From a447b2bfa3c2abe8c2db94d81a7d21f2f48d7080 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 21 2020 15:06:03 +0000 Subject: import slirp4netns-1.0.1-1.module+el8.2.1+6595+03641d72 --- diff --git a/.gitignore b/.gitignore index ef31711..a0faec2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/slirp4netns-21fdece.tar.gz +SOURCES/v1.0.1.tar.gz diff --git a/.slirp4netns.metadata b/.slirp4netns.metadata index 7ed4552..4b5a724 100644 --- a/.slirp4netns.metadata +++ b/.slirp4netns.metadata @@ -1 +1 @@ -aa1f45a8411788e9fef6bdd69b2b1608b657a2b1 SOURCES/slirp4netns-21fdece.tar.gz +b44918a95f20af21e3510af604c1d0ccda00c08d SOURCES/v1.0.1.tar.gz diff --git a/SOURCES/slirp4netns-CVE-2020-7039.patch b/SOURCES/slirp4netns-CVE-2020-7039.patch deleted file mode 100644 index 67ac730..0000000 --- a/SOURCES/slirp4netns-CVE-2020-7039.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault -Date: Wed, 8 Jan 2020 00:58:48 +0100 -Subject: [PATCH] tcp_emu: Fix oob access - -The main loop only checks for one available byte, while we sometimes -need two bytes. - -2.24.1 - -From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 9 Jan 2020 15:12:28 +0530 -Subject: [PATCH] slirp: use correct size while emulating commands - -While emulating services in tcp_emu(), it uses 'mbuf' size -'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) -size to avoid possible OOB access. - -Signed-off-by: Prasad J Pandit -Signed-off-by: Samuel Thibault -Message-Id: <20200109094228.79764-3-ppandit@redhat.com> - -2.24.1 - -From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 9 Jan 2020 15:12:27 +0530 -Subject: [PATCH] slirp: use correct size while emulating IRC commands - -While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size -'m->m_size' to write DCC commands via snprintf(3). This may -lead to OOB write access, because 'bptr' points somewhere in -the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) -size to avoid OOB access. - -Reported-by: Vishnu Dev TJ -Signed-off-by: Prasad J Pandit -Reviewed-by: Samuel Thibault -Message-Id: <20200109094228.79764-2-ppandit@redhat.com> - ---- - CHANGELOG.md | 1 + - src/tcp_subr.c | 7 +++++++ - 2 files changed, 8 insertions(+) - -diff -up ./slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039 ./slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c ---- slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039 2020-01-16 11:14:15.356052107 +0100 -+++ slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c 2020-01-16 11:14:15.358052129 +0100 -@@ -692,7 +692,7 @@ int tcp_emu(struct socket *so, struct mb - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size - m->m_len, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, - n5, n6, x == 7 ? buff : ""); - return 1; -@@ -727,8 +727,7 @@ int tcp_emu(struct socket *so, struct mb - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += -- snprintf(bptr, m->m_size - m->m_len, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", - n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - -@@ -754,8 +753,8 @@ int tcp_emu(struct socket *so, struct mb - if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && - (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, - htons(lport), SS_FACCEPTONCE)) != NULL) -- m->m_len = -- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1; -+ m->m_len = snprintf(m->m_data, M_ROOM(m), -+ "%d", ntohs(so->so_fport)) + 1; - return 1; - - case EMU_IRC: -@@ -774,7 +773,8 @@ int tcp_emu(struct socket *so, struct mb - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n", -+ m->m_len += snprintf(bptr, M_FREEROOM(m), -+ "DCC CHAT chat %lu %u%c\n", - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), 1); - } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, -@@ -784,8 +784,8 @@ int tcp_emu(struct socket *so, struct mb - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += -- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), -+ "DCC SEND %s %lu %u %u%c\n", buff, - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); - } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, -@@ -795,8 +795,8 @@ int tcp_emu(struct socket *so, struct mb - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += -- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), -+ "DCC MOVE %s %lu %u %u%c\n", buff, - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); - } -@@ -882,6 +882,9 @@ int tcp_emu(struct socket *so, struct mb - break; - - case 5: -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ -+ - /* - * The difference between versions 1.0 and - * 2.0 is here. For future versions of -@@ -897,6 +900,10 @@ int tcp_emu(struct socket *so, struct mb - /* This is the field containing the port - * number that RA-player is listening to. - */ -+ -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ -+ - lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; - if (lport < 6970) - lport += 256; /* don't know why */ diff --git a/SOURCES/slirp4netns-CVE-2020-8608.patch b/SOURCES/slirp4netns-CVE-2020-8608.patch