diff --git a/.gitignore b/.gitignore index b6b398d..93bb5e4 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/slirp4netns-4992082.tar.gz +SOURCES/slirp4netns-2244b9b.tar.gz diff --git a/.slirp4netns.metadata b/.slirp4netns.metadata index 71f2023..770e700 100644 --- a/.slirp4netns.metadata +++ b/.slirp4netns.metadata @@ -1 +1 @@ -77325a3614d2e7a6dbaf5f52d82cb1e67e181cf9 SOURCES/slirp4netns-4992082.tar.gz +6138ed71e3430984a7c3e851413f62ad524feadd SOURCES/slirp4netns-2244b9b.tar.gz diff --git a/SOURCES/slirp4netns-CVE-2019-14378.patch b/SOURCES/slirp4netns-CVE-2019-14378.patch deleted file mode 100644 index f9fdd0f..0000000 --- a/SOURCES/slirp4netns-CVE-2019-14378.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault -Date: Sun, 28 Jul 2019 19:11:24 +0200 -Subject: [PATCH] Fix heap overflow in ip_reass on big packet input - -When the first fragment does not fit in the preallocated buffer, q will -already be pointing to the ext buffer, so we mustn't try to update it. - -Signed-off-by: Samuel Thibault ---- - src/ip_input.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff -up ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 2019-09-26 11:57:51.211754081 +0200 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c 2019-09-26 11:57:51.213754105 +0200 -@@ -331,6 +331,8 @@ insert: - q = fp->frag_link.next; - m = dtom(slirp, q); - -+ int was_ext = m->m_flags & M_EXT; -+ - q = (struct ipasfrag *) q->ipf_next; - while (q != (struct ipasfrag*)&fp->frag_link) { - struct mbuf *t = dtom(slirp, q); -@@ -353,7 +355,7 @@ insert: - * the old buffer (in the mbuf), so we must point ip - * into the new buffer. - */ -- if (m->m_flags & M_EXT) { -+ if (!was_ext && m->m_flags & M_EXT) { - int delta = (char *)q - m->m_dat; - q = (struct ipasfrag *)(m->m_ext + delta); - } diff --git a/SOURCES/slirp4netns-CVE-2019-15890.patch b/SOURCES/slirp4netns-CVE-2019-15890.patch deleted file mode 100644 index c28c455..0000000 --- a/SOURCES/slirp4netns-CVE-2019-15890.patch +++ /dev/null @@ -1,40 +0,0 @@ -From c59279437eda91841b9d26079c70b8a540d41204 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault -Date: Mon, 26 Aug 2019 00:55:03 +0200 -Subject: [PATCH] ip_reass: Fix use after free - -Using ip_deq after m_free might read pointers from an allocation reuse. - -This would be difficult to exploit, but that is still related with -CVE-2019-14378 which generates fragmented IP packets that would trigger this -issue and at least produce a DoS. - -Signed-off-by: Samuel Thibault ---- - src/ip_input.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-15890 slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-15890 2020-02-26 14:58:52.081548244 +0100 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c 2020-02-26 15:00:48.144123448 +0100 -@@ -297,6 +297,7 @@ ip_reass(Slirp *slirp, struct ip *ip, st - */ - while (q != (struct ipasfrag*)&fp->frag_link && - ip->ip_off + ip->ip_len > q->ipf_off) { -+ struct ipasfrag *prev; - i = (ip->ip_off + ip->ip_len) - q->ipf_off; - if (i < q->ipf_len) { - q->ipf_len -= i; -@@ -304,9 +305,10 @@ ip_reass(Slirp *slirp, struct ip *ip, st - m_adj(dtom(slirp, q), i); - break; - } -+ prev = q; - q = q->ipf_next; -- m_free(dtom(slirp, q->ipf_prev)); -- ip_deq(q->ipf_prev); -+ ip_deq(prev); -+ m_free(dtom(slirp, prev)); - } - - insert: diff --git a/SOURCES/slirp4netns-CVE-2020-7039.patch b/SOURCES/slirp4netns-CVE-2020-7039.patch index 3ed5218..c1c8eef 100644 --- a/SOURCES/slirp4netns-CVE-2020-7039.patch +++ b/SOURCES/slirp4netns-CVE-2020-7039.patch @@ -44,84 +44,89 @@ Message-Id: <20200109094228.79764-2-ppandit@redhat.com> src/tcp_subr.c | 7 +++++++ 2 files changed, 8 insertions(+) -diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.CVE-2020-7039 slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.CVE-2020-7039 2020-01-16 11:12:46.862064816 +0100 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c 2020-01-16 14:07:45.614874831 +0100 -@@ -709,7 +709,7 @@ tcp_emu(struct socket *so, struct mbuf * - n4 = (laddr & 0xff); +diff -up ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039 ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c +--- slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039 2020-01-16 11:12:50.670108250 +0100 ++++ slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c 2020-01-16 11:12:50.672108272 +0100 +@@ -681,7 +681,7 @@ int tcp_emu(struct socket *so, struct mb + n4 = (laddr & 0xff); - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size - m->m_len, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "ORT %d,%d,%d,%d,%d,%d\r\n%s", - n1, n2, n3, n4, n5, n6, x==7?buff:""); - return 1; -@@ -742,7 +742,7 @@ tcp_emu(struct socket *so, struct mbuf * - n4 = (laddr & 