Wed Dec 2 18:19:30 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.4.0-1
- new version
This commit is contained in:
parent
982d63f6e4
commit
ab95d04b04
1
.gitignore
vendored
1
.gitignore
vendored
@ -4,3 +4,4 @@
|
||||
/libslirp-v4.3.0.tar.gz
|
||||
/libslirp-4.3.0.tar.xz
|
||||
/libslirp-4.3.1.tar.xz
|
||||
/libslirp-4.4.0.tar.xz
|
||||
|
@ -1,59 +0,0 @@
|
||||
From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 26 Nov 2020 19:27:06 +0530
|
||||
Subject: [PATCH] slirp: check pkt_len before reading protocol header
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
|
||||
routines, ensure that pkt_len is large enough to accommodate the
|
||||
respective protocol headers, lest it should do an OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
CVE-2020-29129 CVE-2020-29130
|
||||
QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
|
||||
-> https://www.openwall.com/lists/oss-security/2020/11/27/1
|
||||
|
||||
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
---
|
||||
src/ncsi.c | 4 ++++
|
||||
src/slirp.c | 4 ++++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/ncsi.c b/src/ncsi.c
|
||||
index 3c1dfef..75dcc08 100644
|
||||
--- a/src/ncsi.c
|
||||
+++ b/src/ncsi.c
|
||||
@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
|
||||
uint32_t checksum;
|
||||
uint32_t *pchecksum;
|
||||
|
||||
+ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
|
||||
+ return; /* packet too short */
|
||||
+ }
|
||||
+
|
||||
memset(ncsi_reply, 0, sizeof(ncsi_reply));
|
||||
|
||||
memset(reh->h_dest, 0xff, ETH_ALEN);
|
||||
diff --git a/src/slirp.c b/src/slirp.c
|
||||
index 9bead0c..abb6f9a 100644
|
||||
--- a/src/slirp.c
|
||||
+++ b/src/slirp.c
|
||||
@@ -860,6 +860,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
|
||||
+ return; /* packet too short */
|
||||
+ }
|
||||
+
|
||||
ar_op = ntohs(ah->ar_op);
|
||||
switch (ar_op) {
|
||||
case ARPOP_REQUEST:
|
||||
--
|
||||
2.29.0
|
||||
|
@ -1,13 +1,12 @@
|
||||
Name: libslirp
|
||||
Version: 4.3.1
|
||||
Release: 3%{?dist}
|
||||
Version: 4.4.0
|
||||
Release: 1%{?dist}
|
||||
Summary: A general purpose TCP-IP emulator
|
||||
|
||||
# check the SPDX tags in source files for details
|
||||
License: BSD and MIT
|
||||
URL: https://gitlab.freedesktop.org/slirp/%{name}
|
||||
Source0: %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz
|
||||
Patch0001: 0001-slirp-check-pkt_len-before-reading-protocol-header.patch
|
||||
|
||||
BuildRequires: git-core
|
||||
BuildRequires: meson
|
||||
@ -53,6 +52,9 @@ developing applications that use %{name}.
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Dec 2 18:19:30 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.4.0-1
|
||||
- new version
|
||||
|
||||
* Fri Nov 27 20:10:28 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.3.1-3
|
||||
- Fix CVE-2020-29129 CVE-2020-29130 out-of-bounds access while processing ARP/NCSI packets
|
||||
rhbz#1902232
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (libslirp-4.3.1.tar.xz) = b34793d67dbe15302a16562ce6e63063eec04f8ca1a6fdb5c10891de9fbcc59877c30d4883cd8c5d911147981401b93dacae538a5b85253bde5e44edea6c228c
|
||||
SHA512 (libslirp-4.4.0.tar.xz) = 5b02d1ed505af6cfa1db3b1f3dc785f16e7518ab8c3f9abe02a2dc277a5dce2ba120617c0f27d9be8a8471e087612a7ac184af348bd3f0517f2715bb57517445
|
||||
|
Loading…
Reference in New Issue
Block a user