deleted file mode 100644 index 76450ea..0000000 --- a/SOURCES/slirp4netns-CVE-2020-8608.patch +++ /dev/null @@ -1,255 +0,0 @@ -From 68ccb8021a838066f0951d4b2817eb6b6f10a843 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Mon, 27 Jan 2020 10:24:14 +0100 -Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Various calls to snprintf() assume that snprintf() returns "only" the -number of bytes written (excluding terminating NUL). - -https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 - -"Upon successful completion, the snprintf() function shall return the -number of bytes that would be written to s had n been sufficiently -large excluding the terminating null byte." - -Before patch ce131029, if there isn't enough room in "m_data" for the -"DCC ..." message, we overflow "m_data". - -After the patch, if there isn't enough room for the same, we don't -overflow "m_data", but we set "m_len" out-of-bounds. The next time an -access is bounded by "m_len", we'll have a buffer overflow then. - -Use slirp_fmt*() to fix potential OOB memory access. - -Reported-by: Laszlo Ersek -Signed-off-by: Marc-André Lureau -Reviewed-by: Samuel Thibault -Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com> ---- - src/tcp_subr.c | 44 +++++++++++++++++++++----------------------- - 1 file changed, 21 insertions(+), 23 deletions(-) - -diff -up ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c.CVE-2020-8608 ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c ---- slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c.CVE-2020-8608 2020-02-06 13:31:33.592822770 +0100 -+++ slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c 2020-02-06 13:31:33.594822795 +0100 -@@ -640,8 +640,7 @@ int tcp_emu(struct socket *so, struct mb - NTOHS(n1); - NTOHS(n2); - m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1); -- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); -- assert(m->m_len < M_ROOM(m)); -+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); - } else { - *eol = '\r'; - } -@@ -681,9 +680,9 @@ int tcp_emu(struct socket *so, struct mb - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, -- n5, n6, x == 7 ? buff : ""); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "ORT %d,%d,%d,%d,%d,%d\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { - /* -@@ -716,10 +715,9 @@ int tcp_emu(struct socket *so, struct mb - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -- n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); -- -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } - -@@ -742,8 +740,8 @@ int tcp_emu(struct socket *so, struct mb - if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && - (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, - htons(lport), SS_FACCEPTONCE)) != NULL) -- m->m_len = snprintf(m->m_data, M_ROOM(m), -- "%d", ntohs(so->so_fport)) + 1; -+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), -+ "%d", ntohs(so->so_fport)); - return 1; - - case EMU_IRC: -@@ -762,10 +760,10 @@ int tcp_emu(struct socket *so, struct mb - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC CHAT chat %lu %u%c\n", -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC CHAT chat %lu %u%c\n", -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), 1); - } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, - &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr), -@@ -773,10 +771,10 @@ int tcp_emu(struct socket *so, struct mb - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC SEND %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC SEND %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, - &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr), -@@ -784,10 +782,10 @@ int tcp_emu(struct socket *so, struct mb - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC MOVE %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC MOVE %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } - return 1; - -From 30648c03b27fb8d9611b723184216cd3174b6775 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Mon, 27 Jan 2020 10:24:09 +0100 -Subject: [PATCH] util: add slirp_fmt() helpers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Various calls to snprintf() in libslirp assume that snprintf() returns -"only" the number of bytes written (excluding terminating NUL). - -https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 - -"Upon successful completion, the snprintf() function shall return the -number of bytes that would be written to s had n been sufficiently -large excluding the terminating null byte." - -Introduce slirp_fmt() that handles several pathological cases the -way libslirp usually expect: - -- treat error as fatal (instead of silently returning -1) - -- fmt0() will always \0 end - -- return the number of bytes actually written (instead of what would -have been written, which would usually result in OOB later), including -the ending \0 for fmt0() - -- warn if truncation happened (instead of ignoring) - -Other less common cases can still be handled with strcpy/snprintf() etc. - -Signed-off-by: Marc-André Lureau -Reviewed-by: Samuel Thibault -Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com> ---- - src/util.