.gitignore

@@ -1 +1 @@
-SOURCES/slirp4netns-c4e1bc5.tar.gz
+SOURCES/v1.1.8.tar.gz

.slirp4netns.metadata

@@ -1 +1 @@
-c80717510d48cfe56eec27e93a4fe92182faca0b SOURCES/slirp4netns-c4e1bc5.tar.gz
+9f7965d1151311e6af4be9d3c0093ff86f1a3e4d SOURCES/v1.1.8.tar.gz

SOURCES/1.1.8-0001-Replace-deprecated-inet_ntoa-with-safer-inet_ntop.patch

@@ -0,0 +1,74 @@
+From 103cf5a3f83406f4a22b8d1899518e5fa4a351d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Tue, 15 Feb 2022 11:46:06 +0400
+Subject: [PATCH] Replace deprecated inet_ntoa with safer inet_ntop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+inet_ntoa() is a legacy API with MT issues. Use the recommended
+alternative instead. This makes some code checkers happy, and could
+potentially fix issues if other parts of the process were to use
+inet_ntoa() at the same time..
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+---
+ main.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/main.c b/main.c
+index c79508e10f4d..2c38dc0da1af 100644
+--- a/main.c
++++ b/main.c
+@@ -257,6 +257,7 @@ static int recvfd(int sock)
+ static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
+                   struct slirp4netns_config *cfg, pid_t target_pid)
+ {
++    char str[INET6_ADDRSTRLEN];
+     int rc, tapfd;
+     if ((tapfd = recvfd(sock)) < 0) {
+         return tapfd;
+@@ -265,23 +266,22 @@ static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
+     close(sock);
+     printf("Starting slirp\n");
+     printf("* MTU:             %d\n", cfg->mtu);
+-    printf("* Network:         %s\n", inet_ntoa(cfg->vnetwork));
+-    printf("* Netmask:         %s\n", inet_ntoa(cfg->vnetmask));
+-    printf("* Gateway:         %s\n", inet_ntoa(cfg->vhost));
+-    printf("* DNS:             %s\n", inet_ntoa(cfg->vnameserver));
+-    printf("* Recommended IP:  %s\n", inet_ntoa(cfg->recommended_vguest));
++    printf("* Network:         %s\n", inet_ntop(AF_INET, &cfg->vnetwork, str, sizeof(str)));
++    printf("* Netmask:         %s\n", inet_ntop(AF_INET, &cfg->vnetmask, str, sizeof(str)));
++    printf("* Gateway:         %s\n", inet_ntop(AF_INET, &cfg->vhost, str, sizeof(str)));
++    printf("* DNS:             %s\n", inet_ntop(AF_INET, &cfg->vnameserver, str, sizeof(str)));
++    printf("* Recommended IP:  %s\n", inet_ntop(AF_INET, &cfg->recommended_vguest, str, sizeof(str)));
+     if (api_socket != NULL) {
+         printf("* API Socket:      %s\n", api_socket);
+     }
+ #if SLIRP_CONFIG_VERSION_MAX >= 2
+     if (cfg->enable_outbound_addr) {
+         printf("* Outbound IPv4:    %s\n",
+-               inet_ntoa(cfg->outbound_addr.sin_addr));
++               inet_ntop(AF_INET, &cfg->outbound_addr.sin_addr, str, sizeof(str)));
+     }
+     if (cfg->enable_outbound_addr6) {
+-        char str[INET6_ADDRSTRLEN];
+-        if (inet_ntop(AF_INET6, &cfg->outbound_addr6.sin6_addr, str,
+-                      INET6_ADDRSTRLEN) != NULL) {
++        if (inet_ntop(AF_INET6, &cfg->outbound_addr6.sin6_addr,
++                      str, sizeof(str)) != NULL) {
+             printf("* Outbound IPv6:    %s\n", str);
+         }
+     }
+@@ -290,7 +290,7 @@ static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
+         printf(
+             "WARNING: 127.0.0.1:* on the host is accessible as %s (set "
+             "--disable-host-loopback to prohibit connecting to 127.0.0.1:*)\n",
+-            inet_ntoa(cfg->vhost));
++            inet_ntop(AF_INET, &cfg->vhost, str, sizeof(str)));
+     }
+     if (cfg->enable_sandbox && geteuid() != 0) {
+         if ((rc = nsenter(target_pid, NULL, NULL, true)) < 0) {
+-- 
+2.34.1.428.gdcc0cd074f0c
+

