From 8cd64cd224d77ffc40c2e9eba07475e6869c3a47 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 17 2020 17:41:18 +0000 Subject: import slirp4netns-0.3.0-8.el7_7 --- diff --git a/SOURCES/slirp4netns-CVE-2019-14378.patch b/SOURCES/slirp4netns-CVE-2019-14378.patch new file mode 100644 index 0000000..f9fdd0f --- /dev/null +++ b/SOURCES/slirp4netns-CVE-2019-14378.patch @@ -0,0 +1,34 @@ +From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Sun, 28 Jul 2019 19:11:24 +0200 +Subject: [PATCH] Fix heap overflow in ip_reass on big packet input + +When the first fragment does not fit in the preallocated buffer, q will +already be pointing to the ext buffer, so we mustn't try to update it. + +Signed-off-by: Samuel Thibault +--- + src/ip_input.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff -up ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c +--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 2019-09-26 11:57:51.211754081 +0200 ++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c 2019-09-26 11:57:51.213754105 +0200 +@@ -331,6 +331,8 @@ insert: + q = fp->frag_link.next; + m = dtom(slirp, q); + ++ int was_ext = m->m_flags & M_EXT; ++ + q = (struct ipasfrag *) q->ipf_next; + while (q != (struct ipasfrag*)&fp->frag_link) { + struct mbuf *t = dtom(slirp, q); +@@ -353,7 +355,7 @@ insert: + * the old buffer (in the mbuf), so we must point ip + * into the new buffer. + */ +- if (m->m_flags & M_EXT) { ++ if (!was_ext && m->m_flags & M_EXT) { + int delta = (char *)q - m->m_dat; + q = (struct ipasfrag *)(m->m_ext + delta); + } diff --git a/SOURCES/slirp4netns-CVE-2019-15890.patch b/SOURCES/slirp4netns-CVE-2019-15890.patch new file mode 100644 index 0000000..c28c455 --- /dev/null +++ b/SOURCES/slirp4netns-CVE-2019-15890.patch @@ -0,0 +1,40 @@ +From c59279437eda91841b9d26079c70b8a540d41204 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Mon, 26 Aug 2019 00:55:03 +0200 +Subject: [PATCH] ip_reass: Fix use after free + +Using ip_deq after m_free might read pointers from an allocation reuse. + +This would be difficult to exploit, but that is still related with +CVE-2019-14378 which generates fragmented IP packets that would trigger this +issue and at least produce a DoS. + +Signed-off-by: Samuel Thibault +--- + src/ip_input.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-15890 slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c +--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-15890 2020-02-26 14:58:52.081548244 +0100 ++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c 2020-02-26 15:00:48.144123448 +0100 +@@ -297,6 +297,7 @@ ip_reass(Slirp *slirp, struct ip *ip, st + */ + while (q != (struct ipasfrag*)&fp->frag_link && + ip->ip_off + ip->ip_len > q->ipf_off) { ++ struct ipasfrag *prev; + i = (ip->ip_off + ip->ip_len) - q->ipf_off; + if (i < q->ipf_len) { + q->ipf_len -= i; +@@ -304,9 +305,10 @@ ip_reass(Slirp *slirp, struct ip *ip, st + m_adj(dtom(slirp, q), i); + break; + } ++ prev = q; + q = q->ipf_next; +- m_free(dtom(slirp, q->ipf_prev)); +- ip_deq(q->ipf_prev); ++ ip_deq(prev); ++ m_free(dtom(slirp, prev)); + } + + insert: diff --git a/SOURCES/slirp4netns-CVE-2020-7039.patch b/SOURCES/slirp4netns-CVE-2020-7039.patch new file mode 100644 index 0000000..3ed5218 --- /dev/null +++ b/SOURCES/slirp4netns-CVE-2020-7039.patch @@ -0,0 +1,127 @@ +From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Wed, 8 Jan 2020 00:58:48 +0100 +Subject: [PATCH] tcp_emu: Fix oob access + +The main loop only checks for one available byte, while we sometimes +need two bytes. + +2.24.1 + +From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 9 Jan 2020 15:12:28 +0530 +Subject: [PATCH] slirp: use correct size while emulating commands + +While emulating services in tcp_emu(), it uses 'mbuf' size +'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) +size to avoid possible OOB access. + +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +Message-Id: <20200109094228.79764-3-ppandit@redhat.com> + +2.24.1 + +From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 9 Jan 2020 15:12:27 +0530 +Subject: [PATCH] slirp: use correct size while emulating IRC commands + +While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size +'m->m_size' to write DCC commands via snprintf(3). This may +lead to OOB write access, because 'bptr' points somewhere in +the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) +size to avoid OOB access. + +Reported-by: Vishnu Dev TJ +Signed-off-by: Prasad J Pandit +Reviewed-by: Samuel Thibault +Message-Id: <20200109094228.79764-2-ppandit@redhat.com> + +--- + CHANGELOG.md | 1 + + src/tcp_subr.