0xff); + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, + n5, n6, x == 7 ? buff : ""); + return 1; +@@ -716,8 +716,7 @@ int tcp_emu(struct socket *so, struct mb + n4 = (laddr & 0xff); - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size - m->m_len, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", - n1, n2, n3, n4, n5, n6, x==7?buff:""); + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", + n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); -@@ -768,8 +768,9 @@ tcp_emu(struct socket *so, struct mbuf * - if (m->m_data[m->m_len-1] == '\0' && lport != 0 && - (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, - htons(lport), SS_FACCEPTONCE)) != NULL) -- m->m_len = snprintf(m->m_data, m->m_size, "%d", -- ntohs(so->so_fport)) + 1; -+ m->m_len = snprintf(m->m_data, M_ROOM(m), -+ "%d", ntohs(so->so_fport)) + 1; -+ - return 1; +@@ -743,8 +742,8 @@ int tcp_emu(struct socket *so, struct mb + if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = +- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1; ++ m->m_len = snprintf(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)) + 1; + return 1; - case EMU_IRC: -@@ -788,7 +789,7 @@ tcp_emu(struct socket *so, struct mbuf * - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "DCC CHAT chat %lu %u%c\n", - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), 1); -@@ -799,7 +800,7 @@ tcp_emu(struct socket *so, struct mbuf * - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "DCC SEND %s %lu %u %u%c\n", buff, - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); -@@ -810,7 +811,7 @@ tcp_emu(struct socket *so, struct mbuf * - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "DCC MOVE %s %lu %u %u%c\n", buff, - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); -@@ -897,6 +898,9 @@ tcp_emu(struct socket *so, struct mbuf * - break; + case EMU_IRC: +@@ -763,7 +762,8 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n", ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, +@@ -773,8 +773,8 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, +@@ -784,8 +784,8 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); + } +@@ -871,6 +871,9 @@ int tcp_emu(struct socket *so, struct mb + break; - case 5: -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ + case 5: ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ + - /* - * The difference between versions 1.0 and - * 2.0 is here. For future versions of -@@ -912,6 +916,10 @@ tcp_emu(struct socket *so, struct mbuf * - /* This is the field containing the port - * number that RA-player is listening to. - */ + /* + * The difference between versions 1.0 and + * 2.0 is here. For future versions of +@@ -886,6 +889,10 @@ int tcp_emu(struct socket *so, struct mb + /* This is the field containing the port + * number that RA-player is listening to. + */ + -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ + - lport = (((uint8_t*)bptr)[0] << 8) - + ((uint8_t *)bptr)[1]; - if (lport < 6970) + lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; + if (lport < 6970) + lport += 256; /* don't know why */ diff --git a/SOURCES/slirp4netns-CVE-2020-7211.patch b/SOURCES/slirp4netns-CVE-2020-7211.patch index 72be1ae..6efa8d2 100644 --- a/SOURCES/slirp4netns-CVE-2020-7211.patch +++ b/SOURCES/slirp4netns-CVE-2020-7211.patch @@ -16,23 +16,22 @@ Message-Id: <20200113121431.156708-1-ppandit@redhat.com> src/tftp.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) -diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c.CVE-2020-7211 slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c.CVE-2020-7211 2020-01-17 08:02:02.837544967 +0100 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c 2020-01-17 08:14:59.569544607 +0100 -@@ -344,9 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp - k += 6; /* skipping octet */ +diff -up ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c.CVE-2020-7211 ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c +--- slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c.CVE-2020-7211 2020-01-17 08:02:07.630600572 +0100 ++++ slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c 2020-01-17 08:02:07.632600595 +0100 +@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp + k += 6; /* skipping octet */ - /* do sanity checks on the filename */ -- if (!strncmp(req_fname, "../", 3) || -- req_fname[strlen(req_fname) - 1] == '/' || -- strstr(req_fname, "/../")) { -+ if ( + /* do sanity checks on the filename */ +- if (!strncmp(req_fname, "../", 3) || +- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) { ++ if ( +#ifdef G_OS_WIN32 -+ strstr(req_fname, "..\\") || -+ req_fname[strlen(req_fname) - 1] == '\\' || ++ strstr(req_fname, "..\\") || ++ req_fname[strlen(req_fname) - 1] == '\\' || +#endif -+ strstr(req_fname, "../") || -+ req_fname[strlen(req_fname) - 1] == '/') { - tftp_send_error(spt, 2, "Access violation", tp); - return; - } ++ strstr(req_fname, "../") || ++ req_fname[strlen(req_fname) - 1] == '/') { + tftp_send_error(spt, 2, "Access violation", tp); + return; + } diff --git a/SOURCES/slirp4netns-CVE-2020-8608.patch b/SOURCES/slirp4netns-CVE-2020-8608.patch index cb58822..76450ea 100644 --- a/SOURCES/slirp4netns-CVE-2020-8608.patch +++ b/SOURCES/slirp4netns-CVE-2020-8608.patch @@ -32,92 +32,101 @@ Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com> src/tcp_subr.c | 44 +++++++++++++++++++++----------------------- 1 file changed, 21 insertions(+), 23 deletions(-) -diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.orig slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c.orig 2020-02-06 14:57:07.786013242 +0100 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tcp_subr.c 2020-02-06 15:14:44.678746260 +0100 -@@ -709,9 +709,9 @@ tcp_emu(struct socket *so, struct mbuf * - n4 = (laddr & 0xff); +diff -up ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c.CVE-2020-8608 ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c +--- slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c.CVE-2020-8608 2020-02-06 13:31:33.592822770 +0100 ++++ slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tcp_subr.c 2020-02-06 13:31:33.594822795 +0100 +@@ -640,8 +640,7 @@ int tcp_emu(struct socket *so, struct mb + NTOHS(n1); + NTOHS(n2); + m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1); +- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); +- assert(m->m_len < M_ROOM(m)); ++ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); + } else { + *eol = '\r'; + } +@@ -681,9 +680,9 @@ int tcp_emu(struct socket *so, struct mb + n4 = (laddr & 0xff); - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "ORT %d,%d,%d,%d,%d,%d\r\n%s", -- n1, n2, n3, n4, n5, n6, x==7?buff:""); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "ORT %d,%d,%d,%d,%d,%d\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { - /* -@@ -742,10 +742,9 @@ tcp_emu(struct socket *so, struct mbuf * - n4 = (laddr & 0xff); + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, +- n5, n6, x == 7 ? buff : ""); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "ORT %d,%d,%d,%d,%d,%d\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + return 1; + } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { + /* +@@ -716,10 +715,9 @@ int tcp_emu(struct socket *so, struct mb + n4 = (laddr & 0xff); - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -- n1, n2, n3, n4, n5, n6, x==7?buff:""); + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", +- n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + return 1; + } -@@ -768,9 +767,8 @@ tcp_emu(struct socket *so, struct mbuf * - if (m->m_data[m->m_len-1] == '\0' && lport != 0 && - (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, - htons(lport), SS_FACCEPTONCE)) != NULL) -- m->m_len = snprintf(m->m_data, M_ROOM(m), -- "%d", ntohs(so->so_fport)) + 1; -- -+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), -+ "%d", ntohs(so->so_fport)); - return 1; +@@ -742,8 +740,8 @@ int tcp_emu(struct socket *so, struct mb + if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = snprintf(m->m_data, M_ROOM(m), +- "%d", ntohs(so->so_fport)) + 1; ++ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)); + return 1; - case EMU_IRC: -@@ -789,10 +787,10 @@ tcp_emu(struct socket *so, struct mbuf * - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC CHAT chat %lu %u%c\n", -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC CHAT chat %lu %u%c\n", -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), 1); - } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, - htonl(laddr), htons(lport), -@@ -800,10 +798,10 @@ tcp_emu(struct socket *so, struct mbuf * - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC SEND %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC SEND %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, - htonl(laddr), htons(lport), -@@ -811,10 +809,10 @@ tcp_emu(struct socket *so, struct mbuf * - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC MOVE %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC MOVE %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } - return 1; + case EMU_IRC: +@@ -762,10 +760,10 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC CHAT chat %lu %u%c\n", +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, + &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr), +@@ -773,10 +771,10 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC SEND %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, + &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr), +@@ -784,10 +782,10 @@ int tcp_emu(struct socket *so, struct mb + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC MOVE %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC MOVE %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } + return 1; From 30648c03b27fb8d9611b723184216cd3174b6775 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= @@ -159,10 +168,11 @@ Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com> src/util.h | 3 +++ 2 files changed, 65 insertions(+) -diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c.orig slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c.orig 2019-03-28 12:45:09.000000000 +0100 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.c 2020-02-06 14:57:07.786013242 +0100 -@@ -366,3 +366,65 @@ void slirp_pstrcpy(char *buf, int buf_si +diff --git a/src/util.c b/src/util.c +index e596087..e3b6257 100644 +--- a/vendor/libslirp/src/util.c ++++ b/vendor/libslirp/src/util.c +@@ -364,3 +364,65 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str) } *q = '\0'; } @@ -228,10 +238,11 @@ diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/uti + + return rv; +} -diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h.orig slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h ---- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h.orig 2019-03-28 12:45:09.000000000 +0100 -+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/util.h 2020-02-06 14:57:07.786013242 +0100 -@@ -172,4 +172,7 @@ static inline int slirp_socket_set_fast_ +diff --git a/src/util.h b/src/util.h +index e9c3073..5530c46 100644 +--- a/vendor/libslirp/src/util.h ++++ b/vendor/libslirp/src/util.h +@@ -181,4 +181,7 @@ static inline int slirp_socket_set_fast_reuse(int fd) void slirp_pstrcpy(char *buf, int buf_size, const char *str); @@ -239,3 +250,6 @@ diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/uti +int slirp_fmt0(char *str, size_t size, const char *format, ...); + #endif +-- +2.24.1 + diff --git a/SPECS/slirp4netns.spec b/SPECS/slirp4netns.spec index 6c26000..cafffc7 100644 --- a/SPECS/slirp4netns.spec +++ b/SPECS/slirp4netns.spec @@ -1,31 +1,29 @@ %global git0 https://github.com/rootless-containers/%{name} -%global commit0 4992082b2af77c09bca6bd8504e2ebfa5e118c18 +%global commit0 2244b9b6461afeccad1678fac3d6e478c28b4ad6 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Name: slirp4netns -Version: 0.3.0 -Release: 8%{?dist} +Version: 0.4.3 +Release: 4%{?dist} Summary: slirp for network namespaces License: GPLv2 URL: %{git0} Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz -Patch0: slirp4netns-CVE-2019-14378.patch -Patch1: slirp4netns-CVE-2020-7039.patch -Patch2: slirp4netns-CVE-2020-7211.patch -Patch3: slirp4netns-CVE-2020-8608.patch -# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15890 -# backported: https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204.patch -Patch4: slirp4netns-CVE-2019-15890.patch +Patch0: slirp4netns-CVE-2020-7039.patch +Patch1: slirp4netns-CVE-2020-7211.patch +Patch2: slirp4netns-CVE-2020-8608.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc -BuildRequires: git BuildRequires: glib2-devel +BuildRequires: git BuildRequires: go-md2man +BuildRequires: libcap-devel +BuildRequires: libseccomp-devel BuildRequires: make %description -User-mode networking for unprivileged network namespaces. +slirp for network namespaces, without copying buffers across the namespaces. %package devel Summary: %{summary} @@ -61,24 +59,21 @@ make DESTDIR=%{buildroot} install install-man %{_mandir}/man1/%{name}.1.gz %changelog -* Wed Feb 26 2020 Jindrich Novy - 0.3.0-8 -- fix "CVE-2019-15890 QEMU: Slirp: use-after-free during packet reassembly" -- Resolves: #1755596 - -* Thu Feb 06 2020 Jindrich Novy - 0.3.0-7 -- backport the patch for CVE-2020-8608 to 0.3.0 (#1798975) +* Thu Feb 06 2020 Jindrich Novy - 0.4.3-4 +- Fix CVE-2020-8608 (#1798976). -* Thu Feb 06 2020 Jindrich Novy - 0.3.0-6 -- Add missing hunks to patch for CVE-2020-8608 (#1798975) +* Fri Jan 17 2020 Jindrich Novy - 0.4.3-3 +- Fix CVE-2020-7211 (#1792150). -* Thu Feb 06 2020 Jindrich Novy - 0.3.0-5 -- Fix CVE-2020-8608 (#1798975) +* Thu Jan 16 2020 Jindrich Novy - 0.4.3-2 +- Fix CVE-2020-7039 (#1791573). -* Fri Jan 17 2020 Jindrich Novy - 0.3.0-4 -- Backport fix for CVE-2020-7211 (#1792150). +* Wed Dec 18 2019 Jindrich Novy - 0.4.3-1 +- update to 0.4.3 -* Thu Jan 16 2020 Jindrich Novy - 0.3.0-3 -- Backport fix for CVE-2020-7039 (#1791572) +* Tue Dec 03 2019 Jindrich Novy - 0.4.2-1.git21fdece +- update to 0.4.2 +- Related: RHELPLAN-26239 * Thu Sep 26 2019 Jindrich Novy - 0.3.0-2 - Fix CVE-2019-14378 (#1755592).