import slirp4netns-0.1-5.dev.gitc4e1bc5.module+el8.3.0+7197+26156b7d

.gitignore

@@ -0,0 +1 @@
+SOURCES/slirp4netns-c4e1bc5.tar.gz

.slirp4netns.metadata

@@ -0,0 +1 @@
+c80717510d48cfe56eec27e93a4fe92182faca0b SOURCES/slirp4netns-c4e1bc5.tar.gz

SOURCES/slirp4netns-CVE-2019-14378.patch

@@ -0,0 +1,34 @@
+From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Sun, 28 Jul 2019 19:11:24 +0200
+Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
+
+When the first fragment does not fit in the preallocated buffer, q will
+already be pointing to the ext buffer, so we mustn't try to update it.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+---
+ src/ip_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff -up ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378 ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c
+--- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378	2019-09-27 11:04:30.215413671 +0200
++++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c	2019-09-27 11:04:30.216413682 +0200
+@@ -333,6 +333,8 @@ insert:
+     q = fp->frag_link.next;
+ 	m = dtom(slirp, q);
+ 
++	int was_ext = m->m_flags & M_EXT;
++
+ 	q = (struct ipasfrag *) q->ipf_next;
+ 	while (q != (struct ipasfrag*)&fp->frag_link) {
+ 	  struct mbuf *t = dtom(slirp, q);
+@@ -355,7 +357,7 @@ insert:
+ 	 * the old buffer (in the mbuf), so we must point ip
+ 	 * into the new buffer.
+ 	 */
+-	if (m->m_flags & M_EXT) {
++	if (!was_ext && m->m_flags & M_EXT) {
+ 	  int delta = (char *)q - m->m_dat;
+ 	  q = (struct ipasfrag *)(m->m_ext + delta);
+ 	}

SOURCES/slirp4netns-CVE-2020-7039.patch

@@ -0,0 +1,123 @@
+From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Wed, 8 Jan 2020 00:58:48 +0100
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+2.24.1
+
+From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 9 Jan 2020 15:12:28 +0530
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+
+2.24.1
+
+From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 9 Jan 2020 15:12:27 +0530
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+
+Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+
+---
+ CHANGELOG.md   | 1 +
+ src/tcp_subr.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff -up slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039 slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c
+--- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039	2020-01-16 11:13:39.558653385 +0100
++++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c	2020-01-16 14:23:54.027184429 +0100
+@@ -704,7 +704,7 @@ tcp_emu(struct socket *so, struct mbuf *
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size - m->m_len,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
+@@ -737,7 +737,7 @@ tcp_emu(struct socket *so, struct mbuf *
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, m->m_size - m->m_len,
++			m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+@@ -763,7 +763,7 @@ tcp_emu(struct socket *so, struct mbuf *
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
+-                    m->m_len = snprintf(m->m_data, m->m_size, "%d",
++                    m->m_len = snprintf(m->m_data, M_ROOM(m), "%d",
+                                         ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+@@ -783,7 +783,7 @@ tcp_emu(struct socket *so, struct mbuf *
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC CHAT chat %lu %u%c\n",
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), 1);
+@@ -794,7 +794,7 @@ tcp_emu(struct socket *so, struct mbuf *
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC SEND %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+@@ -805,7 +805,7 @@ tcp_emu(struct socket *so, struct mbuf *
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC MOVE %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+@@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *
+ 				break;
+ 
+ 			 case 5:
++				if (bptr == m->m_data + m->m_len - 1)
++				    return 1; /* We need two bytes */
++
+ 				/*
+ 				 * The difference between versions 1.0 and
+ 				 * 2.0 is here. For future versions of
+@@ -907,6 +910,9 @@ tcp_emu(struct socket *so, struct mbuf *
+ 				/* This is the field containing the port
+ 				 * number that RA-player is listening to.
+ 				 */
++				if (bptr == m->m_data + m->m_len - 1)
++				    return 1; /* We need two bytes */
++
+ 				lport = (((u_char*)bptr)[0] << 8)
+ 				+ ((u_char *)bptr)[1];
+ 				if (lport < 6970)

SPECS/slirp4netns.spec

@@ -0,0 +1,77 @@
+%global git0 https://github.com/rootless-containers/%{name}
+%global commit0 c4e1bc5a5e6987f3a352ca524f13320a2d483398
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+
+Name: slirp4netns
+Version: 0.1
+Release: 5.dev.git%{shortcommit0}%{?dist}
+# no go-md2man in ix86 and ppc64
+ExcludeArch: %{ix86} ppc64
+Summary: slirp for network namespaces
+License: GPLv2
+URL: %{git0}
+Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Patch0: slirp4netns-CVE-2019-14378.patch
+Patch1: slirp4netns-CVE-2020-7039.patch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc
+BuildRequires: git
+BuildRequires: go-md2man
+BuildRequires: make
+
+%description
+User-mode networking for unprivileged network namespaces.
+
+%package devel
+Summary: %{summary}
+BuildArch: noarch
+
+%description devel
+%{summary}
+
+This package contains library source intended for
+building other packages which use import path with
+%{import_path} prefix.
+
+%prep
+%autosetup -Sgit -n %{name}-%{commit0}
+
+%build
+./autogen.sh
+./configure --prefix=%{_usr} --libdir=%{_libdir}
+%{__make} generate-man
+
+%install
+make DESTDIR=%{buildroot} install install-man
+
+%check
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%license COPYING
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}.1.gz
+
+%changelog
+* Thu Jan 16 2020 Jindrich Novy <jnovy@redhat.com> - 0.1-5.dev.gitc4e1bc5
+- backport fix for CVE-2020-7039
+- Resolves: #1791578
+
+* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 0.1-4.dev.gitc4e1bc5
+- actually add CVE-2019-14378 patch to dist-git
+- Related: RHELPLAN-25139
+
+* Fri Sep 27 2019 Jindrich Novy <jnovy@redhat.com> - 0.1-3.dev.gitc4e1bc5
+- Fix CVE-2019-14378 (#1768394).
+
+* Fri Nov 16 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.1-2.dev.gitc4e1bc5
+- changed summary
+
+* Fri Aug 10 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.1-1.dev.gitc4e1bc5
+- First package for RHEL 8
+- import from Fedora rawhide
+- Exclude ix86 and ppc64