diff --git a/.gitignore b/.gitignore
index 85cb472..b6b398d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/slirp4netns-c4e1bc5.tar.gz
+SOURCES/slirp4netns-4992082.tar.gz
diff --git a/.slirp4netns.metadata b/.slirp4netns.metadata
index 04c495f..71f2023 100644
--- a/.slirp4netns.metadata
+++ b/.slirp4netns.metadata
@@ -1 +1 @@
-c80717510d48cfe56eec27e93a4fe92182faca0b SOURCES/slirp4netns-c4e1bc5.tar.gz
+77325a3614d2e7a6dbaf5f52d82cb1e67e181cf9 SOURCES/slirp4netns-4992082.tar.gz
diff --git a/SOURCES/slirp4netns-CVE-2019-14378.patch b/SOURCES/slirp4netns-CVE-2019-14378.patch
new file mode 100644
index 0000000..3177eb4
--- /dev/null
+++ b/SOURCES/slirp4netns-CVE-2019-14378.patch
@@ -0,0 +1,34 @@
+From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Sun, 28 Jul 2019 19:11:24 +0200
+Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
+
+When the first fragment does not fit in the preallocated buffer, q will
+already be pointing to the ext buffer, so we mustn't try to update it.
+
+Signed-off-by: Samuel Thibault
+---
+ src/ip_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff -up ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 ./slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c
+--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c.CVE-2019-14378 2019-09-26 11:58:44.898400528 +0200
++++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/ip_input.c 2019-09-26 11:58:44.899400540 +0200
+@@ -331,6 +331,8 @@ insert:
+ q = fp->frag_link.next;
+ m = dtom(slirp, q);
+
++ int was_ext = m->m_flags & M_EXT;
++
+ q = (struct ipasfrag *) q->ipf_next;
+ while (q != (struct ipasfrag*)&fp->frag_link) {
+ struct mbuf *t = dtom(slirp, q);
+@@ -353,7 +355,7 @@ insert:
+ * the old buffer (in the mbuf), so we must point ip
+ * into the new buffer.
+ */
+- if (m->m_flags & M_EXT) {
++ if (!was_ext && m->m_flags & M_EXT) {
+ int delta = (char *)q - m->m_dat;
+ q = (struct ipasfrag *)(m->m_ext + delta);
+ }
diff --git a/SPECS/slirp4netns.spec b/SPECS/slirp4netns.spec
index 8096d34..11ba4ad 100644
--- a/SPECS/slirp4netns.spec
+++ b/SPECS/slirp4netns.spec
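Review bot: In the ip_input.c change carried by slirp4netns-CVE-2019-14378.patch, `was_ext` only skips the pointer fix-up when the first fragment's mbuf is already external, so in that case `q` keeps whatever address it had before the loop. If the concatenation inside the loop (its body lies outside the embedded hunk) can enlarge and move an already-external buffer, `q` would be left referring to the old allocation; this is inferred, because the visible lines do not show how the buffer grows. A form that covers both cases records the offset where `was_ext` is now declared, `int delta = (char *)q - ((m->m_flags & M_EXT) ? m->m_ext : m->m_dat);`, and rebases afterwards with `if (m->m_flags & M_EXT) q = (struct ipasfrag *)(m->m_ext + delta);`. That should be checked against the upstream tree before diverging from commit 126c04ac. If the patch stays as it is, writing the new test as `if (!was_ext && (m->m_flags & M_EXT))` makes the precedence explicit.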
@@ -1,20 +1,22 @@ %global git0 https://github.com/rootless-containers/%{name} -%global commit0 c4e1bc5a5e6987f3a352ca524f13320a2d483398 +%global commit0 4992082b2af77c09bca6bd8504e2ebfa5e118c18 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Name: slirp4netns -Version: 0.1 -Release: 2.dev.git%{shortcommit0}%{?dist} -# no go-md2man in ix86 and ppc64 -ExcludeArch: %{ix86} ppc64 +Version: 0.3.0 +Release: 4%{?dist} +# no go-md2man in ix86 +ExcludeArch: %{ix86} Summary: slirp for network namespaces License: GPLv2 URL: %{git0} Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +Patch0: slirp4netns-CVE-2019-14378.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc BuildRequires: git +BuildRequires: glib2-devel BuildRequires: go-md2man BuildRequires: make @@ -28,9 +30,7 @@ BuildArch: noarch %description devel %{summary} -This package contains library source intended for -building other packages which use import path with -%{import_path} prefix. +This package contains the devel files for %{name}. %prep %autosetup -Sgit -n %{name}-%{commit0} @@ -55,6 +55,18 @@ make DESTDIR=%{buildroot} install install-man %{_mandir}/man1/%{name}.1.gz %changelog +* Thu Sep 26 2019 Jindrich Novy - 0.3.0-4 +- Fix CVE-2019-14378 (#1755595). + +* Fri Jun 07 2019 Lokesh Mandvekar - 0.3.0-3 +- Resolves: #1683217 - BR: glib2-devel + +* Fri Jun 07 2019 Lokesh Mandvekar - 0.3.0-2 +- Resolves: #1683217 - bump slirp4netns to v0.3.0 + +* Thu Feb 28 2019 Lokesh Mandvekar - 0.3.0-1.alpha.2.git30883b5 +- bump to v0.3.0-alpha.2 + * Fri Nov 16 2018 Frantisek Kluknavsky - 0.1-2.dev.gitc4e1bc5 - changed summary
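Review bot: The `Patch0:` line added in the first hunk of slirp4netns.spec has no comment saying where the patch comes from, so a later rebase cannot tell from the spec alone whether it can be dropped. A comment above it such as `# CVE-2019-14378 (#1755595): backport of upstream commit 126c04ac; drop once the pinned tarball contains it` would record that. The patch targets `qemu/slirp/src/ip_input.c` inside the tarball selected by `commit0`, which suggests a bundled slirp copy, so the same comment is the place to note that the fix has to be re-checked whenever `commit0` moves.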