main/zeromq: upgrade to 4.2.5, security fix (CVE-2019-6250)

Fixes #9879
author: Leonardo Arena <rnalrd@alpinelinux.org> 2019-02-04 11:19:36 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2019-02-04 11:24:20 +0000
commit: 5d060d203debb5d8ad6c58e09788f832cd025045 (patch)
tree: ebbc2da2b6d06e51fb2c18d541b8e7930ab1733b
parent: 4d5a8dd7fdeb7671773360ec78521fd9557ababf (diff)
download: alpine_aports-5d060d203debb5d8ad6c58e09788f832cd025045.tar.bz2
alpine_aports-5d060d203debb5d8ad6c58e09788f832cd025045.tar.xz
alpine_aports-5d060d203debb5d8ad6c58e09788f832cd025045.zip
2 files changed, 23 insertions, 4 deletions
diff --git a/main/zeromq/APKBUILD b/main/zeromq/APKBUILD
index 28065bc4bf..3cfe83e1df 100644
--- a/main/zeromq/APKBUILD
+++ b/main/zeromq/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=zeromq
-pkgver=4.2.2
+pkgver=4.2.5
-pkgrel=1
+pkgrel=0
 pkgdesc="The ZeroMQ messaging library and tools"
 url="http://www.zeromq.org/"
 arch="all"
@@ -13,9 +13,14 @@ makedepends="util-linux-dev libsodium-dev
 subpackages="$pkgname-dev $pkgname-doc libzmq:libs"
 source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
        test-driver.patch
+        CVE-2019-6250.patch
        "
 builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+#   4.2.5-r0:
+#     - CVE-2019-6250
 build() {
        cd "$builddir"
        ./configure \
@@ -40,5 +45,6 @@ package() {
        make DESTDIR="$pkgdir" install || return 1
 }
-sha512sums="d78813a61ce3311a1f8c230f7da0f5aedc97ef4b792afb6d398c5710da239348c0c7a67bdfeb38a7ab0282af498f1ed173649aff4add1bc35f0ef1b66f965443  zeromq-4.2.2.tar.gz
+sha512sums="4556cb50d05a6d133015a0ba804d6d951a47479a33fa29561eaeecb93d48b7bb6477365d0986c38b779f500cadaf08522c4a7aa13f5510303bd923f794d37036  zeromq-4.2.5.tar.gz
-64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660  test-driver.patch"
+64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660  test-driver.patch
+ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d  CVE-2019-6250.patch"
diff --git a/main/zeromq/CVE-2019-6250.patch b/main/zeromq/CVE-2019-6250.patch
new file mode 100644
index 0000000000..15bcc30314
--- /dev/null
+++ b/main/zeromq/CVE-2019-6250.patch
@@ -0,0 +1,13 @@
+diff --git a/src/v2_decoder.cpp b/src/v2_decoder.cpp
+index 839be9a..37889bd 100644
+--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
+@@ -116,7 +116,7 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size,
+ 
+     if (unlikely (
+           !zero_copy
+-          || ((unsigned char *) read_pos + msg_size > (data () + size ())))) {
+          || (msg_size > (size_t) (data () + size () - read_pos)))) {
+         // a new message has started, but the size would exceed the pre-allocated arena
+         // this happens every time when a message does not fit completely into the buffer
+         rc = in_progress.init_size (static_cast<size_t> (msg_size));
author	Leonardo Arena <rnalrd@alpinelinux.org>	2019-02-04 11:19:36 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2019-02-04 11:24:20 +0000
commit	5d060d203debb5d8ad6c58e09788f832cd025045 (patch)
tree	ebbc2da2b6d06e51fb2c18d541b8e7930ab1733b
parent	4d5a8dd7fdeb7671773360ec78521fd9557ababf (diff)
download	alpine_aports-5d060d203debb5d8ad6c58e09788f832cd025045.tar.bz2 alpine_aports-5d060d203debb5d8ad6c58e09788f832cd025045.tar.xz alpine_aports-5d060d203debb5d8ad6c58e09788f832cd025045.zip