FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libzmq4 -- Remote Code Execution Vulnerability

Affected packages
4.2.0 <= libzmq4 < 4.3.1

Details

VuXML ID 8e48365a-214d-11e9-9f8a-0050562a4d7b
Discovery 2019-01-08
Entry 2019-01-26

A vulnerability has been found that would allow attackers to direct a peer to jump to and execute from an address indicated by the attacker. This issue has been present since v4.2.0. Older releases are not affected.

NOTE: The attacker needs to know in advance valid addresses in the peer's memory to jump to, so measures like ASLR are effective mitigations.

NOTE: this attack can only take place after authentication, so peers behind CURVE/GSSAPI are not vulnerable to unauthenticated attackers.

References

CVE Name CVE-2019-6250
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250
URL https://github.com/zeromq/libzmq/issues/3351
URL https://github.com/zeromq/libzmq/pull/3353
URL https://nvd.nist.gov/vuln/detail/CVE-2019-6250