From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/1] package/slirp: security bump to version 4.6.1
Date: Thu,  1 Jul 2021 22:38:42 +0200
Message-ID: <20210701203842.470599-1-fontaine.fabrice@gmail.com>

mtod()-related buffer overflows (CVE-2021-3592 #44, CVE-2021-3593 #45,
CVE-2021-3594 #47, CVE-2021-3595 #46).

Drop patch (already in version)

https://gitlab.freedesktop.org/slirp/libslirp/-/blob/v4.6.1/CHANGELOG.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...t_len-before-reading-protocol-header.patch | 60 -------------------
 package/slirp/slirp.hash                      |  2 +-
 package/slirp/slirp.mk                        |  9 +--
 3 files changed, 3 insertions(+), 68 deletions(-)
 delete mode 100644 package/slirp/0001-slirp-check-pkt_len-before-reading-protocol-header.patch

diff --git a/package/slirp/0001-slirp-check-pkt_len-before-reading-protocol-header.patch b/package/slirp/0001-slirp-check-pkt_len-before-reading-protocol-header.patch
deleted file mode 100644
index 4046144712..0000000000
--- a/package/slirp/0001-slirp-check-pkt_len-before-reading-protocol-header.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 26 Nov 2020 19:27:06 +0530
-Subject: [PATCH] slirp: check pkt_len before reading protocol header
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
-routines, ensure that pkt_len is large enough to accommodate the
-respective protocol headers, lest it should do an OOB access.
-Add check to avoid it.
-
-CVE-2020-29129 CVE-2020-29130
-  QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
- -> https://www.openwall.com/lists/oss-security/2020/11/27/1
-
-Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
-Reviewed-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- src/ncsi.c  | 4 ++++
- src/slirp.c | 4 ++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/src/ncsi.c b/src/ncsi.c
-index 3c1dfef..75dcc08 100644
---- a/src/ncsi.c
-+++ b/src/ncsi.c
-@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
-     uint32_t checksum;
-     uint32_t *pchecksum;
- 
-+    if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
-+        return; /* packet too short */
-+    }
-+
-     memset(ncsi_reply, 0, sizeof(ncsi_reply));
- 
-     memset(reh->h_dest, 0xff, ETH_ALEN);
-diff --git a/src/slirp.c b/src/slirp.c
-index 9bead0c..abb6f9a 100644
---- a/src/slirp.c
-+++ b/src/slirp.c
-@@ -860,6 +860,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
-         return;
-     }
- 
-+    if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
-+        return; /* packet too short */
-+    }
-+
-     ar_op = ntohs(ah->ar_op);
-     switch (ar_op) {
-     case ARPOP_REQUEST:
--- 
-2.20.1
-
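Review bot: the commit message's "Drop patch (already in version)" does not say which upstream release first carried the pkt_len checks in ncsi_input() and arp_input() that this deleted file added. Naming that release or the upstream commit in the commit message would let a reviewer confirm that 4.6.1 still covers CVE-2020-29129 and CVE-2020-29130 now that the local patch is gone, since the SLIRP_IGNORE_CVES entry for them is dropped in the same change.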
diff --git a/package/slirp/slirp.hash b/package/slirp/slirp.hash
index fe295b3bfb..326b2ad246 100644
--- a/package/slirp/slirp.hash
+++ b/package/slirp/slirp.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  388b4b08a8cc0996cc5155cb027a097dc1a7f2cfe84b1121496608ab5366cc48  libslirp-4.3.1.tar.xz
+sha256  b8a22ac4d601ba16122a67827c0f4361785d4d283f21ff8ed48d4aa1e7693477  libslirp-4.6.1.tar.xz
 sha256  b28aecf4796a6a22054167f0a976de13d9db335669d37afd2dc7ea4c335e1e13  COPYRIGHT
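Review bot: the new libslirp-4.6.1.tar.xz line sits under "# Locally computed:", so the sha256 only pins whatever was downloaded when the hash was taken and is not cross-checked against anything published upstream. If the project publishes a checksum or signature for the 4.6.1 tarball, cite it in a comment here; otherwise the commit message could state how the download was verified. The COPYRIGHT hash is unchanged, which is consistent with no license text change across the bump.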
diff --git a/package/slirp/slirp.mk b/package/slirp/slirp.mk
index ff92c60517..43d2c520e9 100644
--- a/package/slirp/slirp.mk
+++ b/package/slirp/slirp.mk
@@ -4,11 +4,9 @@
 #
 ################################################################################
 
-SLIRP_VERSION = 4.3.1
+SLIRP_VERSION = 4.6.1
 SLIRP_SOURCE = libslirp-$(SLIRP_VERSION).tar.xz
-# Other "official" tarballs don't ship .tarball-version resulting in a build
-# failure: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/24
-SLIRP_SITE = https://elmarco.fedorapeople.org
+SLIRP_SITE = https://gitlab.freedesktop.org/slirp/libslirp/uploads/83b199ea6fcdfc0c243dfde8546ee4c9
 SLIRP_LICENSE = BSD-3-Clause
 SLIRP_LICENSE_FILES = COPYRIGHT
 SLIRP_CPE_ID_VENDOR = libslirp_project
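Review bot: SLIRP_SITE now points at a GitLab uploads path, and the removed comment was the only record of why the official tarballs were avoided (missing .tarball-version, libslirp issue 24). Neither the commit message nor the new lines say that the 4.6.1 upload ships .tarball-version. A one-line comment above SLIRP_SITE saying so, and noting that the opaque uploads id in the URL belongs to this one file and will presumably need changing on the next bump, would save the next person from rediscovering it.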
@@ -16,7 +14,4 @@ SLIRP_CPE_ID_PRODUCT = libslirp
 SLIRP_INSTALL_STAGING = YES
 SLIRP_DEPENDENCIES = libglib2
 
-# 0001-slirp-check-pkt_len-before-reading-protocol-header.patch
-SLIRP_IGNORE_CVES += CVE-2020-29129 CVE-2020-29130
-
 $(eval $(meson-package))
-- 
2.30.2
