Bug 200502 - net/libzmq4: Update to 4.1.2 (And fix CVE-2014-9721)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Kubilay Kocak
URL:
Keywords: needs-qa, patch, security
Duplicates: 200843
Depends on:
Blocks:
 
Reported: 2015-05-28 23:12 UTC by Sevan Janiyan
Modified: 2015-06-25 02:27 UTC

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly-


Attachments
net/libzmq4: update to 4.0.6 to resolve CVE-2014-9721 (1.71 KB, patch)
2015-06-04 23:46 UTC, Jason Unovitch
Poudriere testport build logs from 10.1-RELEASE amd64 (178.18 KB, text/x-log)
2015-06-04 23:49 UTC, Jason Unovitch
security/vuxml entry for libzmq4 and CVE-2014-9721 (1.43 KB, patch)
2015-06-05 01:14 UTC, Jason Unovitch
security/vuxml entry for libzmq4 and CVE-2014-9721 (1.46 KB, patch)
2015-06-05 01:58 UTC, Jason Unovitch
delphij: maintainer-approval+
net/libzmq4: update to 4.1.1 to resolve CVE-2014-9721 (3.03 KB, patch)
2015-06-06 02:58 UTC, Jason Unovitch
Poudriere Build Logs from 10.1-RELEASE-p10 amd64 (144.63 KB, text/x-log)
2015-06-06 03:02 UTC, Jason Unovitch

Comment 1 Jason Unovitch freebsd_committer 2015-06-04 23:46:19 UTC
Created attachment 157421
net/libzmq4: update to 4.0.6 to resolve CVE-2014-9721

Koobs,
Attached patch will update to 4.0.6 to resolve CVE-2014-9721.  I had to add a patch to resolve compile time errors regarding a missing newline.

I submitted https://github.com/zeromq/zeromq4-x/pull/120 upstream to fix the next release so we can remove the temporary patch.

Comments on the pull request:

This resolves the following error seen at compile time with Clang 3.6 on FreeBSD 11-CURRENT and Clang 3.4.1 on FreeBSD 10.1-RELEASE.

c++ -DHAVE_CONFIG_H -I. -I../src -I../include -I../include -pedantic -Werror -Wall -D__BSD_VISIBLE -D_REENTRANT -D_THREAD_SAFE -I/usr/local/include -DZMQ_FORCE_KQUEUE -O2 -pipe -Wno-long-long -fstack-protector -fno-strict-aliasing -MT test_proxy_terminate.o -MD -MP -MF .deps/test_proxy_terminate.Tpo -c -o test_proxy_terminate.o test_proxy_terminate.cpp
test_proxy_terminate.cpp:113:2: error: no newline at end of file [-Werror,-Wnewline-eof]
}
^
1 error generated.
*** Error code 1

This also resolves the following compile time error seen with GCC on FreeBSD 8.4-RELEASE

c++ -DHAVE_CONFIG_H -I. -I../src -I../include -I../include -pedantic -Werror -Wall -D__BSD_VISIBLE -D_REENTRANT -D_THREAD_SAFE -I/usr/local/include -DZMQ_FORCE_KQUEUE -O2 -pipe -Wno-long-long -fstack-protector -fno-strict-aliasing -MT test_proxy_terminate.o -MD -MP -MF .deps/test_proxy_terminate.Tpo -c -o test_proxy_terminate.o test_proxy_terminate.cpp
test_proxy_terminate.cpp:113:2: error: no newline at end of file
Comment 2 Jason Unovitch freebsd_committer 2015-06-04 23:49:30 UTC
Created attachment 157422
Poudriere testport build logs from 10.1-RELEASE amd64

Poudriere log from 10.1-RELEASE attached for a sanity check.  As usual, I was able to successfully run a 'testport' build on the following releases (info from `poudriere jail -l`)
8.4-RELEASE-p28      amd64
8.4-RELEASE-p28      i386
9.3-RELEASE-p14      amd64
9.3-RELEASE-p14      i386
10.1-RELEASE-p10     amd64
10.1-RELEASE-p10     i386
11.0-CURRENT r282869 amd64
11.0-CURRENT r282869 i386

vuxml is forthcoming.
Comment 3 Jason Unovitch freebsd_committer 2015-06-05 01:14:07 UTC
Created attachment 157427
security/vuxml entry for libzmq4 and CVE-2014-9721

Koobs,
I'm assuming we're going to update libzmq4 to the 4.1.x branch at some point.  I attempted to be proactive here and document that version here for correctness even if the vulnerable version hasn't been in ports.  If that doesn't make sense the 4.1.x line can be removed.  Otherwise vuxml is ready to go.  See validation below.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml


# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.0.5
libzmq4-4.0.5 is vulnerable:
libzmq4 -- V3 protocol handler vulnerable to downgrade attacks
CVE: CVE-2014-9721
WWW: http://vuxml.FreeBSD.org/freebsd/10a6d0aa-0b1c-11e5-bb90-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.0.6
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.1.0
libzmq4-4.1.0 is vulnerable:
libzmq4 -- V3 protocol handler vulnerable to downgrade attacks
CVE: CVE-2014-9721
WWW: http://vuxml.FreeBSD.org/freebsd/10a6d0aa-0b1c-11e5-bb90-002590263bf5.html

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libzmq4-4.1.1
0 problem(s) in the installed packages found.
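
The version-range matching that the pkg audit runs above exercise, as an added example that is not part of the original comment or of the attached vuxml patch. The XML fragment is constructed and simplified: the vid and topic are quoted from the page, the range bounds are an assumption inferred from the four audit results, and the version compare handles dotted numeric versions only.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed, simplified VuXML fragment (not the attached patch). The vid and
# topic are quoted from the page; the <range> bounds are an assumption inferred
# from the pkg audit results shown in the comment above.
VUXML = """
<vuxml>
  <vuln vid="10a6d0aa-0b1c-11e5-bb90-002590263bf5">
    <topic>libzmq4 -- V3 protocol handler vulnerable to downgrade attacks</topic>
    <affects>
      <package>
        <name>libzmq4</name>
        <range><lt>4.0.6</lt></range>
        <range><ge>4.1.0</ge><lt>4.1.1</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def parse_version(text):
    """Dotted numeric versions only; pkg(8) also handles _PORTREVISION and ,PORTEPOCH."""
    return tuple(int(part) for part in text.split("."))

def audit(name, version, vuxml=VUXML):
    """Return the vid of every entry with a <range> that contains name-version."""
    installed = parse_version(version)
    hits = []
    for vuln in ET.fromstring(vuxml).iter("vuln"):
        for package in vuln.iter("package"):
            if name not in [n.text for n in package.findall("name")]:
                continue
            # Bounds inside one <range> are ANDed; separate <range>s are ORed.
            if any(all(OPS[b.tag](installed, parse_version(b.text)) for b in rng)
                   for rng in package.findall("range")):
                hits.append(vuln.get("vid"))
                break
    return hits

if __name__ == "__main__":
    for v in ("4.0.5", "4.0.6", "4.1.0", "4.1.1"):
        print(f"libzmq4-{v}:", audit("libzmq4", v) or "0 problem(s)")
```

Listing the unreleased-in-ports 4.1.0 as its own bounded range is what keeps a later move to the 4.1.x branch from silently landing on a vulnerable version.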
Comment 4 Jason Unovitch freebsd_committer 2015-06-05 01:24:30 UTC
Grrr. During runtime validation my salt master and salt minions are not communicating after this update.  Hold off on the port patch at least.
Comment 5 Jason Unovitch freebsd_committer 2015-06-05 01:58:11 UTC
Created attachment 157428
security/vuxml entry for libzmq4 and CVE-2014-9721

Include <freebsdpr>200502</freebsdpr> in vuxml entry this time.
Comment 6 Jason Unovitch freebsd_committer 2015-06-05 02:32:44 UTC
The best I can tell, libzmq4-4.0.6 appears to have a run time regression that impacts communications.

In my test cases I used Salt to vet run time of the updated library.  The Salt master only works with 4.0.5 and on 4.0.6 will result in one of the salt processes pegging 100% CPU.  The client is not affected and is able to use both 4.0.5 and 4.0.6 with no ill effect.

Example:
60190 saltmaster       7 103    0   192M 31652K CPU1    1   1:03 100.00% python2.7

Test matrix:
Salt master  -- Salt minion
libzmq-4.0.6 -- libzmq-4.0.6 -- FAIL (No clients can connect, 100% CPU for salt master)
libzmq-4.0.6 -- libzmq-4.0.5 -- FAIL (No clients can connect, 100% CPU for salt master)
libzmq-4.0.5 -- libzmq-4.0.6 -- PASS
libzmq-4.0.5 -- libzmq-4.0.5 -- PASS
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-05 03:19:55 UTC
(In reply to Jason Unovitch from comment #4)

Thanks for the patches and update Jason. What should we do from here given the runtime regression?
Comment 8 Jason Unovitch freebsd_committer 2015-06-06 02:58:33 UTC
Created attachment 157449
net/libzmq4: update to 4.1.1 to resolve CVE-2014-9721

Security update to 4.1.1

PR:		200502
Security:	10a6d0aa-0b1c-11e5-bb90-002590263bf5
Security:	CVE-2014-9721
Submitted by:	Jason Unovitch <jason unovitch gmail com>
Reported by:	Sevan Janiyan <venture37 geeklan co uk>
MFH:		2015Q2
Comment 9 Jason Unovitch freebsd_committer 2015-06-06 03:02:24 UTC
Created attachment 157450
Poudriere Build Logs from 10.1-RELEASE-p10 amd64

Build time looks good.  Updated testport log attached.  Also builds on all releases as mentioned above.

No obvious issues noted at run time.  I validated successful communication between the following combos.

Salt Master   -- Salt Minion
libzmq4-4.1.1 -- libzmq4-4.0.5
libzmq4-4.1.1 -- libzmq4-4.1.1
libzmq4-4.1.1 -- 4.0.4 (Ubuntu)
Comment 10 Jason Unovitch freebsd_committer 2015-06-06 03:10:02 UTC
Koobs,
I went the route of bumping the minor revision to the 4.1.x.  Based off the link below, the 4.0.x series is frozen so now is as good a time as any to update to the next minor revision.

http://lists.zeromq.org/pipermail/zeromq-dev/2015-June/028996.html

Items of note:
1.  There was an issue installing man pages that required a post-configure target.  Pull request with upstream has been accepted to the development libzmq repo.  I will ensure it gets in zeromq/zeromq4-1 so that post-configure can be removed next update.

https://github.com/zeromq/libzmq/issues/1429

2.  Remove the --with-system-pgm as that option is no longer available in the ./configure script.
configure: WARNING: unrecognized options: --with-system-pgm


I appreciate the review and comments.  This has been working well for me so far.  The security/vuxml is already good to go as I had put 4.1.1 as being fixed from the start.

Jason
Comment 11 Jason Unovitch freebsd_committer 2015-06-08 09:47:30 UTC
(In reply to Jason Unovitch from comment #10)

Regarding my comment on 1.  The fix for the man page install issue was merged in the 4.1 stable branch and development branch here.  A "# TODO: Remove post-configure target after 4.1.2 release" comment may be justified so nobody forgets that was only needed temporarily.
 
https://github.com/zeromq/zeromq4-1/pull/36
https://github.com/zeromq/libzmq/pull/1430
Comment 12 Jason Unovitch freebsd_committer 2015-06-10 00:42:01 UTC
Koobs,
Did you need anything else from me to get this pushed into ports?  As I said before 4.1.1 didn't suffer any run time issues.  My Salt master has been working fine since the update.

Jason
Comment 13 commit-hook freebsd_committer 2015-06-10 18:09:46 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 10 18:09:21 UTC 2015
New revision: 389118
URL: https://svnweb.freebsd.org/changeset/ports/389118

Log:
  Document libzmq4 V3 protocol handler protocol downgrade vulnerability.

  PR:		200502
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 14 Xin LI freebsd_committer 2015-06-10 18:09:56 UTC
Comment on attachment 157428
security/vuxml entry for libzmq4 and CVE-2014-9721

Vuxml patch committed.
Comment 15 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 06:59:44 UTC
*** Bug 200843 has been marked as a duplicate of this bug. ***
Comment 16 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 07:03:04 UTC
Apparent issues with pyzmq, see: bug 200843, comment 2
Comment 17 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 07:23:26 UTC
Update & QA in progress. 

A couple of issues to sort out:

1) .pc files need to be in libdata

-libdata/pkgconfig/libzmq.pc
+lib/pkgconfig/libzmq.pc

2) --with-system-pgm was replaced with:

--with-pgm              build libzmq with PGM extension. Requires pkg-config
                          [default=no]

3) Backport merged man page fix
Comment 18 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 07:26:37 UTC
Another item:

--with-libsodium now requires pkg-config, and doesn't take arguments
Comment 19 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 09:00:16 UTC
Upstream (pyzmq) evidence of breakage with 4.1.1

https://github.com/zeromq/pyzmq/pull/677
https://github.com/zeromq/pyzmq/pull/678
https://github.com/zeromq/pyzmq/pull/678#issuecomment-109784824

The following pyzmq tests fail with 4.1.1 installed:

ERROR: test_single_socket_forwarder_bind (zmq.tests.test_device.TestDevice)
RuntimeError: context could not terminate, open sockets likely remain in test

ERROR: test_single_socket_forwarder_connect (zmq.tests.test_device.TestDevice)
RuntimeError: context could not terminate, open sockets likely remain in test

FAIL: test_single_socket_forwarder_bind (zmq.tests.test_device.TestDevice)
AssertionError: Should have received a message

FAIL: test_single_socket_forwarder_connect (zmq.tests.test_device.TestDevice)
AssertionError: Should have received a message
Comment 20 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 09:12:32 UTC
Not sure yet what we can do at the moment. Options appear to be:

1) Land 4.1.1, break pyzmq (and potentially other consumers)
2) Wait for 4.1.2, leave security fix pending

Note:

It doesn't look like 4.1.2 will revert the ABI breakage (I note a bump of the ABI version upstream [1]) so we'll likely be blocked by an update of pyzmq anyway, even when 4.1.2 lands.

[1] https://github.com/zeromq/zeromq4-1/pull/39

Thoughts?
Comment 21 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 10:08:22 UTC
Upstream has released 4.1.2 and 4.0.7 (after I mentioned it on twitter), and the ABI change has remained (with associated version bump).

I've also notified pyzmq upstream:

https://github.com/zeromq/pyzmq/pull/678#issuecomment-112003990
Comment 22 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 10:12:43 UTC
Dependent ports will need a PORTREVISION for this update given a shared library major version bump in 4.1.2 (4 -> 5)
Comment 23 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 10:17:58 UTC
pyzmq passes its tests with 4.1.2:

Ran 176 tests in 17.177s
Comment 24 commit-hook freebsd_committer 2015-06-15 11:07:35 UTC
A commit references this bug:

Author: koobs
Date: Mon Jun 15 11:06:52 UTC 2015
New revision: 389682
URL: https://svnweb.freebsd.org/changeset/ports/389682

Log:
  net/libzmq4: Update to 4.1.2, Fixes CVE-2014-9721

  - Update to 4.1.2
  - Update pkg-plist
  - USES: pkg-config is now a global dependency
  - OPTIONS: with-system-pgm is now with-pgm, update helpers
  - OPTIONS: with-libsodium no longer takes args, update helpers
  - Override pkgconfigdir via configure, deprecate USES: pathfix

  - Bump PORTREVISION for dependent ports for shared library version
    change

  While I'm here:

  - Whitespace align Makefile

  Based on:

  PR:		200502
  Reported by:	Sevan Janiyan <venture37 geeklan co uk>
  Submitted by:	Jason Unovitch <jason.unovitch gmail com>
  MFH:		2015Q2
  Security:	10a6d0aa-0b1c-11e5-bb90-002590263bf5
  Security:	CVE-2014-9721

Changes:
  head/dns/powerdns/Makefile
  head/net/czmq/Makefile
  head/net/libzmq4/Makefile
  head/net/libzmq4/distinfo
  head/net/libzmq4/pkg-plist
  head/net/ntopng/Makefile
  head/net/pecl-zmq/Makefile
  head/net/py-pyzmq/Makefile