* Fri Aug 2 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.0.0-3

- Fix CVE-2019-14378, rhbz#1735654
2019-08-02 14:29:43 +04:00 · 2019-08-02 14:29:43 +04:00 · d7af790873
commit d7af790873
parent d39ab11662
2 changed files with 45 additions and 2 deletions
--- a/0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
+++ b/0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
@ -0,0 +1,38 @@
+From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Sun, 28 Jul 2019 19:11:24 +0200
+Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
+
+When the first fragment does not fit in the preallocated buffer, q will
+already be pointing to the ext buffer, so we mustn't try to update it.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+---
+ src/ip_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/ip_input.c b/src/ip_input.c
+index 50c7657..8c75d91 100644
+--- a/src/ip_input.c
+++ b/src/ip_input.c
+@@ -326,6 +326,8 @@ insert:
+     q = fp->frag_link.next;
+     m = dtom(slirp, q);
+ 
+    int was_ext = m->m_flags & M_EXT;
+
+     q = (struct ipasfrag *)q->ipf_next;
+     while (q != (struct ipasfrag *)&fp->frag_link) {
+         struct mbuf *t = dtom(slirp, q);
+@@ -348,7 +350,7 @@ insert:
+      * the old buffer (in the mbuf), so we must point ip
+      * into the new buffer.
+      */
+-    if (m->m_flags & M_EXT) {
+    if (!was_ext && m->m_flags & M_EXT) {
+         int delta = (char *)q - m->m_dat;
+         q = (struct ipasfrag *)(m->m_ext + delta);
+     }
+-- 
+2.22.0.545.g9c9b961d7e
+
--- a/libslirp.spec
+++ b/libslirp.spec
@ -1,6 +1,6 @@
 Name:           libslirp
 Version:        4.0.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A general purpose TCP-IP emulator

 # check the SPDX tags in source files for details
@ -8,6 +8,8 @@ License:        BSD and MIT
 URL:            https://gitlab.freedesktop.org/slirp/%{name}
 Source0:        %{url}/-/archive/v%{version}/%{name}-v%{version}.tar.gz

+Patch0001:      0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
+BuildRequires:  git-core
 BuildRequires:  meson
 BuildRequires:  gcc
 BuildRequires:  glib2-devel
@ -27,7 +29,7 @@ developing applications that use %{name}.


 %prep
-%autosetup -n %{name}-v%{version}
+%autosetup -S git_am -n %{name}-v%{version}

 %build
 %meson
@ -51,6 +53,9 @@ developing applications that use %{name}.


 %changelog
+* Fri Aug  2 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.0.0-3
+- Fix CVE-2019-14378, rhbz#1735654
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild