CVE-2019-13132

In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

References

Affected packages

Git / github.com/zeromq/libzmq

Affected ranges

Type: GIT
Repo: https://github.com/zeromq/libzmq
Events: Introduced

097bf26e8dacf73abc2a6cdd6f9e4dce824b8208

Fixed

a84ffa12b2eb3569ced199660bac5ad128bff1f0

Introduced

3aa5a9d409c9d93fd9a984f6d1221ca596eae659

Fixed

c9894a493dd4a460d6a109a017609925ce589e31

Affected versions

v4.*

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.3.0

v4.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13132.json"

Git / gitlab.com/libtiff/libtiff

Affected ranges

Type: GIT
Repo: https://gitlab.com/libtiff/libtiff
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

020bd2fd3b4235b2175dafa9633d2b191c50e7cd

Affected versions

v3.*

v3.5.3

v3.5.4

v3.5.5

v3.5.7

v3.6.0

v3.6.0beta2

v3.6.1

v3.7.0

v3.7.0alpha

v3.7.0beta

v3.7.0beta2

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.8.0

v3.8.1

v3.8.2

v4.*

v4.0.0

v4.0.0alpha

v4.0.0alpha4

v4.0.0alpha5

v4.0.0alpha6

v4.0.0beta7

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.4beta

v4.0.5

v4.0.6

v4.0.7

v4.0.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13132.json"