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.CVE-2020-7039 slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c +--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.CVE-2020-7039 2020-01-16 11:12:46.862064816 +0100 ++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c 2020-01-16 14:07:45.614874831 +0100 +@@ -709,7 +709,7 @@ tcp_emu(struct socket *so, struct mbuf * + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "ORT %d,%d,%d,%d,%d,%d\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); + return 1; +@@ -742,7 +742,7 @@ tcp_emu(struct socket *so, struct mbuf * + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); + +@@ -768,8 +768,9 @@ tcp_emu(struct socket *so, struct mbuf * + if (m->m_data[m->m_len-1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = snprintf(m->m_data, m->m_size, "%d", +- ntohs(so->so_fport)) + 1; ++ m->m_len = snprintf(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)) + 1; ++ + return 1; + + case EMU_IRC: +@@ -788,7 +789,7 @@ tcp_emu(struct socket *so, struct mbuf * + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); +@@ -799,7 +800,7 @@ tcp_emu(struct socket *so, struct mbuf * + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); +@@ -810,7 +811,7 @@ tcp_emu(struct socket *so, struct mbuf * + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); +@@ -897,6 +898,9 @@ tcp_emu(struct socket *so, struct mbuf * + break; + + case 5: ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + /* + * The difference between versions 1.0 and + * 2.0 is here. For future versions of +@@ -912,6 +916,10 @@ tcp_emu(struct socket *so, struct mbuf * + /* This is the field containing the port + * number that RA-player is listening to. + */ ++ ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + lport = (((uint8_t*)bptr)[0] << 8) + + ((uint8_t *)bptr)[1]; + if (lport < 6970) diff --git a/SOURCES/slirp4netns-CVE-2020-7211.patch b/SOURCES/slirp4netns-CVE-2020-7211.patch new file mode 100644 index 0000000..72be1ae --- /dev/null +++ b/SOURCES/slirp4netns-CVE-2020-7211.patch @@ -0,0 +1,38 @@ +From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 13 Jan 2020 17:44:31 +0530 +Subject: [PATCH] slirp: tftp: restrict relative path access + +tftp restricts relative or directory path access on Linux systems. +Apply same restrictions on Windows systems too. It helps to avoid +directory traversal issue. + +Fixes: https://bugs.launchpad.net/qemu/+bug/1812451 +Reported-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Reviewed-by: Samuel Thibault +Message-Id: <20200113121431.156708-1-ppandit@redhat.com> +--- + src/tftp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c.CVE-2020-7211 slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c +--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c.CVE-2020-7211 2020-01-17 08:02:02.837544967 +0100 ++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c 2020-01-17 08:14:59.569544607 +0100 +@@ -344,9 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp + k += 6; /* skipping octet */ + + /* do sanity checks on the filename */ +- if (!strncmp(req_fname, "../", 3) || +- req_fname[strlen(req_fname) - 1] == '/' || +- strstr(req_fname, "/../")) { ++ if ( ++#ifdef G_OS_WIN32 ++ strstr(req_fname, "..