package/zeromq: security bump to version 4.3.3
author Peter Korsgaard <peter@korsgaard.com>
Tue, 8 Sep 2020 20:53:15 +0000 (22:53 +0200)
committer Peter Korsgaard <peter@korsgaard.com>
Wed, 9 Sep 2020 06:40:48 +0000 (08:40 +0200)
Fixes the following security issues:

- CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
  unauthenticated clients.
  If a raw TCP socket is opened and connected to an endpoint that is fully
  configured with CURVE/ZAP, legitimate clients will not be able to exchange
  any message.  Handshakes complete successfully, and messages are delivered
  to the library, but the server application never receives them.  For more
  information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

- Stack overflow on server running PUB/XPUB socket (CURVE disabled).
  The PUB/XPUB subscription store (mtrie) is traversed using recursive
  function calls.  In the remove (unsubscription) case, the recursive calls
  are NOT tail calls, so even with optimizations the stack grows linearly
  with the length of a subscription topic.  Topics are under the control of
  remote clients - they can send a subscription to arbitrary length topics.
  An attacker can thus cause a server to create an mtrie sufficiently large
  such that, when unsubscribing, traversal will cause a stack overflow.  For
  more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8

- Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
  Messages with metadata are never processed by PUB sockets, but the
  metadata is kept referenced in the PUB object and never freed.  For more
  information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw

- Memory leak in client induced by malicious server(s) without CURVE/ZAP.
  When a pipe processes a delimiter and is already not in active state but
  still has an unfinished message, the message is leaked.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87

- Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
  By crafting a packet which is not valid ZMTP v2/v3, and which has two
  messages larger than 8192 bytes, the decoder can be tricked into changing
  the recorded size of the 8192 bytes static buffer, which then gets
  overflown by the next message.  The content that gets written in the
  overflown memory is entirely decided by the sender.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6

Drop now upstreamed patches, autoreconf and reformat hash file with 2 space
delimiters.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
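The mtrie issue described above (an unsubscription traversal that recurses once per topic byte, with pruning work after the call so the frames cannot be eliminated) as an added example that is not part of this commit or of libzmq's code: a constructed Python prefix trie with a recursive removal whose depth follows the remote-chosen topic length, next to an iterative removal that prunes the same nodes with constant stack use. The names TopicTrie, remove_recursive, remove_iterative and demo are assumptions for illustration; Python's recursion limit stands in for the native stack, so the failure shows up as RecursionError rather than a crash.

```python
class TopicTrie:
    """Constructed prefix trie for PUB/XPUB-style subscriptions (not libzmq's
    mtrie). Each node maps one topic byte to a child node and counts the
    subscribers whose topic ends at this node."""

    def __init__(self):
        self.children = {}
        self.refcount = 0

    def add(self, topic: bytes) -> None:
        """Subscribe: walk/create the path for `topic` and bump the leaf count."""
        node = self
        for b in topic:
            node = node.children.setdefault(b, TopicTrie())
        node.refcount += 1

    def matches(self, topic: bytes) -> bool:
        """True if any stored subscription is a prefix of `topic`."""
        node = self
        if node.refcount:
            return True
        for b in topic:
            node = node.children.get(b)
            if node is None:
                return False
            if node.refcount:
                return True
        return False

    def remove_recursive(self, topic: bytes, i: int = 0) -> bool:
        """Vulnerable-style removal: one frame per topic byte, and the pruning
        after the recursive call means it is not a tail call, so the stack
        grows linearly with a topic length the client controls."""
        if i == len(topic):
            if self.refcount == 0:
                return False
            self.refcount -= 1
            return True
        child = self.children.get(topic[i])
        if child is None:
            return False
        removed = child.remove_recursive(topic, i + 1)
        if removed and child.refcount == 0 and not child.children:
            del self.children[topic[i]]  # prune only after the call returns
        return removed

    def remove_iterative(self, topic: bytes) -> bool:
        """Hardened removal: record the path in an explicit list, then prune
        empty nodes from the leaf toward the root; stack use is constant."""
        path = [(None, self)]
        node = self
        for b in topic:
            node = node.children.get(b)
            if node is None:
                return False
            path.append((b, node))
        if node.refcount == 0:
            return False
        node.refcount -= 1
        for idx in range(len(path) - 1, 0, -1):
            key, n = path[idx]
            if n.refcount or n.children:
                break
            del path[idx - 1][1].children[key]
        return True


def demo(topic_len: int):
    """Unsubscribe a constructed topic of `topic_len` bytes both ways and
    return (recursive_ok, iterative_ok); recursive_ok is False when the
    recursion limit is hit before the traversal completes."""
    topic = b"a" * topic_len
    t1 = TopicTrie()
    t1.add(topic)
    try:
        recursive_ok = t1.remove_recursive(topic)
    except RecursionError:
        recursive_ok = False
    t2 = TopicTrie()
    t2.add(topic)
    iterative_ok = t2.remove_iterative(topic) and not t2.children
    return recursive_ok, iterative_ok


if __name__ == "__main__":
    print("short topic :", demo(10))
    print("long topic  :", demo(100_000))
```

Running the block prints (True, True) for a 10-byte topic and (False, True) for a 100,000-byte one: the iterative version removes the subscription and prunes the whole path, while the recursive version never finishes. The same reasoning applies to the native library, where the limit is the thread's stack rather than an interpreter setting, and where a reasonable upper bound on accepted topic length is a complementary mitigation.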
package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch [deleted file]
package/zeromq/0002-configure.ac-fix-build-with-openpgm-5-3-128.patch [deleted file]
package/zeromq/zeromq.hash
package/zeromq/zeromq.mk

diff --git a/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch b/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch
deleted file mode 100644 (file)
index 49f753b..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From d59dcbcaebd91ca30a0f866403c383177a4843f8 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sun, 12 Jan 2020 10:10:15 +0100
-Subject: [PATCH] acinclude.m4: add -latomic to PKGCFG_LIBS_PRIVATE
-
-Add -latomic to PKGCFG_LIBS_PRIVATE so applications linking statically
-with libzmq (such czmq) will know that they have to link with -latomic
-and the following build failure will be avoided:
-
-  CCLD     src/czmq_selftest
-/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/7.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/run/instance-3/output-1/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libzmq.a(src_libzmq_la-ctx.o): in function `zmq::ctx_t::create_socket(int)':
-ctx.cpp:(.text+0x1710): undefined reference to `__atomic_fetch_add_4'
-
-Fixes:
- - http://autobuild.buildroot.org/results/4a12f1ede260cd956a0b5ccb4eec6ca8b44cb04f
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Retrieved from:
-https://github.com/zeromq/libzmq/commit/d59dcbcaebd91ca30a0f866403c383177a4843f8]
----
- acinclude.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index 8c042ca50..387a3d2a1 100644
---- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -691,7 +691,7 @@ int main (int, char **)
-             return t;
-         }
-         ])],
--        [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" ; $1],
-+        [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" PKGCFG_LIBS_PRIVATE="$PKGCFG_LIBS_PRIVATE -latomic" ; $1],
-         [AC_MSG_RESULT(no) ; libzmq_cv_has_atomic_instrisics="no" LIBS=$save_LIBS ; $2])
-     fi
- }])
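Review bot: Dropping this patch is justified by its own header, which records it as retrieved from upstream commit d59dcbcaebd91ca30a0f866403c383177a4843f8, but nothing on this page shows that commit is part of the 4.3.3 tarball; state in the commit message (or check before merging) that the -latomic addition to PKGCFG_LIBS_PRIVATE is present in the release's acinclude.m4, otherwise the czmq static-link failure on sparc-uclibc quoted in the patch header returns.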
diff --git a/package/zeromq/0002-configure.ac-fix-build-with-openpgm-5-3-128.patch b/package/zeromq/0002-configure.ac-fix-build-with-openpgm-5-3-128.patch
deleted file mode 100644 (file)
index 89ef555..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From 883d432c29fe5b81b2b4a6809610c60083571fb4 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Wed, 2 Sep 2020 07:54:36 +0200
-Subject: [PATCH] configure.ac: fix build with openpgm-5-3-128
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/zeromq/libzmq/pull/4027]
----
- configure.ac | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index e7193423..49b5d69c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -649,13 +649,18 @@ AC_ARG_WITH([pgm], [AS_HELP_STRING([--with-pgm],
- # conditionally require pgm package
- if test "x$with_pgm_ext" != "xno"; then
--    PKG_CHECK_MODULES([pgm], [openpgm-5.2 >= 5.2], [
-+    PKG_CHECK_MODULES([pgm], [openpgm-5.3 >= 5.3], [
-         have_pgm_library="yes"
--        PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.2 >= 5.2"
-+        PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.3 >= 5.3"
-     ], [
--        PKG_CHECK_MODULES([pgm], [openpgm-5.1 >= 5.1], [
-+        PKG_CHECK_MODULES([pgm], [openpgm-5.2 >= 5.2], [
-             have_pgm_library="yes"
--            PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.1 >= 5.1"
-+            PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.2 >= 5.2"
-+        ], [
-+            PKG_CHECK_MODULES([pgm], [openpgm-5.1 >= 5.1], [
-+                have_pgm_library="yes"
-+                PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE openpgm-5.1 >= 5.1"
-+            ])
-         ])
-     ])
- fi
--- 
-2.28.0
-
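Review bot: This patch's header gives only "[Upstream status: https://github.com/zeromq/libzmq/pull/4027]", a pull request rather than a merged commit, so removing it under "Drop now upstreamed patches" needs an explicit confirmation that PR 4027 is contained in 4.3.3; if it is not, the openpgm-5.3 PKG_CHECK_MODULES branch added here is lost and builds against openpgm-5-3-128 regress. The patch is dated 2 Sep 2020, six days before this bump, which makes that check worth stating.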
index 689d960b28f2121f66c5f38ed2cc19ab2742cfe6..17ffff87627588ec831438ae5363eb4291e586e9 100644 (file)
@@ -1,7 +1,7 @@
 # From https://github.com/zeromq/libzmq/releases
-md5  2047e917c2cc93505e2579bcba67a573 zeromq-4.3.2.tar.gz
-sha1 e5253bff214f77621b3d29443f1aa6e5a106ffe5  zeromq-4.3.2.tar.gz
+md5  78acc277d95e10812d71b2b3c3c3c9a9  zeromq-4.3.3.tar.gz
+sha1  d78bc504194d6908df40a2b9e41849b181b02491  zeromq-4.3.3.tar.gz
 # Locally computed
-sha256 ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763  zeromq-4.3.2.tar.gz
-sha256 4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3  COPYING
-sha256 83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6  COPYING.LESSER
+sha256  9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2  zeromq-4.3.3.tar.gz
+sha256  4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3  COPYING
+sha256  83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6  COPYING.LESSER
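Review bot: The sha256 for zeromq-4.3.3.tar.gz sits under "# Locally computed", so it only pins the tarball that was downloaded, while the md5/sha1 lines come from the releases page; on a security bump it is worth saying in the commit message that the local sha256 was taken from a tarball whose md5 and sha1 matched upstream's published values. The 2-space delimiter normalisation is now consistent across all lines (the old md5 line used a single space before the filename).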
index ac8a09eaaacb996c275db69524ac4fb6faa290a3..8d2619817b9b3017b9e563299bf869dfd33efcce 100644 (file)
@@ -4,15 +4,13 @@
 #
 ################################################################################
 
-ZEROMQ_VERSION = 4.3.2
+ZEROMQ_VERSION = 4.3.3
 ZEROMQ_SITE = https://github.com/zeromq/libzmq/releases/download/v$(ZEROMQ_VERSION)
 ZEROMQ_INSTALL_STAGING = YES
 ZEROMQ_DEPENDENCIES = util-linux
 ZEROMQ_CONF_OPTS = --disable-Werror --without-documentation
 ZEROMQ_LICENSE = LGPL-3.0+ with exceptions
 ZEROMQ_LICENSE_FILES = COPYING COPYING.LESSER
-# We're patching acinclude.m4
-ZEROMQ_AUTORECONF = YES
 
 # Assume these flags are always available. It is true, at least for
 # SOCK_CLOEXEC, since linux v2.6.27.
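Review bot: Removing ZEROMQ_AUTORECONF = YES together with the "# We're patching acinclude.m4" comment is the right pairing: both patch files are deleted in this commit, so nothing remaining modifies the autotools inputs and a stale autoreconf would only pull in host autotools for no benefit. The change relies on the release tarball shipping a configure generated from the fixed acinclude.m4, which is what the upstreaming claim implies and what the check suggested for the 0001 patch deletion would confirm.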