SOURCES/slirp4netns-CVE-2019-14378.patch

@@ -1,34 +0,0 @@
-From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
-From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Sun, 28 Jul 2019 19:11:24 +0200
-Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
-
-When the first fragment does not fit in the preallocated buffer, q will
-already be pointing to the ext buffer, so we mustn't try to update it.
-
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
----
- src/ip_input.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff -up ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378 ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c
---- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378	2019-09-27 11:04:30.215413671 +0200
-+++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c	2019-09-27 11:04:30.216413682 +0200
-@@ -333,6 +333,8 @@ insert:
-     q = fp->frag_link.next;
- 	m = dtom(slirp, q);
- 
-+	int was_ext = m->m_flags & M_EXT;
-+
- 	q = (struct ipasfrag *) q->ipf_next;
- 	while (q != (struct ipasfrag*)&fp->frag_link) {
- 	  struct mbuf *t = dtom(slirp, q);
-@@ -355,7 +357,7 @@ insert:
- 	 * the old buffer (in the mbuf), so we must point ip
- 	 * into the new buffer.
- 	 */
--	if (m->m_flags & M_EXT) {
-+	if (!was_ext && m->m_flags & M_EXT) {
- 	  int delta = (char *)q - m->m_dat;
- 	  q = (struct ipasfrag *)(m->m_ext + delta);
- 	}

