oss-sec mailing list archives

Re: CVE Request: zeromq downgrade attack


From: Alessandro Ghedini <alessandro () ghedini me>
Date: Fri, 22 May 2015 11:46:02 +0200

On Thu, May 21, 2015 at 10:16:53AM -0400, cve-assign () mitre org wrote:
> // Is the peer using ZMTP/1.0 with no revision number?
> if (greeting_recv [0] != 0xff || !(greeting_recv [9] & 0x01)) {
>     if (session->zap_enabled ()) {
>         // Reject ZMTP 1.0 connections if ZAP is enabled
>         error ();
>
> if (greeting_recv [revision_pos] == ZMTP_1_0) {
>     if (session->zap_enabled ()) {
>         // Reject ZMTP 1.0 connections if ZAP is enabled
>         error ();
>
> if (greeting_recv [revision_pos] == ZMTP_2_0) {
>     if (session->zap_enabled ()) {
>         // Reject ZMTP 1.0 connections if ZAP is enabled
>         error ();
>
> We think there is essentially only one vulnerability, and it was fixed
> by that commit, but it is somewhat confusing because of an apparent
> typo in a comment. Shouldn't the "== ZMTP_2_0" test have a "Reject
> ZMTP 2.0" comment?

Yes, I think that was due to a copy-paste error when backporting the patches.

The current git version has the correct comment [0].

Cheers

[0] https://github.com/zeromq/libzmq/blob/f03a78bbfc205e12591a256914c6d53cc57e9023/src/stream_engine.cpp#L609
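The three greeting checks quoted above, collected into one stand-alone decision function as an added example (not code from libzmq or from either poster). It assumes the libzmq layout of a 10-byte signature followed by the revision byte at offset 10, and the constant values ZMTP_1_0 = 0, ZMTP_2_0 = 1, ZMTP_3_0 = 3; the thread only names the identifiers.

```cpp
#include <cstddef>
#include <cstdint>

// Assumed values (not stated on the page): revision numbers as sent in
// the ZMTP greeting, and the position of the revision byte.
enum { ZMTP_1_0 = 0, ZMTP_2_0 = 1, ZMTP_3_0 = 3 };
static const size_t signature_size = 10;  // 0xff, 8 bytes, 0x7f
static const size_t revision_pos = 10;    // byte right after the signature

enum greeting_verdict { NEED_MORE, ACCEPT, REJECT };

// Mirrors the fixed logic: when ZAP (authentication) is enabled, a peer
// announcing ZMTP 1.0 or 2.0, neither of which carries a security
// mechanism, is refused instead of being served unauthenticated.
greeting_verdict classify_greeting (const uint8_t *greeting_recv,
                                    size_t len, bool zap_enabled)
{
    if (len < signature_size)
        return NEED_MORE;

    // Is the peer using ZMTP/1.0 with no revision number?
    // (no 0xff long-frame marker, or the 0x7f byte's low bit is clear)
    if (greeting_recv[0] != 0xff || !(greeting_recv[9] & 0x01))
        return zap_enabled ? REJECT : ACCEPT;

    if (len < revision_pos + 1)
        return NEED_MORE;  // revision byte not received yet

    const uint8_t revision = greeting_recv[revision_pos];
    if (revision == ZMTP_1_0 || revision == ZMTP_2_0)
        return zap_enabled ? REJECT : ACCEPT;  // downgrade when ZAP is on

    if (revision == ZMTP_3_0)
        return ACCEPT;  // mechanism is negotiated later in the greeting

    return REJECT;  // unknown revision: refuse rather than guess (example policy)
}
```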