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - src/util.h | 3 +++ - 2 files changed, 65 insertions(+) - -diff --git a/src/util.c b/src/util.c -index e596087..e3b6257 100644 ---- a/vendor/libslirp/src/util.c -+++ b/vendor/libslirp/src/util.c -@@ -364,3 +364,65 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str) - } - *q = '\0'; - } -+ -+static int slirp_vsnprintf(char *str, size_t size, -+ const char *format, va_list args) -+{ -+ int rv = vsnprintf(str, size, format, args); -+ -+ if (rv < 0) { -+ g_error("vsnprintf() failed: %s", g_strerror(errno)); -+ } -+ -+ return rv; -+} -+ -+/* -+ * A snprintf()-like function that: -+ * - returns the number of bytes written (excluding optional \0-ending) -+ * - dies on error -+ * - warn on truncation -+ */ -+int slirp_fmt(char *str, size_t size, const char *format, ...) -+{ -+ va_list args; -+ int rv; -+ -+ va_start(args, format); -+ rv = slirp_vsnprintf(str, size, format, args); -+ va_end(args); -+ -+ if (rv > size) { -+ g_critical("vsnprintf() truncation"); -+ } -+ -+ return MIN(rv, size); -+} -+ -+/* -+ * A snprintf()-like function that: -+ * - always \0-end (unless size == 0) -+ * - returns the number of bytes actually written, including \0 ending -+ * - dies on error -+ * - warn on truncation -+ */ -+int slirp_fmt0(char *str, size_t size, const char *format, ...) -+{ -+ va_list args; -+ int rv; -+ -+ va_start(args, format); -+ rv = slirp_vsnprintf(str, size, format, args); -+ va_end(args); -+ -+ if (rv >= size) { -+ g_critical("vsnprintf() truncation"); -+ if (size > 0) -+ str[size - 1] = '\0'; -+ rv = size; -+ } else { -+ rv += 1; /* include \0 */ -+ } -+ -+ return rv; -+} -diff --git a/src/util.h b/src/util.h -index e9c3073..5530c46 100644 ---- a/vendor/libslirp/src/util.h -+++ b/vendor/libslirp/src/util.h -@@ -181,4 +181,7 @@ static inline int slirp_socket_set_fast_reuse(int fd) - - void slirp_pstrcpy(char *buf, int buf_size, const char *str); - -+int slirp_fmt(char *str, size_t size, const char *format, ...); -+int slirp_fmt0(char *str, size_t size, const char *format, ...); -+ - #endif --- -2.24.1 - diff --git a/SPECS/slirp4netns.spec b/SPECS/slirp4netns.spec index 95a2fbb..cf2f046 100644 --- a/SPECS/slirp4netns.spec +++ b/SPECS/slirp4netns.spec @@ -1,16 +1,12 @@ %global git0 https://github.com/rootless-containers/%{name} -%global commit0 21fdece2737dc24ffa3f01a341b8a6854f8b13b4 -%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Name: slirp4netns -Version: 0.4.2 -Release: 3.git%{shortcommit0}%{?dist} +Version: 1.0.1 +Release: 1%{?dist} Summary: slirp for network namespaces License: GPLv2 URL: %{git0} -Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz -Patch0: slirp4netns-CVE-2020-7039.patch -Patch1: slirp4netns-CVE-2020-8608.patch +Source0: %{git0}/archive/v%{version}.tar.gz BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc @@ -20,6 +16,7 @@ BuildRequires: go-md2man BuildRequires: libcap-devel BuildRequires: libseccomp-devel BuildRequires: make +BuildRequires: libslirp-devel %description slirp for network namespaces, without copying buffers across the namespaces. @@ -36,7 +33,7 @@ building other packages which use import path with %{import_path} prefix. %prep -%autosetup -Sgit -n %{name}-%{commit0} +%autosetup -Sgit %build ./autogen.sh @@ -58,44 +55,10 @@ make DESTDIR=%{buildroot} install install-man %{_mandir}/man1/%{name}.1.gz %changelog -* Thu Feb 06 2020 Jindrich Novy - 0.4.2-3.git21fdece -- Fix CVE-2020-8608 -- Resolves: #1798979 +* Mon May 11 2020 Jindrich Novy - 1.0.1-1 +- update to https://github.com/rootless-containers/slirp4netns/archive/v1.0.1.tar.gz +- Related: RHELPLAN-39206 -* Thu Jan 16 2020 Jindrich Novy - 0.4.2-2.git21fdece -- Fix CVE-2020-7039. -Resolves: #1791576 - -* Mon Nov 25 2019 Jindrich Novy - 0.4.2-1.git21fdece -- update to latest 0.4.2, fixes bug 1763454 -- Related: RHELPLAN-25139 - -* Thu Oct 31 2019 Jindrich Novy - 0.4.0-2 -- add new BR: libseccomp-devel -- Related: #1766774 - -* Wed Oct 30 2019 Jindrich Novy - 0.4.0-1 -- update to v.0.4.0 -- sync with fedora spec -- drop applied CVE-2019-14378 patch -- Resolves: #1766774 - -* Thu Sep 26 2019 Jindrich Novy - 0.3.0-4 -- Fix CVE-2019-14378 (#1755595). - -* Fri Jun 07 2019 Lokesh Mandvekar - 0.3.0-3 -- Resolves: #1683217 - BR: glib2-devel - -* Fri Jun 07 2019 Lokesh Mandvekar - 0.3.0-2 -- Resolves: #1683217 - bump slirp4netns to v0.3.0 - -* Thu Feb 28 2019 Lokesh Mandvekar - 0.3.0-1.alpha.2.git30883b5 -- bump to v0.3.0-alpha.2 - -* Fri Nov 16 2018 Frantisek Kluknavsky - 0.1-2.dev.gitc4e1bc5 -- changed summary - -* Fri Aug 10 2018 Lokesh Mandvekar - 0.1-1.dev.gitc4e1bc5 -- First package for RHEL 8 -- import from Fedora rawhide -- Exclude ix86 and ppc64 +* Fri Apr 10 2020 Jindrich Novy - 0.4.3-1 +- update to https://github.com/rootless-containers/slirp4netns/archive/v0.4.3.tar.gz +- Related: RHELPLAN-39206