File zeromq-CVE-2014-7203.patch of Package zeromq.3888
diff -urN zeromq-4.0.4.old/src/curve_client.cpp zeromq-4.0.4/src/curve_client.cpp
--- zeromq-4.0.4.old/src/curve_client.cpp 2014-09-29 10:18:04.360648652 +0200
+++ zeromq-4.0.4/src/curve_client.cpp 2014-09-29 10:22:56.207648617 +0200
@@ -35,7 +35,9 @@
 zmq::curve_client_t::curve_client_t (const options_t &options_) :
 mechanism_t (options_),
- state (send_hello)
+ state (send_hello),
+ cn_nonce(1),
+ cn_peer_nonce(1)
 {
 memcpy (public_key, options_.curve_public_key, crypto_box_PUBLICKEYBYTES);
 memcpy (secret_key, options_.curve_secret_key, crypto_box_SECRETKEYBYTES);
@@ -111,7 +113,7 @@
 uint8_t message_nonce [crypto_box_NONCEBYTES];
 memcpy (message_nonce, "CurveZMQMESSAGEC", 16);
- memcpy (message_nonce + 16, &cn_nonce, 8);
+ put_uint64 (message_nonce + 16, cn_nonce);
 const size_t mlen = crypto_box_ZEROBYTES + 1 + msg_->size ();
@@ -139,7 +141,7 @@
 uint8_t *message = static_cast <uint8_t *> (msg_->data ());
 memcpy (message, "\x07MESSAGE", 8);
- memcpy (message + 8, &cn_nonce, 8);
+ memcpy (message + 8, message_nonce + 16, 8);
 memcpy (message + 16, message_box + crypto_box_BOXZEROBYTES, mlen - crypto_box_BOXZEROBYTES);
@@ -169,6 +171,13 @@
 uint8_t message_nonce [crypto_box_NONCEBYTES];
 memcpy (message_nonce, "CurveZMQMESSAGES", 16);
 memcpy (message_nonce + 16, message + 8, 8);
+ uint64_t nonce = get_uint64(message + 8);
+ if (nonce <= cn_peer_nonce) {
+ errno = EPROTO;
+ return -1;
+ }
+ cn_peer_nonce = nonce;
+
 const size_t clen = crypto_box_BOXZEROBYTES + (msg_->size () - 16);
@@ -221,7 +230,7 @@
 // Prepare the full nonce
 memcpy (hello_nonce, "CurveZMQHELLO---", 16);
- memcpy (hello_nonce + 16, &cn_nonce, 8);
+ put_uint64 (hello_nonce + 16, cn_nonce);
 // Create Box [64 * %x0](C'->S)
 memset (hello_plaintext, 0, sizeof hello_plaintext);
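Review bot: In the `@@ -169,6 +171,13 @@` hunk, `cn_peer_nonce = nonce;` is stored as soon as the counter comparison passes, before the box keyed by `message_nonce` has been opened, so a MESSAGE that later fails authentication would still advance the accepted counter. The assignment should move to the point where the open call has reported success; that call and its result check are outside this hunk. The same ordering appears in the `@@ -174,6 +175,12 @@` hunk of curve_server.cpp. Whether a failed decode already ends the session is not visible here, but committing replay state only after verification keeps the check correct either way.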
@@ -344,7 +353,7 @@
 const size_t mlen = ptr - initiate_plaintext;
 memcpy (initiate_nonce, "CurveZMQINITIATE", 16);
- memcpy (initiate_nonce + 16, &cn_nonce, 8);
+ put_uint64 (initiate_nonce + 16, cn_nonce);
 rc = crypto_box (initiate_box, initiate_plaintext, mlen, initiate_nonce, cn_server, cn_secret);
@@ -359,7 +368,7 @@
 // Cookie provided by the server in the WELCOME command
 memcpy (initiate + 9, cn_cookie, 96);
 // Short nonce, prefixed by "CurveZMQINITIATE"
- memcpy (initiate + 105, &cn_nonce, 8);
+ memcpy (initiate + 105, initiate_nonce + 16, 8);
 // Box [C + vouch + metadata](C'->S')
 memcpy (initiate + 113, initiate_box + crypto_box_BOXZEROBYTES, mlen - crypto_box_BOXZEROBYTES);
@@ -393,6 +402,7 @@
 memcpy (ready_nonce, "CurveZMQREADY---", 16);
 memcpy (ready_nonce + 16, ready + 6, 8);
+ cn_peer_nonce = get_uint64(msg_data + 6);
 int rc = crypto_box_open_afternm (ready_plaintext, ready_box, clen, ready_nonce, cn_precom);
diff -urN zeromq-4.0.4.old/src/curve_client.hpp zeromq-4.0.4/src/curve_client.hpp
--- zeromq-4.0.4.old/src/curve_client.hpp 2014-09-29 10:18:04.357648652 +0200
+++ zeromq-4.0.4/src/curve_client.hpp 2014-09-29 10:18:16.272648651 +0200
@@ -95,6 +95,7 @@
 // Nonce
 uint64_t cn_nonce;
+ uint64_t cn_peer_nonce;
 int produce_hello (msg_t *msg_);
 int process_welcome (msg_t *msg_);
diff -urN zeromq-4.0.4.old/src/curve_server.cpp zeromq-4.0.4/src/curve_server.cpp
--- zeromq-4.0.4.old/src/curve_server.cpp 2014-09-29 10:18:04.359648652 +0200
+++ zeromq-4.0.4/src/curve_server.cpp 2014-09-29 10:21:25.912648628 +0200
@@ -40,7 +40,8 @@
 peer_address (peer_address_),
 state (expect_hello),
 expecting_zap_reply (false),
- cn_nonce (1)
+ cn_nonce (1),
+ cn_peer_nonce(1)
 {
 // Fetch our secret key from socket options
 memcpy (secret_key, options_.curve_secret_key, crypto_box_SECRETKEYBYTES);
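Review bot: The added line in the `@@ -393,6 +402,7 @@` hunk reads the peer nonce from `msg_data + 6`, while the context line directly above copies the same eight bytes from `ready + 6`, and no `msg_data` is declared in the visible lines. If only `ready` is in scope in this function, the line will not compile once the CURVE code is built; it should then read `cn_peer_nonce = get_uint64 (ready + 6);`. The function begins outside the hunk, so this needs checking against the 4.0.4 source. The value is also stored before `crypto_box_open_afternm` has returned, so it is recorded even if the READY box fails to open.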
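Review bot: The new member `cn_peer_nonce` in the `@@ -95,6 +95,7 @@` hunk of curve_client.hpp sits under the existing `// Nonce` comment with nothing to distinguish it from `cn_nonce`. A one-line comment would record the invariant the .cpp hunks rely on, for example `// Last short nonce accepted from the peer; incoming MESSAGE nonces must be strictly greater`. The same applies to the member added in the curve_server.hpp hunk, where the neighbouring `cn_nonce` has no comment either.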
@@ -114,7 +115,7 @@
 uint8_t message_nonce [crypto_box_NONCEBYTES];
 memcpy (message_nonce, "CurveZMQMESSAGES", 16);
- memcpy (message_nonce + 16, &cn_nonce, 8);
+ put_uint64 (message_nonce + 16, cn_nonce);
 uint8_t flags = 0;
 if (msg_->flags () & msg_t::more)
@@ -144,7 +145,7 @@
 uint8_t *message = static_cast <uint8_t *> (msg_->data ());
 memcpy (message, "\x07MESSAGE", 8);
- memcpy (message + 8, &cn_nonce, 8);
+ memcpy (message + 8, message_nonce + 16, 8);
 memcpy (message + 16, message_box + crypto_box_BOXZEROBYTES, mlen - crypto_box_BOXZEROBYTES);
@@ -174,6 +175,12 @@
 uint8_t message_nonce [crypto_box_NONCEBYTES];
 memcpy (message_nonce, "CurveZMQMESSAGEC", 16);
 memcpy (message_nonce + 16, message + 8, 8);
+ uint64_t nonce = get_uint64(message + 8);
+ if (nonce <= cn_peer_nonce) {
+ errno = EPROTO;
+ return -1;
+ }
+ cn_peer_nonce = nonce;
 const size_t clen = crypto_box_BOXZEROBYTES + msg_->size () - 16;
@@ -260,6 +267,7 @@
 memcpy (hello_nonce, "CurveZMQHELLO---", 16);
 memcpy (hello_nonce + 16, hello + 112, 8);
+ cn_peer_nonce = get_uint64(hello + 112);
 memset (hello_box, 0, crypto_box_BOXZEROBYTES);
 memcpy (hello_box + crypto_box_BOXZEROBYTES, hello + 120, 80);
@@ -388,6 +396,7 @@
 memcpy (initiate_nonce, "CurveZMQINITIATE", 16);
 memcpy (initiate_nonce + 16, initiate + 105, 8);
+ cn_peer_nonce = get_uint64(initiate + 105);
 rc = crypto_box_open (initiate_plaintext, initiate_box, clen, initiate_nonce, cn_client, cn_secret);
@@ -469,7 +478,7 @@
 const size_t mlen = ptr - ready_plaintext;
 memcpy (ready_nonce, "CurveZMQREADY---", 16);
- memcpy (ready_nonce + 16, &cn_nonce, 8);
+ put_uint64 (ready_nonce + 16, cn_nonce);
 int rc = crypto_box_afternm (ready_box, ready_plaintext, mlen, ready_nonce, cn_precom);
@@ -482,7 +491,7 @@
 memcpy (ready, "\x05READY", 6);
 // Short nonce, prefixed by "CurveZMQREADY---"
- memcpy (ready + 6, &cn_nonce, 8);
+ memcpy (ready + 6, ready_nonce + 16, 8);
 // Box [metadata](S'->C')
 memcpy (ready + 14, ready_box + crypto_box_BOXZEROBYTES, mlen - crypto_box_BOXZEROBYTES);
diff -urN zeromq-4.0.4.old/src/curve_server.hpp zeromq-4.0.4/src/curve_server.hpp
--- zeromq-4.0.4.old/src/curve_server.hpp 2014-09-29 10:18:04.358648652 +0200
+++ zeromq-4.0.4/src/curve_server.hpp 2014-09-29 10:18:16.273648651 +0200
@@ -84,6 +84,7 @@
 bool expecting_zap_reply;
 uint64_t cn_nonce;
+ uint64_t cn_peer_nonce;
 // Our secret key (s)
 uint8_t secret_key [crypto_box_SECRETKEYBYTES];