         error ();

We think there is essentially only one vulnerability, and it was fixed
by that commit, but it is somewhat confusing because of an apparent
typo in a comment. Shouldn't the "== ZMTP_2_0" test have a "Reject
ZMTP 2.0" comment?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
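
Added example, not part of the original message and not libzmq's own code: a stand-alone C++ version of the gate the quoted fragments describe, in which a greeting that identifies as unversioned ZMTP/1.0, ZMTP_1_0 or ZMTP_2_0 is refused whenever ZAP is enabled. The numeric values of ZMTP_1_0, ZMTP_2_0 and revision_pos, the Verdict type, the function names and the sample greetings are assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed values; the message quotes the names but not their definitions.
enum { ZMTP_1_0 = 0, ZMTP_2_0 = 1 };
static const std::size_t revision_pos = 10;

enum class Verdict { AcceptLegacy, RejectDowngrade, ProceedToHandshake };

// Classify a peer greeting of at least revision_pos + 1 bytes.
// zap_enabled stands in for session->zap_enabled () in the quoted code.
Verdict classify_greeting (const uint8_t *greeting, bool zap_enabled)
{
    // Same test as the first quoted fragment: ZMTP/1.0 with no revision number.
    const bool unversioned = greeting[0] != 0xff || !(greeting[9] & 0x01);
    const bool legacy = unversioned
                        || greeting[revision_pos] == ZMTP_1_0
                        || greeting[revision_pos] == ZMTP_2_0;
    if (!legacy)
        return Verdict::ProceedToHandshake;  // newer peer: mechanism is negotiated
    // ZMTP 1.0 and 2.0 carry no security handshake, so accepting them with
    // ZAP enabled would let a peer skip authentication by claiming an old version.
    return zap_enabled ? Verdict::RejectDowngrade : Verdict::AcceptLegacy;
}

// Build a constructed 11-byte greeting prefix for the demonstration.
std::array<uint8_t, 11> make_greeting (uint8_t first, uint8_t ninth, uint8_t rev)
{
    std::array<uint8_t, 11> g{};
    g[0] = first;
    g[9] = ninth;
    g[revision_pos] = rev;
    return g;
}

int main ()
{
    const auto unversioned = make_greeting (0x01, 0x00, 0x00);  // no 0xff signature
    const auto v2 = make_greeting (0xff, 0x7f, ZMTP_2_0);
    const auto v3 = make_greeting (0xff, 0x7f, 0x03);
    std::printf ("unversioned, ZAP on: %d\n",
                 static_cast<int> (classify_greeting (unversioned.data (), true)));
    std::printf ("2.0, ZAP on: %d\n",
                 static_cast<int> (classify_greeting (v2.data (), true)));
    std::printf ("3.x, ZAP on: %d\n",
                 static_cast<int> (classify_greeting (v3.data (), true)));
    return 0;
}
```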
