rpms/libslirp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import libslirp-4.3.1-1.module+el8.4.0+10198+36d1d0e3

Browse Source
This commit is contained in:
CentOS Sources 2021-03-30 10:47:55 -04:00 committed by Stepan Oksanichenko
parent de6e309e39
commit 088e3bfb53
4 changed files with 17 additions and 200 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libslirp-4.3.0.tar.xz
SOURCES/libslirp-4.3.1.tar.xz

2
.libslirp.metadata
View File

@ -1 +1 @@
09f0c96d08a37a21eda73f4df8fb81a321361ad4 SOURCES/libslirp-4.3.0.tar.xz
f69c50c264a465bde6fe0cd6b577e2f1c0b20ece SOURCES/libslirp-4.3.1.tar.xz

191
SOURCES/libslirp-coverity.patch
View File

@ -1,191 +0,0 @@
From 0b83636e914a894b324836e3fb2f20a2f7599fc4 Mon Sep 17 00:00:00 2001
From: Jindrich Novy <jnovy@redhat.com>
Date: Wed, 27 May 2020 11:01:02 +0200
Subject: [PATCH] Fix possible infinite loops and use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Error: USE_AFTER_FREE (CWE-416): [#def1]
libslirp-4.3.0/src/ip_icmp.c:79: freed_arg: "icmp_detach" frees "slirp->icmp.so_next".
libslirp-4.3.0/src/ip_icmp.c:79: deref_arg: Calling "icmp_detach" dereferences freed pointer "slirp->icmp.so_next".
77| {
78| while (slirp->icmp.so_next != &slirp->icmp) {
79|-> icmp_detach(slirp->icmp.so_next);
80| }
81| }
Error: USE_AFTER_FREE (CWE-416): [#def27]
libslirp-4.3.0/src/udp.c:56: freed_arg: "udp_detach" frees "slirp->udb.so_next".
libslirp-4.3.0/src/udp.c:56: deref_arg: Calling "udp_detach" dereferences freed pointer "slirp->udb.so_next".
54| {
55| while (slirp->udb.so_next != &slirp->udb) {
56|-> udp_detach(slirp->udb.so_next);
57| }
58| }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
src/ip_icmp.c | 7 +++++--
src/udp.c | 5 ++++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/ip_icmp.c b/src/ip_icmp.c
index fe0add4..7533595 100644
--- libslirp-4.3.0/src/ip_icmp.c
+++ libslirp-4.3.0/src/ip_icmp.c
@@ -75,8 +75,11 @@ void icmp_init(Slirp *slirp)
void icmp_cleanup(Slirp *slirp)
{
- while (slirp->icmp.so_next != &slirp->icmp) {
- icmp_detach(slirp->icmp.so_next);
+ struct socket *so, *so_next;
+
+ for (so = slirp->icmp.so_next; so != &slirp->icmp; so = so_next) {
+ so_next = so->so_next;
+ icmp_detach(so);
}
}
diff --git a/src/udp.c b/src/udp.c
index 6bde20f..9ed1e74 100644
--- libslirp-4.3.0/src/udp.c
+++ libslirp-4.3.0/src/udp.c
@@ -52,7 +52,10 @@ void udp_init(Slirp *slirp)
void udp_cleanup(Slirp *slirp)
{
- while (slirp->udb.so_next != &slirp->udb) {
+ struct socket *so, *so_next;
+
+ for (so = slirp->udb.so_next; so != &slirp->udb; so = so_next) {
+ so_next = so->so_next;
udp_detach(slirp->udb.so_next);
}
}
--
2.26.2
From 2d79c0b7d78e55624790a102fbd924a4259eef16 Mon Sep 17 00:00:00 2001
From: Jindrich Novy <jnovy@redhat.com>
Date: Wed, 27 May 2020 11:07:19 +0200
Subject: [PATCH] Use secure string copy to avoid overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Error: STRING_OVERFLOW (CWE-120): [#def2]
libslirp-4.3.0/src/ip_icmp.c:277: fixed_size_dest: You might overrun the 20-character fixed-size string "bufa" by copying the return value of "inet_ntoa" without checking the length.
275| if (slirp_debug & DBG_MISC) {
276| char bufa[20], bufb[20];
277|-> strcpy(bufa, inet_ntoa(ip->ip_src));
278| strcpy(bufb, inet_ntoa(ip->ip_dst));
279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
Error: STRING_OVERFLOW (CWE-120): [#def3]
libslirp-4.3.0/src/ip_icmp.c:278: fixed_size_dest: You might overrun the 20-character fixed-size string "bufb" by copying the return value of "inet_ntoa" without checking the length.
276| char bufa[20], bufb[20];
277| strcpy(bufa, inet_ntoa(ip->ip_src));
278|-> strcpy(bufb, inet_ntoa(ip->ip_dst));
279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
280| }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
src/ip_icmp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ip_icmp.c b/src/ip_icmp.c
index 7533595..13a0e55 100644
--- libslirp-4.3.0/src/ip_icmp.c
+++ libslirp-4.3.0/src/ip_icmp.c
