Date: Sat, 20 Nov 2021 22:15:24 +0000
From: "Thomas Merkel"
Subject: CVS commit: [pkgsrc-2021Q3] pkgsrc/net/zeromq
To: pkgsrc-changes@NetBSD.org
Reply-To: tm@netbsd.org

Module Name: pkgsrc
Committed By: tm
Date: Sat Nov 20 22:15:24 UTC 2021

Modified Files:
    pkgsrc/net/zeromq [pkgsrc-2021Q3]: Makefile PLIST distinfo
    pkgsrc/net/zeromq/patches [pkgsrc-2021Q3]: patch-src_ipc__listener.cpp patch-src_tcp__listener.cpp

Log Message:
Pullup ticket #6532 - requested by bsiegert
net/zeromq: security fix

Revisions pulled up:
- net/zeromq/Makefile 1.32
- net/zeromq/PLIST 1.11
- net/zeromq/distinfo 1.34
- net/zeromq/patches/patch-src_ipc__listener.cpp 1.5
- net/zeromq/patches/patch-src_tcp__listener.cpp 1.6

---
Module Name: pkgsrc
Committed By: adam
Date: Sun Nov 14 20:15:46 UTC 2021

Modified Files:
    pkgsrc/net/zeromq: Makefile PLIST distinfo
    pkgsrc/net/zeromq/patches: patch-src_ipc__listener.cpp patch-src_tcp__listener.cpp

Log Message:
zeromq: updated to 4.3.4

libzmq 4.3.4

New DRAFT (see NEWS for 4.2.0) socket option:
ZMQ_PRIORITY will set the SO_PRIORITY socket option on the underlying sockets. Only supported on Linux.
See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.

Fixed 4113 - compilation errors on kFreeBSD and GNU/Hurd
Fixed 4086 - excessive amount of socket files left behind in Windows TMP directory
Fixed 4108 - regression that breaks using IPv6 link-local addresses on Linux
Fixed 4078 - compilation errors on Android
Fixed 4074 - compilation error with ulibc and libbsd
Fixed 4060 - stack overflow on Windows x64
Fixed 4051 - various compilation errors on Windows ARM 32bit
Fixed 4043 - various compilation warnings with XCode
Fixed 4038 - return value of zmq_ctx_get changed unintentionally

libzmq 4.3.3

Security advisories:

CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.
For more information see the security advisory: GHSA-25wp-cf8g-938m

Stack overflow on server running PUB/XPUB socket (CURVE disabled).
The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case, the recursive calls are NOT tail calls, so even with optimizations the stack grows linearly with the length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such that, when unsubscribing, traversal will cause a stack overflow.
For more information see the security advisory: GHSA-qq65-x72m-9wr8

Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
Messages with metadata are never processed by PUB sockets, but the metadata is kept referenced in the PUB object and never freed.
For more information see the security advisory: GHSA-4p5v-h92w-6wxw

Memory leak in client induced by malicious server(s) without CURVE/ZAP.
When a pipe processes a delimiter and is already not in active state but still has an unfinished message, the message is leaked.
For more information see the security advisory: GHSA-wfr2-29gj-5w87

Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
By crafting a packet which is not valid ZMTP v2/v3, and which has two messages larger than 8192 bytes, the decoder can be tricked into changing the recorded size of the 8192 bytes static buffer, which then gets overflown by the next message. The content that gets written in the overflown memory is entirely decided by the sender.
For more information see the security advisory: GHSA-fc3w-qxf5-7hp6

Note for packagers: an external, self-contained sha1 library is now included in the source tree under external/sha1/ - it is licensed under BSD-3-Clause and thus it is fully compatible with libzmq's license. It is only used if WebSockets support is enabled, and if neither GnuTLS nor NSS are available.

Note for packagers: an internal reimplementation of strlcpy is now included, for wider platform compatibility. libbsd can be used and is enabled by default if available instead of the internal implementation, for better security maintenance in distros.

Note for packagers: ZeroMQConfig.cmake is now installed in the arch-dependent subdirectory - eg: /usr/lib/x86_64-linux-gnu/cmake/

New DRAFT (see NEWS for 4.2.0) socket type:
ZMQ_CHANNEL is a thread-safe alternative to ZMQ_PAIR.
See doc/zmq_socket.txt for details.

New DRAFT (see NEWS for 4.2.0) socket option:
ZMQ_ONLY_FIRST_SUBSCRIBE will cause only the first part of a multipart message to be processed as a subscribe/unsubscribe message, and the rest will be forwarded as user data to the application.
ZMQ_RECONNECT_STOP will cause a connecting socket to stop trying to reconnect in specific circumstances.
See the manpage for details.
ZMQ_HELLO_MSG to set a message that will be automatically sent to a new connection.
ZMQ_DISCONNECT_MSG to set a message that will be automatically received when a peer disconnects.
See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.

New DRAFT (see NEWS for 4.2.0) zmq_ctx_get_ext/zmq_ctx_set_ext APIs were added to allow enhancing the context options with variable data inputs.
See doc/zmq_ctx_get_ext.txt and doc/zmq_ctx_set_ext.txt for details.

New DRAFT (see NEWS for 4.2.0) transport options WS and WSS added for support of WebSockets (and secure WebSockets via TLS) via the ZWS 2.0 protocol. WSS requires the GnuTLS library for TLS support. ZMQ_WSS_ specific socket options were added to support TLS. WebSockets support is disabled by default if DRAFT APIs are disabled.

New DRAFT (see NEWS for 4.2.0) socket type, PEER, which is thread safe and a related zmq_connect_peer function which atomically and thread-safely connects and returns a routing-id.

New DRAFT (see NEWS for 4.2.0) zmq_msg_init_buffer API was added to allow the construction of a message by copying from an existing buffer.

New DRAFT (see NEWS for 4.2.0) zmq_poller_size API was added to allow querying the number of sockets/fds registered in a zmq_poller.

ZMTP 3.1 peers will receive subscribe/cancel on PUB/SUB via commands rather than using the first byte of the payload.

zmq_z85_decode now checks that the input string's length is at least 5 characters and always a multiple of 5 as per API specification.

Fixed 3566 - malformed CURVE message can cause memory leak
Fixed 3567 - missing ZeroMQ_INCLUDE_DIR in ZeroMQConfig.cmake when only static lib is built
Fixed 3576 - CURVE plaintext secrets now stored in libsodium's secure memory
Fixed 3588 - install debug libraries for debug msvc builds with CMake
Fixed 3591 - incorrect ZMQ_MAX_SOCKETS default value in doc
Fixed 3594 - fixed stream_engine use after free due to concurrent heartbeats
Fixed 3586 - error when compiling with MinGW due to usage of MS-specific __except keyword
Fixed 3603 - fixed CMake build on SL6.9
Fixed 3607 - added scripts to ease performance graph generation
Fixed 3608 - fix for IPv4 mapping not supported in DragonFlyBSD
Fixed 3636 - added ENABLE_PRECOMPILED CMake option to fix build with Ninja
Fixed 2862 - UDP engine aborts on networking-related errors from socket syscalls
Fixed 3656 - segfault on sending data from XSUB to XPUB
Fixed 3646 - static-only test run fails
Fixed 3668 - fixed CMAKE_CXX_FLAGS_* regexes on MSVC
Fixed 110 - do not include winsock2.h in public zmq.h header
Fixed 3683 - allow "configure --disable-maintainer-mode"
Fixed 3686 - fix documentation about sockets blocking on send operations
Fixed 3323 - fix behavior of ZMQ_CONFLATE on PUB sockets
Fixed 3698 - fix build on IBM i/PASE/os400
Fixed 3705 - zero-sized messages cause assertion when glibc assertion are on
Fixed 3713 - remove dependency on math library by avoiding std::ceil
Fixed 3694 - build targeting Windows XP is broken
Fixed 3691 - added support for IPC on Windows 10 via AF_UNIX
Fixed 3725 - disable by default test that requires sudo on CMake
Fixed 3727 - fix zmq_poller documentation example
Fixed 3729 - do not check for FD_OOB when using WSAEventSelect on Windows
Fixed 3738 - allow renaming the library in CMake
Fixed 1808 - use AF_UNIX instead of TCP for the internal socket on Windows 10
Fixed 3758 - fix pthread_set_affinity detection in CMake
Fixed 3769 - fix undefined behaviour in array.hpp
Fixed 3772 - fix compiling under msys2-mingw
Fixed 3775 - add -latomic to the private libs flag in pkg-config if needed
Fixed 3778 - fix documentation of zmq_poller's thread safety
Fixed 3792 - do not allow creation of new sockets after zmq_ctx_shutdown
Fixed 3805 - improve performance of CURVE by reducing copies
Fixed 3814 - send subscribe/cancel as commands to ZMTP 3.1 peers
Fixed 3847 - fix building without PGM and NORM
Fixed 3849 - install .cmake file in arch-dependent subdirectory
Fixed 4005 - allow building on Windows ARM/ARM64

To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.31.18.1 pkgsrc/net/zeromq/Makefile
cvs rdiff -u -r1.10 -r1.10.18.1 pkgsrc/net/zeromq/PLIST
cvs rdiff -u -r1.31 -r1.31.14.1 pkgsrc/net/zeromq/distinfo
cvs rdiff -u -r1.4 -r1.4.18.1 \
    pkgsrc/net/zeromq/patches/patch-src_ipc__listener.cpp
cvs rdiff -u -r1.5 -r1.5.18.1 \
    pkgsrc/net/zeromq/patches/patch-src_tcp__listener.cpp

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/zeromq/Makefile diff -u pkgsrc/net/zeromq/Makefile:1.31 pkgsrc/net/zeromq/Makefile:1.31.18.1 --- pkgsrc/net/zeromq/Makefile:1.31 Fri Aug 9 12:01:34 2019 +++ pkgsrc/net/zeromq/Makefile Sat Nov 20 22:15:24 2021 
@@ -1,18 +1,17 @@ -# $NetBSD: Makefile,v 1.31 2019/08/09 12:01:34 adam Exp $ +# $NetBSD: Makefile,v 1.31.18.1 2021/11/20 22:15:24 tm Exp $ -DISTNAME= zeromq-4.3.2 +DISTNAME= zeromq-4.3.4 CATEGORIES= net devel MASTER_SITES= ${MASTER_SITE_GITHUB:=zeromq/} GITHUB_PROJECT= libzmq GITHUB_RELEASE= v${PKGVERSION_NOREV} MAINTAINER= pkgsrc-users@NetBSD.org -HOMEPAGE= http://www.zeromq.org/ +HOMEPAGE= https://zeromq.org/ COMMENT= The ZeroMQ messaging library LICENSE= gnu-lgpl-v3 USE_LANGUAGES= c c99 gnu++11 - USE_LIBTOOL= yes USE_TOOLS+= gmake pkg-config GNU_CONFIGURE= yes Index: pkgsrc/net/zeromq/PLIST diff -u pkgsrc/net/zeromq/PLIST:1.10 pkgsrc/net/zeromq/PLIST:1.10.18.1 --- pkgsrc/net/zeromq/PLIST:1.10 Fri Aug 9 12:01:34 2019 +++ pkgsrc/net/zeromq/PLIST Sat Nov 20 22:15:24 2021 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.10 2019/08/09 12:01:34 adam Exp $ +@comment $NetBSD: PLIST,v 1.10.18.1 2021/11/20 22:15:24 tm Exp $ bin/curve_keygen include/zmq.h include/zmq_utils.h @@ -13,6 +13,7 @@ man/man3/zmq_atomic_counter_value.3 man/man3/zmq_bind.3 man/man3/zmq_close.3 man/man3/zmq_connect.3 +man/man3/zmq_connect_peer.3 man/man3/zmq_ctx_get.3 man/man3/zmq_ctx_new.3 man/man3/zmq_ctx_set.3 @@ -30,6 +31,7 @@ man/man3/zmq_msg_data.3 man/man3/zmq_msg_get.3 man/man3/zmq_msg_gets.3 man/man3/zmq_msg_init.3 +man/man3/zmq_msg_init_buffer.3 man/man3/zmq_msg_init_data.3 man/man3/zmq_msg_init_size.3 man/man3/zmq_msg_more.3 Index: pkgsrc/net/zeromq/distinfo diff -u pkgsrc/net/zeromq/distinfo:1.31 pkgsrc/net/zeromq/distinfo:1.31.14.1 --- pkgsrc/net/zeromq/distinfo:1.31 Wed Mar 18 17:59:51 2020 +++ pkgsrc/net/zeromq/distinfo Sat Nov 20 22:15:24 2021 
@@ -1,10 +1,9 @@ -$NetBSD: distinfo,v 1.31 2020/03/18 17:59:51 joerg Exp $ +$NetBSD: distinfo,v 1.31.14.1 2021/11/20 22:15:24 tm Exp $ -SHA1 (zeromq-4.3.2.tar.gz) = e5253bff214f77621b3d29443f1aa6e5a106ffe5 -RMD160 (zeromq-4.3.2.tar.gz) = 01621ad7d28f7eb2de939441bd1b4f2c21fb3663 -SHA512 (zeromq-4.3.2.tar.gz) = b6251641e884181db9e6b0b705cced7ea4038d404bdae812ff47bdd0eed12510b6af6846b85cb96898e253ccbac71eca7fe588673300ddb9c3109c973250c8e4 -Size (zeromq-4.3.2.tar.gz) = 1697442 bytes -SHA1 (patch-src_generic__mtrie__impl.hpp) = fef217e692a1a14511600f6d2dac96f04779f570 -SHA1 (patch-src_ipc__listener.cpp) = 08b79008e5c331e6cb603244a91abddc55454678 +SHA1 (zeromq-4.3.4.tar.gz) = 47277a64749049123d1401600e8cfbab10a3ae28 +RMD160 (zeromq-4.3.4.tar.gz) = abe97228a215b1bc9fdc0abe1e5b3a9bfe74ab94 +SHA512 (zeromq-4.3.4.tar.gz) = e198ef9f82d392754caadd547537666d4fba0afd7d027749b3adae450516bcf284d241d4616cad3cb4ad9af8c10373d456de92dc6d115b037941659f141e7c0e +Size (zeromq-4.3.4.tar.gz) = 2486520 bytes +SHA1 (patch-src_ipc__listener.cpp) = 4440ed53b04b72ac732377f695716d5017121af3 SHA1 (patch-src_kqueue.cpp) = b0313bf68e3c8b906a2770f625b6706f40fc0530 -SHA1 (patch-src_tcp__listener.cpp) = 8960a2f5e4d59aa8e4e5fd29a4770e9d1b04a21a +SHA1 (patch-src_tcp__listener.cpp) = e806f9776f46668f30c3a2c3baf7e52afd4a7a49 Index: pkgsrc/net/zeromq/patches/patch-src_ipc__listener.cpp diff -u pkgsrc/net/zeromq/patches/patch-src_ipc__listener.cpp:1.4 pkgsrc/net/zeromq/patches/patch-src_ipc__listener.cpp:1.4.18.1 --- pkgsrc/net/zeromq/patches/patch-src_ipc__listener.cpp:1.4 Fri Aug 9 12:01:34 2019 +++ pkgsrc/net/zeromq/patches/patch-src_ipc__listener.cpp Sat Nov 20 22:15:24 2021 
@@ -1,10 +1,10 @@ -$NetBSD: patch-src_ipc__listener.cpp,v 1.4 2019/08/09 12:01:34 adam Exp $ +$NetBSD: patch-src_ipc__listener.cpp,v 1.4.18.1 2021/11/20 22:15:24 tm Exp $ NetBSD<8 has SOCK_CLOEXEC -- but uses it with paccept, not accept4 ---- src/ipc_listener.cpp.orig 2019-07-08 16:19:27.000000000 +0000 +--- src/ipc_listener.cpp.orig 2021-01-03 21:46:01.000000000 +0000 +++ src/ipc_listener.cpp -@@ -350,7 +350,11 @@ zmq::fd_t zmq::ipc_listener_t::accept () +@@ -303,7 +303,11 @@ zmq::fd_t zmq::ipc_listener_t::accept () // resources is considered valid and treated by ignoring the connection. zmq_assert (_s != retired_fd); #if defined ZMQ_HAVE_SOCK_CLOEXEC && defined HAVE_ACCEPT4 @@ -14,5 +14,5 @@ NetBSD<8 has SOCK_CLOEXEC -- but uses it fd_t sock = ::accept4 (_s, NULL, NULL, SOCK_CLOEXEC); +#endif #else - fd_t sock = ::accept (_s, NULL, NULL); - #endif + struct sockaddr_storage ss; + memset (&ss, 0, sizeof (ss)); Index: pkgsrc/net/zeromq/patches/patch-src_tcp__listener.cpp diff -u pkgsrc/net/zeromq/patches/patch-src_tcp__listener.cpp:1.5 pkgsrc/net/zeromq/patches/patch-src_tcp__listener.cpp:1.5.18.1 --- pkgsrc/net/zeromq/patches/patch-src_tcp__listener.cpp:1.5 Fri Aug 9 12:01:34 2019 +++ pkgsrc/net/zeromq/patches/patch-src_tcp__listener.cpp Sat Nov 20 22:15:24 2021 @@ -1,8 +1,8 @@ -$NetBSD: patch-src_tcp__listener.cpp,v 1.5 2019/08/09 12:01:34 adam Exp $ +$NetBSD: patch-src_tcp__listener.cpp,v 1.5.18.1 2021/11/20 22:15:24 tm Exp $ NetBSD<8 has SOCK_CLOEXEC, but uses it with paccept, not accept4 ---- src/tcp_listener.cpp.orig 2019-07-08 16:19:27.000000000 +0000 +--- src/tcp_listener.cpp.orig 2021-01-16 14:15:51.000000000 +0000 +++ src/tcp_listener.cpp @@ -202,8 +202,13 @@ zmq::fd_t zmq::tcp_listener_t::accept () socklen_t ss_len = sizeof (ss); @@ -16,5 +16,5 @@ NetBSD<8 has SOCK_CLOEXEC, but uses it w &ss_len, SOCK_CLOEXEC); +#endif #else - fd_t sock = + const fd_t sock = ::accept (_s, reinterpret_cast (&ss), &ss_len); --_----------=_163744652476160--
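
Review bot: In the pkgsrc/net/zeromq/Makefile hunk, the jump from zeromq-4.3.2 to zeromq-4.3.4 changes only DISTNAME and HOMEPAGE, yet the 4.3.3 notes in the log say libbsd is used by default when it is available. Nothing in the visible lines pins that choice, so the resulting binary could differ depending on what happens to be installed on the build host. Suggest stating the libbsd decision explicitly in the package (either depend on it or disable it at configure time), and naming in the log which of the listed advisories motivated the pullup.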
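
Review bot: In the pkgsrc/net/zeromq/PLIST hunks, man/man3/zmq_connect_peer.3 and man/man3/zmq_msg_init_buffer.3 are added, but the first hunk's context runs straight from man/man3/zmq_ctx_get.3 to man/man3/zmq_ctx_new.3 with no zmq_ctx_get_ext.3, although the log refers to doc/zmq_ctx_get_ext.txt and doc/zmq_ctx_set_ext.txt. Please confirm the list against a fresh install of 4.3.4 (for example with make print-PLIST) so that no installed file is left unregistered.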
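
Review bot: In the pkgsrc/net/zeromq/distinfo hunk, the line SHA1 (patch-src_generic__mtrie__impl.hpp) is dropped, but the Modified Files list names only patch-src_ipc__listener.cpp and patch-src_tcp__listener.cpp under patches/ and shows no removal. Please confirm that patches/patch-src_generic__mtrie__impl.hpp is also removed on pkgsrc-2021Q3, since a patch file left in that directory would no longer be covered by a recorded checksum. A short line in the log saying why the patch is no longer needed with 4.3.4 would help anyone auditing the pullup.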
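
Review bot: In the pkgsrc/net/zeromq/patches/patch-src_ipc__listener.cpp hunk, the added +#endif closes a conditional that sits inside #if defined ZMQ_HAVE_SOCK_CLOEXEC && defined HAVE_ACCEPT4, while the patch comment says NetBSD<8 uses SOCK_CLOEXEC with paccept, not accept4. If HAVE_ACCEPT4 is not defined on those systems, the paccept branch is never compiled and the code takes the #else path, which in the previous revision of this patch was a plain ::accept (_s, NULL, NULL) with no close-on-exec flag. Please confirm the outer guard is true on the targets the comment names, or key the paccept branch on its own feature test; the same question applies to patch-src_tcp__listener.cpp, which carries the same comment.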