\\") || ++ req_fname[strlen(req_fname) - 1] == '\\' || ++#endif ++ strstr(req_fname, "../") || ++ req_fname[strlen(req_fname) - 1] == '/') { + tftp_send_error(spt, 2, "Access violation", tp); + return; + } diff --git a/SOURCES/slirp4netns-CVE-2020-8608.patch b/SOURCES/slirp4netns-CVE-2020-8608.patch new file mode 100644 index 0000000..cb58822 --- /dev/null +++ b/SOURCES/slirp4netns-CVE-2020-8608.patch @@ -0,0 +1,241 @@ +From 68ccb8021a838066f0951d4b2817eb6b6f10a843 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 27 Jan 2020 10:24:14 +0100 +Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Various calls to snprintf() assume that snprintf() returns "only" the +number of bytes written (excluding terminating NUL). + +https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 + +"Upon successful completion, the snprintf() function shall return the +number of bytes that would be written to s had n been sufficiently +large excluding the terminating null byte." + +Before patch ce131029, if there isn't enough room in "m_data" for the +"DCC ..." message, we overflow "m_data". + +After the patch, if there isn't enough room for the same, we don't +overflow "m_data", but we set "m_len" out-of-bounds. The next time an +access is bounded by "m_len", we'll have a buffer overflow then. + +Use slirp_fmt*() to fix potential OOB memory access. + +Reported-by: Laszlo Ersek +Signed-off-by: Marc-André Lureau +Reviewed-by: Samuel Thibault +Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com> +--- + src/tcp_subr.c | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.orig slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c +--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.orig 2020-02-06 14:57:07.786013242 +0100 ++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c 2020-02-06 15:14:44.678746260 +0100 +@@ -709,9 +709,9 @@ tcp_emu(struct socket *so, struct mbuf * + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "ORT %d,%d,%d,%d,%d,%d\r\n%s", +- n1, n2, n3, n4, n5, n6, x==7?buff:""); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "ORT %d,%d,%d,%d,%d,%d\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + return 1; + } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { + /* +@@ -742,10 +742,9 @@ tcp_emu(struct socket *so, struct mbuf * + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", +- n1, n2, n3, n4, n5, n6, x==7?buff:""); +- ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + return 1; + } + +@@ -768,9 +767,8 @@ tcp_emu(struct socket *so, struct mbuf * + if (m->m_data[m->m_len-1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = snprintf(m->m_data, M_ROOM(m), +- "%d", ntohs(so->so_fport)) + 1; +- ++ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)); + return 1; + + case EMU_IRC: +@@ -789,10 +787,10 @@ tcp_emu(struct socket *so, struct mbuf * + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC CHAT chat %lu %u%c\n", +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, + htonl(laddr), htons(lport), +@@ -800,10 +798,10 @@ tcp_emu(struct socket *so, struct mbuf * + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC SEND %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, + htonl(laddr), htons(lport), +@@ -811,10 +809,10 @@ tcp_emu(struct socket *so, struct mbuf * + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC MOVE %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC MOVE %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } + return 1; + +From 30648c03b27fb8d9611b723184216cd3174b6775 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 27 Jan 2020 10:24:09 +0100 +Subject: [PATCH] util: add slirp_fmt() helpers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Various calls to snprintf() in libslirp assume that snprintf() returns +"only" the number of bytes written (excluding terminating NUL). + +https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 + +"Upon successful completion, the snprintf() function shall return the +number of bytes that would be written to s had n been sufficiently +large excluding the terminating null byte." + +Introduce slirp_fmt() that handles several pathological cases the +way libslirp usually expect: + +- treat error as fatal (instead of silently returning -1) + +- fmt0() will always \0 end + +- return the number of bytes actually written (instead of what would +have been written, which would usually result in OOB later), including +the ending \0 for fmt0() + +- warn if truncation happened (instead of ignoring) + +Other less common cases can still be handled with strcpy/snprintf() etc. + +Signed-off-by: Marc-André Lureau +Reviewed-by: Samuel Thibault +Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com> +--- + src/util.