diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9687785
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libslirp-4.3.0.tar.xz
diff --git a/.libslirp.metadata b/.libslirp.metadata
new file mode 100644
index 0000000..01065a1
--- /dev/null
+++ b/.libslirp.metadata
@@ -0,0 +1 @@
+09f0c96d08a37a21eda73f4df8fb81a321361ad4 SOURCES/libslirp-4.3.0.tar.xz
diff --git a/SOURCES/libslirp-coverity.patch b/SOURCES/libslirp-coverity.patch
new file mode 100644
index 0000000..9f3f65d
--- /dev/null
+++ b/SOURCES/libslirp-coverity.patch
@@ -0,0 +1,191 @@
+From 0b83636e914a894b324836e3fb2f20a2f7599fc4 Mon Sep 17 00:00:00 2001
+From: Jindrich Novy
+Date: Wed, 27 May 2020 11:01:02 +0200
+Subject: [PATCH] Fix possible infinite loops and use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Error: USE_AFTER_FREE (CWE-416): [#def1]
+libslirp-4.3.0/src/ip_icmp.c:79: freed_arg: "icmp_detach" frees "slirp->icmp.so_next".
+libslirp-4.3.0/src/ip_icmp.c:79: deref_arg: Calling "icmp_detach" dereferences freed pointer "slirp->icmp.so_next".
+ 77| {
+ 78| while (slirp->icmp.so_next != &slirp->icmp) {
+ 79|-> icmp_detach(slirp->icmp.so_next);
+ 80| }
+ 81| }
+
+Error: USE_AFTER_FREE (CWE-416): [#def27]
+libslirp-4.3.0/src/udp.c:56: freed_arg: "udp_detach" frees "slirp->udb.so_next".
+libslirp-4.3.0/src/udp.c:56: deref_arg: Calling "udp_detach" dereferences freed pointer "slirp->udb.so_next".
+ 54| {
+ 55| while (slirp->udb.so_next != &slirp->udb) {
+ 56|-> udp_detach(slirp->udb.so_next);
+ 57| }
+ 58| }
+
+Signed-off-by: Jindrich Novy
+Reviewed-by: Marc-André Lureau
+---
+ src/ip_icmp.c | 7 +++++--
+ src/udp.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/ip_icmp.c b/src/ip_icmp.c
+index fe0add4..7533595 100644
+--- libslirp-4.3.0/src/ip_icmp.c
++++ libslirp-4.3.0/src/ip_icmp.c
+@@ -75,8 +75,11 @@ void icmp_init(Slirp *slirp)
+ 
+ void icmp_cleanup(Slirp *slirp)
+ {
+- while (slirp->icmp.so_next != &slirp->icmp) {
+- icmp_detach(slirp->icmp.so_next);
++ struct socket *so, *so_next;
++
++ for (so = slirp->icmp.so_next; so != &slirp->icmp; so = so_next) {
++ so_next = so->so_next;
++ icmp_detach(so);
+ }
+ }
+ 
+diff --git a/src/udp.c b/src/udp.c
+index 6bde20f..9ed1e74 100644
+--- libslirp-4.3.0/src/udp.c
++++ libslirp-4.3.0/src/udp.c
+@@ -52,7 +52,10 @@ void udp_init(Slirp *slirp)
+ 
+ void udp_cleanup(Slirp *slirp)
+ {
+- while (slirp->udb.so_next != &slirp->udb) {
++ struct socket *so, *so_next;
++
++ for (so = slirp->udb.so_next; so != &slirp->udb; so = so_next) {
++ so_next = so->so_next;
+ udp_detach(slirp->udb.so_next);
+ }
+ }
+-- 
+2.26.2
+
+From 2d79c0b7d78e55624790a102fbd924a4259eef16 Mon Sep 17 00:00:00 2001
+From: Jindrich Novy
+Date: Wed, 27 May 2020 11:07:19 +0200
+Subject: [PATCH] Use secure string copy to avoid overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Error: STRING_OVERFLOW (CWE-120): [#def2]
+libslirp-4.3.0/src/ip_icmp.c:277: fixed_size_dest: You might overrun the 20-character fixed-size string "bufa" by copying the return value of "inet_ntoa" without checking the length.
+ 275| if (slirp_debug & DBG_MISC) {
+ 276| char bufa[20], bufb[20];
+ 277|-> strcpy(bufa, inet_ntoa(ip->ip_src));
+ 278| strcpy(bufb, inet_ntoa(ip->ip_dst));
+ 279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
+
+Error: STRING_OVERFLOW (CWE-120): [#def3]
+libslirp-4.3.0/src/ip_icmp.c:278: fixed_size_dest: You might overrun the 20-character fixed-size string "bufb" by copying the return value of "inet_ntoa" without checking the length.
+ 276| char bufa[20], bufb[20];
+ 277| strcpy(bufa, inet_ntoa(ip->ip_src));
+ 278|-> strcpy(bufb, inet_ntoa(ip->ip_dst));
+ 279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
+ 280| }
+
+Signed-off-by: Jindrich Novy
+Reviewed-by: Marc-André Lureau
+---
+ src/ip_icmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ip_icmp.c b/src/ip_icmp.c
+index 7533595..13a0e55 100644
+--- libslirp-4.3.0/src/ip_icmp.c
++++ libslirp-4.3.0/src/ip_icmp.c
+@@ -277,8 +277,8 @@ void icmp_send_error(struct mbuf *msrc, uint8_t type, uint8_t code, int minsize,
+ ip = mtod(msrc, struct ip *);
+ if (slirp_debug & DBG_MISC) {
+ char bufa[20], bufb[20];
+- strcpy(bufa, inet_ntoa(ip->ip_src));
+- strcpy(bufb, inet_ntoa(ip->ip_dst));
++ slirp_pstrcpy(bufa, sizeof(bufa), inet_ntoa(ip->ip_src));
++ slirp_pstrcpy(bufb, sizeof(bufb), inet_ntoa(ip->ip_dst));
+ DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
+ }
+ if (ip->ip_off & IP_OFFMASK)
+-- 
+2.26.2
+
+From 961a676e93fe7d599d3856e63bd132fe0d2decb2 Mon Sep 17 00:00:00 2001
+From: Jindrich Novy
+Date: Wed, 27 May 2020 11:16:57 +0200
+Subject: [PATCH] Check lseek() for failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Error: CHECKED_RETURN (CWE-252): [#def26]
+libslirp-4.3.0/src/tftp.c:121: check_return: Calling "lseek(spt->fd, block_nr * spt->block_size, 0)" without checking return value. This library function may fail and return an error code.
+ 119|
+ 120| if (len) {
+ 121|-> lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
+ 122|
+ 123| bytes_read = read(spt->fd, buf, len);
+
+Signed-off-by: Jindrich Novy
+Reviewed-by: Marc-André Lureau
+---
+ src/tftp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/tftp.c b/src/tftp.c
+index c209145..c6950ee 100644
+--- libslirp-4.3.0/src/tftp.c
++++ libslirp-4.3.0/src/tftp.c
+@@ -118,7 +118,9 @@ static int tftp_read_data(struct tftp_session *spt, uint32_t block_nr,
+ }
+ 
+ if (len) {
+- lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
++ if (lseek(spt->fd, block_nr * spt->block_size, SEEK_SET) == (off_t)-1) {
++ return -1;
++ }
+ 
+ bytes_read = read(spt->fd, buf, len);
+ }
+-- 
+2.26.2
+
+From b0fc01a6b8cf6a50a1af69845cca692cc42dd970 Mon Sep 17 00:00:00 2001
+From: Jindrich Novy
+Date: Wed, 27 May 2020 11:18:36 +0200
+Subject: [PATCH] Be sure to initialize sockaddr structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Error: UNINIT (CWE-457): [#def30]
+libslirp-4.3.0/src/udp.c:325: var_decl: Declaring variable "addr" without initializer.
+libslirp-4.3.0/src/udp.c:342: uninit_use_in_call: Using uninitialized value "addr". Field "addr.sin_zero" is uninitialized when calling "bind".
+
+Signed-off-by: Jindrich Novy
+Reviewed-by: Marc-André Lureau
+---
+ src/udp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/udp.c b/src/udp.c
+index 9ed1e74..0ad44d7 100644
+--- libslirp-4.3.0/src/udp.c
++++ libslirp-4.3.0/src/udp.c
+@@ -329,6 +329,7 @@ struct socket *udp_listen(Slirp *slirp, uint32_t haddr, unsigned hport,
+ struct socket *so;
+ socklen_t addrlen = sizeof(struct sockaddr_in);
+ 
++ memset(&addr, 0, sizeof(addr));
+ so = socreate(slirp);
+ so->s = slirp_socket(AF_INET, SOCK_DGRAM, 0);
+ if (so->s < 0) {
+-- 
+2.26.2
+
diff --git a/SPECS/libslirp.spec b/SPECS/libslirp.spec
new file mode 100644
index 0000000..cda3fe8
--- /dev/null
+++ b/SPECS/libslirp.spec
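Review bot: In the udp_cleanup hunk of the embedded patch the loop body still calls `udp_detach(slirp->udb.so_next)` while the matching icmp_cleanup hunk calls `icmp_detach(so)`; the new `so` is read only to compute `so_next`, and the traversal stays correct only as long as every udp_detach unlinks exactly the list head's successor. Passing the iterator instead, `udp_detach(so);`, makes the loop self-contained and consistent with the icmp fix. In the tftp hunk the seek offset `block_nr * spt->block_size` is still multiplied in the operands' own type before it becomes an off_t, and block_nr is uint32_t per the hunk header, so if block_size is not wider than 32 bits the product can wrap to a small offset rather than make lseek fail; block_size's declaration is outside the hunk, so confirm its type or widen first with `(off_t)block_nr * spt->block_size`. tftp_read_data's callers are also outside the hunk, so whether they treat the new -1 return as an error cannot be checked here.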
@@ -0,0 +1,89 @@
+Name: libslirp
+Version: 4.3.0
+Release: 3%{?dist}
+Summary: A general purpose TCP-IP emulator
+
+# check the SPDX tags in source files for details
+License: BSD and MIT
+URL: https://gitlab.freedesktop.org/slirp/%{name}
+Source0: %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1823657
+# backported: https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/41
+Patch0: libslirp-coverity.patch
+
+BuildRequires: git-core
+BuildRequires: meson
+BuildRequires: gcc
+BuildRequires: glib2-devel
+
+%description
+A general purpose TCP-IP emulator used by virtual machine hypervisors
+to provide virtual networking services.
+
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+
+%prep
+%autosetup -S git_am
+
+%build
+%meson
+%meson_build
+
+
+%install
+%meson_install
+
+
+%files
+%license COPYRIGHT
+%doc README.md CHANGELOG.md
+%{_libdir}/%{name}.so.0*
+
+%files devel
+%dir %{_includedir}/slirp/
+%{_includedir}/slirp/*
+%{_libdir}/%{name}.so
+%{_libdir}/pkgconfig/slirp.pc
+
+
+%changelog
+* Thu May 28 2020 Jindrich Novy - 4.3.0-3
+- fix static analysis issues merged upstream
+ (https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/41)
+- Related: #1823657
+
+* Mon May 11 2020 Jindrich Novy - 4.3.0-2
+- initial libslirp build for container-tools 8.2.1 module
+- Resolves: #1823657
+
+* Thu Apr 23 2020 Marc-André Lureau - 4.3.0-1
+- New v4.3.0 release
+
+* Mon Apr 20 2020 Marc-André Lureau - 4.2.0-2
+- CVE-2020-1983 fix
+
+* Tue Mar 17 2020 Marc-André Lureau - 4.2.0-1
+- New v4.2.0 release
+
+* Wed Jan 29 2020 Fedora Release Engineering - 4.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Dec 03 2019 Marc-André Lureau - 4.1.0-1
+- New v4.1.0 release
+
+* Fri Aug 2 2019 Marc-André Lureau - 4.0.0-3
+- Fix CVE-2019-14378, rhbz#1735654
+
+* Thu Jul 25 2019 Fedora Release Engineering - 4.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed May 22 2019 Marc-André Lureau - 4.0.0-1
+- Initial package, rhbz#1712980