From 511d4a6a57b0c510eb3f3a28d781c807709deca4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 04 2020 23:12:31 +0000 Subject: import slirp4netns-0.4.2-2.git21fdece.module+el8.1.1+5460+3ac089c3 --- diff --git a/.gitignore b/.gitignore index b6b398d..ef31711 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/slirp4netns-4992082.tar.gz +SOURCES/slirp4netns-21fdece.tar.gz diff --git a/.slirp4netns.metadata b/.slirp4netns.metadata index 71f2023..7ed4552 100644 --- a/.slirp4netns.metadata +++ b/.slirp4netns.metadata @@ -1 +1 @@ -77325a3614d2e7a6dbaf5f52d82cb1e67e181cf9 SOURCES/slirp4netns-4992082.tar.gz +aa1f45a8411788e9fef6bdd69b2b1608b657a2b1 SOURCES/slirp4netns-21fdece.tar.gz diff --git a/SOURCES/slirp4netns-CVE-2019-14378.patch b/SOURCES/slirp4netns-CVE-2019-14378.patch deleted file mode 100644 index 3177eb4..0000000 --- a/SOURCES/slirp4netns-CVE-2019-14378.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault -Date: Sun, 28 Jul 2019 19:11:24 +0200 -Subject: [PATCH] Fix heap overflow in ip_reass on big packet input - -When the first fragment does not fit in the preallocated buffer, q will -already be pointing to the ext buffer, so we mustn't try to update it. - -Signed-off-by: Samuel Thibault ---- - src/ip_input.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff -up ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 2019-09-26 11:58:44.898400528 +0200 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c 2019-09-26 11:58:44.899400540 +0200 -@@ -331,6 +331,8 @@ insert: - q = fp->frag_link.next; - m = dtom(slirp, q); - -+ int was_ext = m->m_flags & M_EXT; -+ - q = (struct ipasfrag *) q->ipf_next; - while (q != (struct ipasfrag*)&fp->frag_link) { - struct mbuf *t = dtom(slirp, q); -@@ -353,7 +355,7 @@ insert: - * the old buffer (in the mbuf), so we must point ip - * into the new buffer. - */ -- if (m->m_flags & M_EXT) { -+ if (!was_ext && m->m_flags & M_EXT) { - int delta = (char *)q - m->m_dat; - q = (struct ipasfrag *)(m->m_ext + delta); - } diff --git a/SOURCES/slirp4netns-CVE-2020-7039.patch b/SOURCES/slirp4netns-CVE-2020-7039.patch new file mode 100644 index 0000000..d2f88d5 --- /dev/null +++ b/SOURCES/slirp4netns-CVE-2020-7039.patch @@ -0,0 +1,132 @@ +From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Wed, 8 Jan 2020 00:58:48 +0100 +Subject: [PATCH] tcp_emu: Fix oob access + +The main loop only checks for one available byte, while we sometimes +need two bytes. + +2.24.1 + +From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 9 Jan 2020 15:12:28 +0530 +Subject: [PATCH] slirp: use correct size while emulating commands + +While emulating services in tcp_emu(), it uses 'mbuf' size +'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) +size to avoid possible OOB access. + +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +Message-Id: <20200109094228.79764-3-ppandit@redhat.com> + +2.24.1 + +From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 9 Jan 2020 15:12:27 +0530 +Subject: [PATCH] slirp: use correct size while emulating IRC commands + +While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size +'m->m_size' to write DCC commands via snprintf(3). This may +lead to OOB write access, because 'bptr' points somewhere in +the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) +size to avoid OOB access. + +Reported-by: Vishnu Dev TJ +Signed-off-by: Prasad J Pandit +Reviewed-by: Samuel Thibault +Message-Id: <20200109094228.79764-2-ppandit@redhat.com> + +--- + CHANGELOG.md | 1 + + src/tcp_subr.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff -up ./slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039 ./slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c +--- slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039 2020-01-16 11:14:05.423941479 +0100 ++++ slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c 2020-01-16 11:14:05.425941502 +0100 +@@ -692,7 +692,7 @@ int tcp_emu(struct socket *so, struct mb + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, + n5, n6, x == 7 ? buff : ""); + return 1; +@@ -727,8 +727,7 @@ int tcp_emu(struct socket *so, struct mb + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", + n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + +@@ -754,8 +753,8 @@ int tcp_emu(struct socket *so, struct mb + if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = +- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1; ++ m->m_len = snprintf(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)) + 1; + return 1; + + case EMU_IRC: +@@ -774,7 +773,8 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n", ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, +@@ -784,8 +784,8 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, +@@ -795,8 +795,8 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); + } +@@ -882,6 +882,9 @@ int tcp_emu(struct socket *so, struct mb + break; + + case 5: ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + /* + * The difference between versions 1.0 and + * 2.0 is here. For future versions of +@@ -897,6 +900,10 @@ int tcp_emu(struct socket *so, struct mb + /* This is the field containing the port + * number that RA-player is listening to. + */ ++ ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; + if (lport < 6970) + lport += 256; /* don't know why */ diff --git a/SPECS/slirp4netns.spec b/SPECS/slirp4netns.spec index 11ba4ad..690c90d 100644 --- a/SPECS/slirp4netns.spec +++ b/SPECS/slirp4netns.spec @@ -1,27 +1,27 @@ %global git0 https://github.com/rootless-containers/%{name} -%global commit0 4992082b2af77c09bca6bd8504e2ebfa5e118c18 +%global commit0 21fdece2737dc24ffa3f01a341b8a6854f8b13b4 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Name: slirp4netns -Version: 0.3.0 -Release: 4%{?dist} -# no go-md2man in ix86 -ExcludeArch: %{ix86} +Version: 0.4.2 +Release: 2.git%{shortcommit0}%{?dist} Summary: slirp for network namespaces License: GPLv2 URL: %{git0} Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz -Patch0: slirp4netns-CVE-2019-14378.patch +Patch0: slirp4netns-CVE-2020-7039.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc -BuildRequires: git BuildRequires: glib2-devel +BuildRequires: git BuildRequires: go-md2man +BuildRequires: libcap-devel +BuildRequires: libseccomp-devel BuildRequires: make %description -User-mode networking for unprivileged network namespaces. +slirp for network namespaces, without copying buffers across the namespaces. %package devel Summary: %{summary} @@ -30,7 +30,9 @@ BuildArch: noarch %description devel %{summary} -This package contains the devel files for %{name}. +This package contains library source intended for +building other packages which use import path with +%{import_path} prefix. %prep %autosetup -Sgit -n %{name}-%{commit0} @@ -55,6 +57,22 @@ make DESTDIR=%{buildroot} install install-man %{_mandir}/man1/%{name}.1.gz %changelog +* Thu Jan 16 2020 Jindrich Novy - 0.4.2-2.git21fdece +- Fix CVE-2020-7039. +- Related: RHELPLAN-25138 + +* Mon Nov 25 2019 Jindrich Novy - 0.4.2-1.git21fdece +- update to latest 0.4.2, fixes bug 1763454 +- Related: RHELPLAN-25138 + +* Thu Oct 31 2019 Jindrich Novy - 0.4.0-2 +- add new BR: libseccomp-devel + +* Wed Oct 30 2019 Jindrich Novy - 0.4.0-1 +- update to v.0.4.0 +- sync with fedora spec +- drop applied CVE-2019-14378 patch + * Thu Sep 26 2019 Jindrich Novy - 0.3.0-4 - Fix CVE-2019-14378 (#1755595).