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/util.h | 3 +++ + 2 files changed, 65 insertions(+) + +diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c.orig slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c +--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c.orig 2019-03-28 12:45:09.000000000 +0100 ++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c 2020-02-06 14:57:07.786013242 +0100 +@@ -366,3 +366,65 @@ void slirp_pstrcpy(char *buf, int buf_si + } + *q = '\0'; + } ++ ++static int slirp_vsnprintf(char *str, size_t size, ++ const char *format, va_list args) ++{ ++ int rv = vsnprintf(str, size, format, args); ++ ++ if (rv < 0) { ++ g_error("vsnprintf() failed: %s", g_strerror(errno)); ++ } ++ ++ return rv; ++} ++ ++/* ++ * A snprintf()-like function that: ++ * - returns the number of bytes written (excluding optional \0-ending) ++ * - dies on error ++ * - warn on truncation ++ */ ++int slirp_fmt(char *str, size_t size, const char *format, ...) ++{ ++ va_list args; ++ int rv; ++ ++ va_start(args, format); ++ rv = slirp_vsnprintf(str, size, format, args); ++ va_end(args); ++ ++ if (rv > size) { ++ g_critical("vsnprintf() truncation"); ++ } ++ ++ return MIN(rv, size); ++} ++ ++/* ++ * A snprintf()-like function that: ++ * - always \0-end (unless size == 0) ++ * - returns the number of bytes actually written, including \0 ending ++ * - dies on error ++ * - warn on truncation ++ */ ++int slirp_fmt0(char *str, size_t size, const char *format, ...) ++{ ++ va_list args; ++ int rv; ++ ++ va_start(args, format); ++ rv = slirp_vsnprintf(str, size, format, args); ++ va_end(args); ++ ++ if (rv >= size) { ++ g_critical("vsnprintf() truncation"); ++ if (size > 0) ++ str[size - 1] = '\0'; ++ rv = size; ++ } else { ++ rv += 1; /* include \0 */ ++ } ++ ++ return rv; ++} +diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h.orig slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h +--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h.orig 2019-03-28 12:45:09.000000000 +0100 ++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h 2020-02-06 14:57:07.786013242 +0100 +@@ -172,4 +172,7 @@ static inline int slirp_socket_set_fast_ + + void slirp_pstrcpy(char *buf, int buf_size, const char *str); + ++int slirp_fmt(char *str, size_t size, const char *format, ...); ++int slirp_fmt0(char *str, size_t size, const char *format, ...); ++ + #endif diff --git a/SPECS/slirp4netns.spec b/SPECS/slirp4netns.spec index 863d37b..6c26000 100644 --- a/SPECS/slirp4netns.spec +++ b/SPECS/slirp4netns.spec @@ -4,11 +4,18 @@ Name: slirp4netns Version: 0.3.0 -Release: 1%{?dist} +Release: 8%{?dist} Summary: slirp for network namespaces License: GPLv2 URL: %{git0} Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +Patch0: slirp4netns-CVE-2019-14378.patch +Patch1: slirp4netns-CVE-2020-7039.patch +Patch2: slirp4netns-CVE-2020-7211.patch +Patch3: slirp4netns-CVE-2020-8608.patch +# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15890 +# backported: https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204.patch +Patch4: slirp4netns-CVE-2019-15890.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc @@ -54,6 +61,28 @@ make DESTDIR=%{buildroot} install install-man %{_mandir}/man1/%{name}.1.gz %changelog +* Wed Feb 26 2020 Jindrich Novy - 0.3.0-8 +- fix "CVE-2019-15890 QEMU: Slirp: use-after-free during packet reassembly" +- Resolves: #1755596 + +* Thu Feb 06 2020 Jindrich Novy - 0.3.0-7 +- backport the patch for CVE-2020-8608 to 0.3.0 (#1798975) + +* Thu Feb 06 2020 Jindrich Novy - 0.3.0-6 +- Add missing hunks to patch for CVE-2020-8608 (#1798975) + +* Thu Feb 06 2020 Jindrich Novy - 0.3.0-5 +- Fix CVE-2020-8608 (#1798975) + +* Fri Jan 17 2020 Jindrich Novy - 0.3.0-4 +- Backport fix for CVE-2020-7211 (#1792150). + +* Thu Jan 16 2020 Jindrich Novy - 0.3.0-3 +- Backport fix for CVE-2020-7039 (#1791572) + +* Thu Sep 26 2019 Jindrich Novy - 0.3.0-2 +- Fix CVE-2019-14378 (#1755592). + * Sat Jun 08 2019 Lokesh Mandvekar - 0.3.0-1 - bump to latest upstream release