https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51
Created attachment 157421
net/libzmq4: update to 4.0.6 to resolve CVE-2014-9721

Koobs,

Attached patch will update to 4.0.6 to resolve CVE-2014-9721. I had to add a patch to resolve compile time errors regarding a missing newline. I submitted https://github.com/zeromq/zeromq4-x/pull/120 upstream to fix the next release so we can remove the temporary patch.

Comments on the pull request:

This resolves the following error seen at compile time with Clang 3.6 on FreeBSD 11-CURRENT and Clang 3.4.1 on FreeBSD 10.1-RELEASE.

c++ -DHAVE_CONFIG_H -I. -I../src -I../include -I../include -pedantic -Werror -Wall -D__BSD_VISIBLE -D_REENTRANT -D_THREAD_SAFE -I/usr/local/include -DZMQ_FORCE_KQUEUE -O2 -pipe -Wno-long-long -fstack-protector -fno-strict-aliasing -MT test_proxy_terminate.o -MD -MP -MF .deps/test_proxy_terminate.Tpo -c -o test_proxy_terminate.o test_proxy_terminate.cpp
test_proxy_terminate.cpp:113:2: error: no newline at end of file [-Werror,-Wnewline-eof]
}
^
1 error generated.
*** Error code 1

This also resolves the following compile time error seen with GCC on FreeBSD 8.4-RELEASE.

c++ -DHAVE_CONFIG_H -I. -I../src -I../include -I../include -pedantic -Werror -Wall -D__BSD_VISIBLE -D_REENTRANT -D_THREAD_SAFE -I/usr/local/include -DZMQ_FORCE_KQUEUE -O2 -pipe -Wno-long-long -fstack-protector -fno-strict-aliasing -MT test_proxy_terminate.o -MD -MP -MF .deps/test_proxy_terminate.Tpo -c -o test_proxy_terminate.o test_proxy_terminate.cpp
test_proxy_terminate.cpp:113:2: error: no newline at end of file
Created attachment 157422
Poudriere testport build logs from 10.1-RELEASE amd64

Poudriere log from 10.1-RELEASE attached for a sanity check. As usual, I was able to successfully run a 'testport' build on the following releases (info from `poudriere jail -l`):

8.4-RELEASE-p28 amd64
8.4-RELEASE-p28 i386
9.3-RELEASE-p14 amd64
9.3-RELEASE-p14 i386
10.1-RELEASE-p10 amd64
10.1-RELEASE-p10 i386
11.0-CURRENT r282869 amd64
11.0-CURRENT r282869 i386

vuxml is forthcoming.
Created attachment 157427
security/vuxml entry for libzmq4 and CVE-2014-9721

Koobs,

I'm assuming we're going to update libzmq4 to the 4.1.x branch at some point. I attempted to be proactive here and document that version here for correctness even if the vulnerable version hasn't been in ports. If that doesn't make sense the 4.1.x line can be removed. Otherwise vuxml is ready to go. See validation below.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.0.5
libzmq4-4.0.5 is vulnerable:
libzmq4 -- V3 protocol handler vulnerable to downgrade attacks
CVE: CVE-2014-9721
WWW: http://vuxml.FreeBSD.org/freebsd/10a6d0aa-0b1c-11e5-bb90-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.0.6
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.1.0
libzmq4-4.1.0 is vulnerable:
libzmq4 -- V3 protocol handler vulnerable to downgrade attacks
CVE: CVE-2014-9721
WWW: http://vuxml.FreeBSD.org/freebsd/10a6d0aa-0b1c-11e5-bb90-002590263bf5.html

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.1.1
0 problem(s) in the installed packages found.
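For readers unfamiliar with how `pkg audit` turns a vuxml entry into the verdicts shown above, here is a minimal re-implementation of that range check. This is an added example, not pkg(8) or the vuxml tooling: the `<vuln>` snippet inside it is constructed to reproduce the audit results in this comment (4.0.5 and 4.1.0 flagged, 4.0.6 and 4.1.1 clean) and is not the committed vuln.xml entry, and the version comparison is a simplified dotted-numeric compare rather than pkg's full version grammar (PORTREVISION and epoch suffixes are ignored).

```python
"""Audit a name-version string against vuxml-style version ranges.

Added example for this PR thread; not FreeBSD's pkg(8) or the vuxml
tooling. The <vuln> snippet is constructed (not the committed entry)
and the version compare is a simplified dotted-numeric one.
"""
import operator
import re
import xml.etree.ElementTree as ET

# Constructed snippet modelled on the vuxml <vuln> layout: a package
# name plus one or more <range> elements holding bound tags.
VULN_XML = """
<vuln vid="10a6d0aa-0b1c-11e5-bb90-002590263bf5">
  <topic>libzmq4 -- V3 protocol handler vulnerable to downgrade attacks</topic>
  <affects>
    <package>
      <name>libzmq4</name>
      <range><lt>4.0.6</lt></range>
      <range><ge>4.1.0</ge><lt>4.1.1</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-2014-9721</cvename>
  </references>
</vuln>
"""

# vuxml bound tags and the comparison each one expresses.
BOUND_OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
             "ge": operator.ge, "eq": operator.eq}


def parse_version(version):
    """'4.0.5' -> (4, 0, 5). Only the leading digits of each dotted piece
    count, so '4.0.5_1' compares as 4.0.5 (simplification of pkg's rules)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def bound_holds(version, bound):
    """Check one bound element (<lt>4.0.6</lt> etc.) against a version,
    padding the shorter tuple with zeros so 4.1 == 4.1.0."""
    v = parse_version(version)
    b = parse_version(bound.text.strip())
    width = max(len(v), len(b))
    v += (0,) * (width - len(v))
    b += (0,) * (width - len(b))
    return BOUND_OPS[bound.tag](v, b)


def in_range(version, range_el):
    """A version falls in a <range> when every bound inside it holds."""
    return all(bound_holds(version, bound) for bound in range_el)


def split_pkg(pkg):
    """'libzmq4-4.0.5' -> ('libzmq4', '4.0.5'); the version follows the last '-'."""
    name, _, version = pkg.rpartition("-")
    if not name or not version:
        raise ValueError("expected name-version, got %r" % pkg)
    return name, version


def audit(pkg, vuln_xml=VULN_XML):
    """Return [(vid, topic, [cve, ...])] for every entry affecting pkg."""
    name, version = split_pkg(pkg)
    root = ET.fromstring(vuln_xml)
    hits = []
    for vuln in root.iter("vuln"):  # iter() includes root itself when it matches
        for package in vuln.iter("package"):
            if package.findtext("name") != name:
                continue
            if any(in_range(version, r) for r in package.findall("range")):
                cves = [c.text for c in vuln.iter("cvename")]
                hits.append((vuln.get("vid"), vuln.findtext("topic"), cves))
    return hits


if __name__ == "__main__":
    for pkg in ("libzmq4-4.0.5", "libzmq4-4.0.6", "libzmq4-4.1.0", "libzmq4-4.1.1"):
        hits = audit(pkg)
        for vid, topic, cves in hits:
            print("%s is vulnerable: %s (%s)" % (pkg, topic, ", ".join(cves)))
        print("%d problem(s) found for %s" % (len(hits), pkg))
```

The point worth noticing is the second `<range>`: without the explicit `<ge>4.1.0</ge>` lower bound, a bare `<lt>4.1.1</lt>` would also cover every 4.0.x release including the fixed 4.0.6, which is why the entry for a vulnerability fixed separately in two branches needs one range per branch.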
Grrr. During runtime validation my salt master and salt minions are not communicating after this update. Hold off on the port patch at least.
Created attachment 157428
security/vuxml entry for libzmq4 and CVE-2014-9721

Include <freebsdpr>200502</freebsdpr> in vuxml entry this time.
The best I can tell, libzmq4-4.0.6 appears to have a run time regression that impacts communications. In my test cases I used Salt to vet run time of the updated library. The Salt master only works with 4.0.5 and on 4.0.6 will result in one of the salt processes pegging 100% CPU. The client is not affected and is able to use both 4.0.5 and 4.0.6 with no ill effect.

Example:
60190 saltmaster 7 103 0 192M 31652K CPU1 1 1:03 100.00% python2.7

Test matrix:
Salt master -- Salt minion
libzmq-4.0.6 -- libzmq-4.0.6 -- FAIL (No clients can connect, 100% CPU for salt master)
libzmq-4.0.6 -- libzmq-4.0.5 -- FAIL (No clients can connect, 100% CPU for salt master)
libzmq-4.0.5 -- libzmq-4.0.6 -- PASS
libzmq-4.0.5 -- libzmq-4.0.5 -- PASS
(In reply to Jason Unovitch from comment #4) Thanks for the patches and update Jason. What should we do from here given the runtime regression?
Created attachment 157449
net/libzmq4: update to 4.1.1 to resolve CVE-2014-9721

Security update to 4.1.1

PR:		200502
Security:	10a6d0aa-0b1c-11e5-bb90-002590263bf5
Security:	CVE-2014-9721
Submitted by:	Jason Unovitch <jason unovitch gmail com>
Reported by:	Sevan Janiyan <venture37 geeklan co uk>
MFH:		2015Q2
Created attachment 157450
Poudriere Build Logs from 10.1-RELEASE-p10 amd64

Build time looks good. Updated testport log attached. Also builds on all releases as mentioned above. No obvious issues noted at run time. I validated successful communication between the following combos.

Salt Master -- Salt Minion
libzmq4-4.1.1 -- libzmq4-4.0.5
libzmq4-4.1.1 -- libzmq4-4.1.1
libzmq4-4.1.1 -- 4.0.4 (Ubuntu)
Koobs,

I went the route of bumping the minor revision to the 4.1.x. Based off the link below, the 4.0.x series is frozen so now is as good a time as any to update to the next minor revision.
http://lists.zeromq.org/pipermail/zeromq-dev/2015-June/028996.html

Items of note:

1. There was an issue installing man pages that required a post-configure target. Pull request with upstream has been accepted to the development libzmq repo. I will ensure it gets in zeromq/zeromq4-1 so that post-configure can be removed next update.
https://github.com/zeromq/libzmq/issues/1429

2. Remove the --with-system-pgm as that option is no longer available in the ./configure script.
configure: WARNING: unrecognized options: --with-system-pgm

I appreciate the review and comments. This has been working well for me so far. The security/vuxml is already good to go as I had put 4.1.1 as being fixed from the start.

Jason
(In reply to Jason Unovitch from comment #10)

Regarding my comment on 1. The fix for the man page install issue was merged in the 4.1 stable branch and development branch here. A "# TODO: Remove post-configure target after 4.1.2 release" comment may be justified so nobody forgets that was only needed temporarily.

https://github.com/zeromq/zeromq4-1/pull/36
https://github.com/zeromq/libzmq/pull/1430
Koobs,

Did you need anything else from me to get this pushed into ports? As I said before 4.1.1 didn't suffer any run time issues. My Salt master has been working fine since the update.

Jason
A commit references this bug:

Author: delphij
Date: Wed Jun 10 18:09:21 UTC 2015
New revision: 389118
URL: https://svnweb.freebsd.org/changeset/ports/389118

Log:
  Document libzmq4 V3 protocol handler protocol downgrade vulnerability.

  PR:		200502
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment on attachment 157428
security/vuxml entry for libzmq4 and CVE-2014-9721

Vuxml patch committed.
*** Bug 200843 has been marked as a duplicate of this bug. ***
Apparent issues with pyzmq, see: bug 200843, comment 2
Update & QA in progress. A couple of issues to sort out:

1) .pc files need to be in libdata

-libdata/pkgconfig/libzmq.pc
+lib/pkgconfig/libzmq.pc

2) --with-system-pgm was replaced with:

--with-pgm              build libzmq with PGM extension. Requires pkg-config [default=no]

3) Backport merged man page fix
Another item: --with-libsodium now requires pkg-config, and doesn't take arguments
Upstream (pyzmq) evidence of breakage with 4.1.1:

https://github.com/zeromq/pyzmq/pull/677
https://github.com/zeromq/pyzmq/pull/678
https://github.com/zeromq/pyzmq/pull/678#issuecomment-109784824

The following pyzmq tests fail with 4.1.1 installed:

ERROR: test_single_socket_forwarder_bind (zmq.tests.test_device.TestDevice)
RuntimeError: context could not terminate, open sockets likely remain in test

ERROR: test_single_socket_forwarder_connect (zmq.tests.test_device.TestDevice)
RuntimeError: context could not terminate, open sockets likely remain in test

FAIL: test_single_socket_forwarder_bind (zmq.tests.test_device.TestDevice)
AssertionError: Should have received a message

FAIL: test_single_socket_forwarder_connect (zmq.tests.test_device.TestDevice)
AssertionError: Should have received a message
Not sure yet what we can do at the moment. Options appear to be:

1) Land 4.1.1, break pyzmq (and potentially other consumers)
2) Wait for 4.1.2, leave security fix pending

Note: It doesn't look like 4.1.2 will revert the ABI breakage (I note a bump of the ABI version upstream [1]) so we'll likely be blocked by an update of pyzmq anyway, even when 4.1.2 lands.

[1] https://github.com/zeromq/zeromq4-1/pull/39

Thoughts?
Upstream has released 4.1.2 and 4.0.7 (after I mentioned it on twitter), and the ABI change has remained (with associated version bump).

I've also notified pyzmq upstream: https://github.com/zeromq/pyzmq/pull/678#issuecomment-112003990
Dependent ports will need a PORTREVISION for this update given a shared library major version bump in 4.1.2 (4 -> 5)
pyzmq passes its tests with 4.1.2:

Ran 176 tests in 17.177s
A commit references this bug:

Author: koobs
Date: Mon Jun 15 11:06:52 UTC 2015
New revision: 389682
URL: https://svnweb.freebsd.org/changeset/ports/389682

Log:
  net/libzmq4: Update to 4.1.2, Fixes CVE-2014-9721

  - Update to 4.1.2
  - Update pkg-plist
  - USES: pkg-config is now a global dependency
  - OPTIONS: with-system-pgm is now with-pgm, update helpers
  - OPTIONS: with-libsodium no longer takes args, update helpers
  - Override pkgconfigdir via configure, deprecate USES: pathfix
  - Bump PORTREVISION for dependent ports for shared library version change

  While I'm here:

  - Whitespace align Makefile

  Based on:

  PR:		200502
  Reported by:	Sevan Janiyan <venture37 geeklan co uk>
  Submitted by:	Jason Unovitch <jason.unovitch gmail com>
  MFH:		2015Q2
  Security:	10a6d0aa-0b1c-11e5-bb90-002590263bf5
  Security:	CVE-2014-9721

Changes:
  head/dns/powerdns/Makefile
  head/net/czmq/Makefile
  head/net/libzmq4/Makefile
  head/net/libzmq4/distinfo
  head/net/libzmq4/pkg-plist
  head/net/ntopng/Makefile
  head/net/pecl-zmq/Makefile
  head/net/py-pyzmq/Makefile