@@ -277,8 +277,8 @@ void icmp_send_error(struct mbuf *msrc, uint8_t type, uint8_t code, int minsize,
ip = mtod(msrc, struct ip *);
if (slirp_debug & DBG_MISC) {
char bufa[20], bufb[20];
- strcpy(bufa, inet_ntoa(ip->ip_src));
- strcpy(bufb, inet_ntoa(ip->ip_dst));
+ slirp_pstrcpy(bufa, sizeof(bufa), inet_ntoa(ip->ip_src));
+ slirp_pstrcpy(bufb, sizeof(bufb), inet_ntoa(ip->ip_dst));
DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
}
if (ip->ip_off & IP_OFFMASK)
--
2.26.2
From 961a676e93fe7d599d3856e63bd132fe0d2decb2 Mon Sep 17 00:00:00 2001
From: Jindrich Novy <jnovy@redhat.com>
Date: Wed, 27 May 2020 11:16:57 +0200
Subject: [PATCH] Check lseek() for failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Error: CHECKED_RETURN (CWE-252): [#def26]
libslirp-4.3.0/src/tftp.c:121: check_return: Calling "lseek(spt->fd, block_nr * spt->block_size, 0)" without checking return value. This library function may fail and return an error code.
119|
120| if (len) {
121|-> lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
122|
123| bytes_read = read(spt->fd, buf, len);
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
src/tftp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/tftp.c b/src/tftp.c
index c209145..c6950ee 100644
--- libslirp-4.3.0/src/tftp.c
+++ libslirp-4.3.0/src/tftp.c
@@ -118,7 +118,9 @@ static int tftp_read_data(struct tftp_session *spt, uint32_t block_nr,
}
if (len) {
- lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
+ if (lseek(spt->fd, block_nr * spt->block_size, SEEK_SET) == (off_t)-1) {
+ return -1;
+ }
bytes_read = read(spt->fd, buf, len);
}
--
2.26.2
From b0fc01a6b8cf6a50a1af69845cca692cc42dd970 Mon Sep 17 00:00:00 2001
From: Jindrich Novy <jnovy@redhat.com>
Date: Wed, 27 May 2020 11:18:36 +0200
Subject: [PATCH] Be sure to initialize sockaddr structure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Error: UNINIT (CWE-457): [#def30]
libslirp-4.3.0/src/udp.c:325: var_decl: Declaring variable "addr" without initializer.
libslirp-4.3.0/src/udp.c:342: uninit_use_in_call: Using uninitialized value "addr". Field "addr.sin_zero" is uninitialized when calling "bind".
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
src/udp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/udp.c b/src/udp.c
index 9ed1e74..0ad44d7 100644
--- libslirp-4.3.0/src/udp.c
+++ libslirp-4.3.0/src/udp.c
@@ -329,6 +329,7 @@ struct socket *udp_listen(Slirp *slirp, uint32_t haddr, unsigned hport,
struct socket *so;
socklen_t addrlen = sizeof(struct sockaddr_in);
+ memset(&addr, 0, sizeof(addr));
so = socreate(slirp);
so->s = slirp_socket(AF_INET, SOCK_DGRAM, 0);
if (so->s < 0) {
--
2.26.2

22
SPECS/libslirp.spec
View File

@ -1,16 +1,12 @@
Name: libslirp
Version: 4.3.0
Release: 3%{?dist}
Version: 4.3.1
Release: 1%{?dist}
Summary: A general purpose TCP-IP emulator
# check the SPDX tags in source files for details
License: BSD and MIT
URL: https://gitlab.freedesktop.org/slirp/%{name}
Source0: %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1821193
# backported: https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/41
Patch0: libslirp-coverity.patch
Source0: https://elmarco.fedorapeople.org/libslirp-%{version}.tar.xz
BuildRequires: git-core
BuildRequires: meson
BuildRequires: gcc
@ -55,6 +51,18 @@ developing applications that use %{name}.
%changelog
* Thu Jul 30 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.1-1
- update to https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.3.1
- Related: #1821193
* Wed Jul 08 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-5
- replace patch for CVE-2020-10756 with dedicated upstream one
- Related: #1821193
* Fri Jul 03 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-4
- fix "CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclosure vulnerability"
- Related: #1821193
* Thu May 28 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-3
- fix static analysis issues merged upstream
(https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/41)