Bug 1189510 (CVE-2021-20237)

Summary:	VUL-0: CVE-2021-20237: zeromq: Memory leaks via metadata messages processed by PUB sockets
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Robert Frohl <rfrohl>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED DUPLICATE	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	gabriele.sonnu, meissner, salt-maintainers, smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/277870/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-20237:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Robert Frohl 2021-08-17 11:08:41 UTC

rh#1921989

A flaw was found in zeromq before 4.3.3. Messages with metadata are never processed by PUB sockets, but the metadata is kept referenced in the PUB object and never freed leading to memory leaks.

References:

https://github.com/zeromq/libzmq/pull/3935
https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22344

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1921989
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20237
https://access.redhat.com/security/cve/CVE-2021-20237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20237
https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw

Comment 1 Robert Frohl 2021-08-17 13:05:18 UTC

tracking as affected:

- SUSE:SLE-15:Update/zeromq

Comment 4 Gabriele Sonnu 2022-04-06 15:09:32 UTC

Closing as duplicated.

*** This bug has been marked as a duplicate of bug 1176259 ***