From 3e3b37d5cc1018c62acdf42b92060e32a2f207f47b4653fbffff59ac73c240ea Mon Sep 17 00:00:00 2001 
From: Adam Majer
Date: Mon, 7 Sep 2020 17:11:05 +0000
Subject: [PATCH 1/2] - New upstream version 4.3.3:

  * Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated
    clients. (CVE-2020-15166, bsc#1176116)
    If a raw TCP socket is opened and connected to an endpoint that is fully
    configured with CURVE/ZAP, legitimate clients will not be able to exchange
    any message. Handshakes complete successfully, and messages are delivered
    to the library, but the server application never receives them.
    For more information see the security advisory:
    https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
  * Stack overflow on server running PUB/XPUB socket (CURVE disabled).
    The PUB/XPUB subscription store (mtrie) is traversed using recursive
    function calls. In the remove (unsubscription) case, the recursive calls
    are NOT tail calls, so even with optimizations the stack grows linearly
    with the length of a subscription topic. Topics are under the control of
    remote clients - they can send a subscription to arbitrary length topics.
    An attacker can thus cause a server to create an mtrie sufficiently large
    such that, when unsubscribing, traversal will cause a stack overflow.
    For more information see the security advisory:
    https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
  * Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
    Messages with metadata are never processed by PUB sockets, but the
    metadata is kept referenced in the PUB object and never freed.
    For more information see the security advisory:
    https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
  * Memory leak in client induced by malicious server(s) without CURVE/ZAP.
    When a pipe processes a delimiter and is already not in active state but
    still has an unfinished message, the message is leaked.
For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 * Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled). OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=74 --- zeromq-4.3.2.tar.gz | 3 --- zeromq-4.3.3.tar.gz | 3 +++ zeromq.changes | 44 ++++++++++++++++++++++++++++++++++++++++++++ zeromq.spec | 4 ++-- 4 files changed, 49 insertions(+), 5 deletions(-) delete mode 100644 zeromq-4.3.2.tar.gz create mode 100644 zeromq-4.3.3.tar.gz diff --git a/zeromq-4.3.2.tar.gz b/zeromq-4.3.2.tar.gz deleted file mode 100644 index d62820a..0000000 --- a/zeromq-4.3.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763 -size 1697442 diff --git a/zeromq-4.3.3.tar.gz b/zeromq-4.3.3.tar.gz new file mode 100644 index 0000000..aab58b0 --- /dev/null +++ b/zeromq-4.3.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2 +size 2117050 diff --git a/zeromq.changes b/zeromq.changes index 8e902c8..d71bca7 100644 --- a/zeromq.changes +++ b/zeromq.changes 
@@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Mon Sep 7 16:56:09 UTC 2020 - Adam Majer + +- New upstream version 4.3.3: + * Denial-of-Service on CURVE/ZAP-protected servers by + unauthenticated clients. (CVE-2020-15166, bsc#1176116) + If a raw TCP socket is opened and connected to an endpoint that is fully + configured with CURVE/ZAP, legitimate clients will not be able to exchange + any message. Handshakes complete successfully, and messages are delivered to + the library, but the server application never receives them. + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m + * Stack overflow on server running PUB/XPUB socket (CURVE disabled). + The PUB/XPUB subscription store (mtrie) is traversed using recursive + function calls. In the remove (unsubscription) case, the recursive calls are + NOT tail calls, so even with optimizations the stack grows linearly with the + length of a subscription topic. Topics are under the control of remote + clients - they can send a subscription to arbitrary length topics. An + attacker can thus cause a server to create an mtrie sufficiently large such + that, when unsubscribing, traversal will cause a stack overflow. + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8 + * Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP. + Messages with metadata are never processed by PUB sockets, but the metadata + is kept referenced in the PUB object and never freed. + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw + * Memory leak in client induced by malicious server(s) without CURVE/ZAP. + When a pipe processes a delimiter and is already not in active state but + still has an unfinished message, the message is leaked. 
+ For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 + * Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled). + By crafting a packet which is not valid ZMTP v2/v3, and which has two + messages larger than 8192 bytes, the decoder can be tricked into changing + the recorded size of the 8192 bytes static buffer, which then gets overflown + by the next message. The content that gets written in the overflown memory + is entirely decided by the sender. + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 + +For complete list of changes, see +https://github.com/zeromq/libzmq/releases/tag/v4.3.3 + ------------------------------------------------------------------- Tue Jul 9 07:35:29 UTC 2019 - Vítězslav Čížek diff --git a/zeromq.spec b/zeromq.spec index 9628e64..4d368c6 100644 --- a/zeromq.spec +++ b/zeromq.spec @@ -1,7 +1,7 @@ # # spec file for package zeromq # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %bcond_with pgm %endif Name: zeromq -Version: 4.3.2 +Version: 4.3.3 Release: 0 Summary: Lightweight messaging kernel License: LGPL-3.0-or-later From 900467cba635c506a932a0c93a9734c8a2217c4e540e698d1ececfcaaaaef0b1 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Mon, 5 Oct 2020 12:37:13 +0000 Subject: [PATCH 2/2] Add missing bug numbers to changelog OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=75 --- zeromq.changes | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/zeromq.changes b/zeromq.changes index d71bca7..66a613d 100644 --- a/zeromq.changes +++ b/zeromq.changes 
@@ -17,17 +17,17 @@ Mon Sep 7 16:56:09 UTC 2020 - Adam Majer length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such - that, when unsubscribing, traversal will cause a stack overflow. + that, when unsubscribing, traversal will cause a stack overflow. (bsc#1176258) For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8 * Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP. Messages with metadata are never processed by PUB sockets, but the metadata - is kept referenced in the PUB object and never freed. + is kept referenced in the PUB object and never freed. (bsc#1176257) For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw * Memory leak in client induced by malicious server(s) without CURVE/ZAP. When a pipe processes a delimiter and is already not in active state but - still has an unfinished message, the message is leaked. + still has an unfinished message, the message is leaked. (bsc#1176259) For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 * Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled). @@ -35,7 +35,7 @@ Mon Sep 7 16:56:09 UTC 2020 - Adam Majer messages larger than 8192 bytes, the decoder can be tricked into changing the recorded size of the 8192 bytes static buffer, which then gets overflown by the next message. The content that gets written in the overflown memory - is entirely decided by the sender. + is entirely decided by the sender. (bsc#1176256) For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
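Review bot: the two tarball hunks swap one LFS pointer for another (`+oid sha256:9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2`, `+size 2117050`) and nothing in the series records how that archive was checked against upstream's published v4.3.3 release; for a security update, please state in the commit message that the digest was verified against the upstream signed release so a reviewer can tell a verified tarball from a locally repacked one.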
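Review bot: in the first patch's zeromq.changes hunk only the opening entry carries a tracking reference (`+ unauthenticated clients. (CVE-2020-15166, bsc#1176116)`); the stack overflow, the two memory leaks and the heap overflow entries have none, and the second patch in this series exists solely to add bsc#1176258, bsc#1176257, bsc#1176259 and bsc#1176256 to those lines. Squash the two commits so the changelog that lands with the version bump is complete from its first revision. The same hunk also carries the full heap overflow description and the link https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6, while the [PATCH 1/2] commit message stops that entry at its title line; keep the commit message in step with the changelog so the history is self-contained.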
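Review bot: in the second patch's hunk the new bug references are appended to the last sentence of each description, e.g. `+ that, when unsubscribing, traversal will cause a stack overflow. (bsc#1176258)` and `+ is entirely decided by the sender. (bsc#1176256)`, whereas the first entry in the same changelog places its reference on the title line (`(CVE-2020-15166, bsc#1176116)`). Put all references on the title line of their entry so the format is uniform and the numbers are easy to find with a grep over the changelog.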