Date: Fri, 22 May 2015 11:46:02 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: zeromq downgrade attack

On Thu, May 21, 2015 at 10:16:53AM -0400, cve-assign@...re.org wrote:
> > // Is the peer using ZMTP/1.0 with no revision number?
> > if (greeting_recv [0] != 0xff || !(greeting_recv [9] & 0x01)) {
> >     if (session->zap_enabled ()) {
> >         // Reject ZMTP 1.0 connections if ZAP is enabled
> >         error ();
> > 
> > if (greeting_recv [revision_pos] == ZMTP_1_0) {
> >     if (session->zap_enabled ()) {
> >         // Reject ZMTP 1.0 connections if ZAP is enabled
> >         error ();
> > 
> > if (greeting_recv [revision_pos] == ZMTP_2_0) {
> >     if (session->zap_enabled ()) {
> >         // Reject ZMTP 1.0 connections if ZAP is enabled
> >         error ();
> 
> We think there is essentially only one vulnerability, and it was fixed
> by that commit, but it is somewhat confusing because of an apparent
> typo in a comment. Shouldn't the "== ZMTP_2_0" test have a "Reject
> ZMTP 2.0" comment?

Yes, I think that was due to a copy-paste error when backporting the patches.

The current git version has the correct comment [0].

Cheers

[0] https://github.com/zeromq/libzmq/blob/f03a78bbfc205e12591a256914c6d53cc57e9023/src/stream_engine.cpp#L609
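The checks quoted above decide which ZMTP revision a peer is speaking from the first bytes of its greeting and then refuse pre-3.0 peers whenever ZAP authentication is enabled, so that an attacker cannot sidestep authentication by negotiating an older, mechanism-less protocol. The following is an added illustration of that logic, written for this note and not taken from libzmq; the byte layout (signature 0xFF at offset 0, bit 0 set at offset 9, revision byte at offset 10), the value of `revision_pos` and the numeric values behind `ZMTP_1_0` / `ZMTP_2_0` / `ZMTP_3_0` are assumptions drawn from the ZMTP specifications, and the sample greetings are constructed.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed greeting layout (from the ZMTP/2.0 and ZMTP/3.0 specs, not from
// the mail): a ZMTP >= 2.0 greeting starts with 0xFF, eight padding bytes,
// a byte with bit 0 set (0x7F), then the protocol revision byte.
// ZMTP/1.0 peers send no such signature; their first byte is a frame length.
static const size_t kRevisionPos = 10;  // libzmq's revision_pos (assumed)

// Assumed revision values behind libzmq's enum names used in the mail.
static const uint8_t kRevZmtp1 = 0;
static const uint8_t kRevZmtp2 = 1;
static const uint8_t kRevZmtp3 = 3;

enum PeerVersion {
    INCOMPLETE,            // not enough bytes received yet to decide
    ZMTP_1_0_NO_REVISION,  // legacy greeting, no signature or revision byte
    ZMTP_1_0,              // signature present, revision byte == 0
    ZMTP_2_0,              // signature present, revision byte == 1
    ZMTP_3_0_OR_LATER,     // signature present, revision byte >= 3
    UNKNOWN_REVISION       // signature present, revision value never assigned
};

// Classify a (possibly partial) greeting the same way the quoted checks do:
// no 0xFF signature, or bit 0 of byte 9 clear, means a ZMTP/1.0 peer that
// never sends a revision number; otherwise the revision byte decides.
PeerVersion classify_greeting(const std::vector<uint8_t> &g) {
    if (g.empty())
        return INCOMPLETE;
    if (g[0] != 0xff)                // no signature at all: legacy peer
        return ZMTP_1_0_NO_REVISION;
    if (g.size() < 10)
        return INCOMPLETE;
    if (!(g[9] & 0x01))              // signature bit clear: legacy peer
        return ZMTP_1_0_NO_REVISION;
    if (g.size() <= kRevisionPos)
        return INCOMPLETE;           // revision byte not received yet
    uint8_t rev = g[kRevisionPos];
    if (rev == kRevZmtp1) return ZMTP_1_0;
    if (rev == kRevZmtp2) return ZMTP_2_0;
    if (rev >= kRevZmtp3) return ZMTP_3_0_OR_LATER;
    return UNKNOWN_REVISION;
}

// The policy the fix enforces: with ZAP enabled, every pre-3.0 peer is
// rejected because those revisions carry no security mechanism, so
// accepting them would let authentication be downgraded away.
bool accept_peer(const std::vector<uint8_t> &g, bool zap_enabled) {
    switch (classify_greeting(g)) {
    case ZMTP_1_0_NO_REVISION:
    case ZMTP_1_0:
    case ZMTP_2_0:
        return !zap_enabled;
    case ZMTP_3_0_OR_LATER:
        return true;
    default:                         // incomplete or unknown: not yet acceptable
        return false;
    }
}

// Constructed sample greetings for demonstration.
std::vector<uint8_t> legacy_greeting() {
    return std::vector<uint8_t>{0x01, 0x00};   // ZMTP/1.0: short identity frame
}

std::vector<uint8_t> greeting_with_revision(uint8_t rev) {
    std::vector<uint8_t> g(11, 0x00);
    g[0] = 0xff;                                // signature start
    g[9] = 0x7f;                                // signature end, bit 0 set
    g[kRevisionPos] = rev;
    return g;
}

int main() {
    std::printf("legacy peer, ZAP on:  %s\n", accept_peer(legacy_greeting(), true) ? "accept" : "reject");
    std::printf("ZMTP/2.0 peer, ZAP on: %s\n", accept_peer(greeting_with_revision(kRevZmtp2), true) ? "accept" : "reject");
    std::printf("ZMTP/3.0 peer, ZAP on: %s\n", accept_peer(greeting_with_revision(kRevZmtp3), true) ? "accept" : "reject");
    return 0;
}
```

Note that the classifier returns `INCOMPLETE` rather than a verdict while the signature or revision byte is still in flight; a real engine keeps reading in that state, and an acceptance decision taken on a truncated greeting would reintroduce exactly the kind of ambiguity the fix removes.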