SOURCES/slirp4netns-CVE-2020-7039.patch

@@ -1,123 +0,0 @@
-From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
-From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Wed, 8 Jan 2020 00:58:48 +0100
-Subject: [PATCH] tcp_emu: Fix oob access
-
-The main loop only checks for one available byte, while we sometimes
-need two bytes.
-
-2.24.1
-
-From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 9 Jan 2020 15:12:28 +0530
-Subject: [PATCH] slirp: use correct size while emulating commands
-
-While emulating services in tcp_emu(), it uses 'mbuf' size
-'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
-size to avoid possible OOB access.
-
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
-
-2.24.1
-
-From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 9 Jan 2020 15:12:27 +0530
-Subject: [PATCH] slirp: use correct size while emulating IRC commands
-
-While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
-'m->m_size' to write DCC commands via snprintf(3). This may
-lead to OOB write access, because 'bptr' points somewhere in
-the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
-size to avoid OOB access.
-
-Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
-
----
- CHANGELOG.md   | 1 +
- src/tcp_subr.c | 7 +++++++
- 2 files changed, 8 insertions(+)
-
-diff -up slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039 slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c
---- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039	2020-01-16 11:13:39.558653385 +0100
-+++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c	2020-01-16 14:23:54.027184429 +0100
-@@ -704,7 +704,7 @@ tcp_emu(struct socket *so, struct mbuf *
- 			n4 =  (laddr & 0xff);
- 
- 			m->m_len = bptr - m->m_data; /* Adjust length */
--                        m->m_len += snprintf(bptr, m->m_size - m->m_len,
-+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
-                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
-                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
- 			return 1;
-@@ -737,7 +737,7 @@ tcp_emu(struct socket *so, struct mbuf *
- 			n4 =  (laddr & 0xff);
- 
- 			m->m_len = bptr - m->m_data; /* Adjust length */
--			m->m_len += snprintf(bptr, m->m_size - m->m_len,
-+			m->m_len += snprintf(bptr, M_FREEROOM(m),
-                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
-                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
- 
-@@ -763,7 +763,7 @@ tcp_emu(struct socket *so, struct mbuf *
- 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
- 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
- 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
--                    m->m_len = snprintf(m->m_data, m->m_size, "%d",
-+                    m->m_len = snprintf(m->m_data, M_ROOM(m), "%d",
-                                         ntohs(so->so_fport)) + 1;
- 		return 1;
- 
-@@ -783,7 +783,7 @@ tcp_emu(struct socket *so, struct mbuf *
- 				return 1;
- 			}
- 			m->m_len = bptr - m->m_data; /* Adjust length */
--                        m->m_len += snprintf(bptr, m->m_size,
-+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
-                                              "DCC CHAT chat %lu %u%c\n",
-                                              (unsigned long)ntohl(so->so_faddr.s_addr),
-                                              ntohs(so->so_fport), 1);
-@@ -794,7 +794,7 @@ tcp_emu(struct socket *so, struct mbuf *
- 				return 1;
- 			}
- 			m->m_len = bptr - m->m_data; /* Adjust length */
--                        m->m_len += snprintf(bptr, m->m_size,
-+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
-                                              "DCC SEND %s %lu %u %u%c\n", buff,
-                                              (unsigned long)ntohl(so->so_faddr.s_addr),
-                                              ntohs(so->so_fport), n1, 1);
-@@ -805,7 +805,7 @@ tcp_emu(struct socket *so, struct mbuf *
- 				return 1;
- 			}
- 			m->m_len = bptr - m->m_data; /* Adjust length */
--                        m->m_len += snprintf(bptr, m->m_size,
-+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
-                                              "DCC MOVE %s %lu %u %u%c\n", buff,
-                                              (unsigned long)ntohl(so->so_faddr.s_addr),
-                                              ntohs(so->so_fport), n1, 1);
-@@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *
- 				break;
- 
- 			 case 5:
-+				if (bptr == m->m_data + m->m_len - 1)
-+				    return 1; /* We need two bytes */
-+
- 				/*
- 				 * The difference between versions 1.0 and
- 				 * 2.0 is here. For future versions of
-@@ -907,6 +910,9 @@ tcp_emu(struct socket *so, struct mbuf *
- 				/* This is the field containing the port
- 				 * number that RA-player is listening to.
- 				 */
-+				if (bptr == m->m_data + m->m_len - 1)
-+				    return 1; /* We need two bytes */
-+
- 				lport = (((u_char*)bptr)[0] << 8)
- 				+ ((u_char *)bptr)[1];
- 				if (lport < 6970)

SPECS/slirp4netns.spec

@@ -1,27 +1,28 @@
 %global git0 https://github.com/rootless-containers/%{name}
-%global commit0 c4e1bc5a5e6987f3a352ca524f13320a2d483398
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 Name: slirp4netns
-Version: 0.1
-Release: 5.dev.git%{shortcommit0}%{?dist}
-# no go-md2man in ix86 and ppc64
-ExcludeArch: %{ix86} ppc64
+Version: 1.1.8
+Release: 3%{?dist}
 Summary: slirp for network namespaces
 License: GPLv2
 URL: %{git0}
-Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Patch0: slirp4netns-CVE-2019-14378.patch
-Patch1: slirp4netns-CVE-2020-7039.patch
+# build fails on i686 with: No matching package to install: 'go-md2man'
+ExcludeArch: i686
+Source0: %{git0}/archive/v%{version}.tar.gz
+Patch0: 1.1.8-0001-Replace-deprecated-inet_ntoa-with-safer-inet_ntop.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gcc
+BuildRequires: glib2-devel
 BuildRequires: git
 BuildRequires: go-md2man
+BuildRequires: libcap-devel
+BuildRequires: libseccomp-devel
 BuildRequires: make
+BuildRequires: libslirp-devel
 
 %description
-User-mode networking for unprivileged network namespaces.
+slirp for network namespaces, without copying buffers across the namespaces.
 
 %package devel
 Summary: %{summary}
@@ -35,9 +36,11 @@ building other packages which use import path with
 %{import_path} prefix.
 
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit
 
 %build
+export CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
 ./autogen.sh
 ./configure --prefix=%{_usr} --libdir=%{_libdir}
 %{__make} generate-man
@@ -57,16 +60,98 @@ make DESTDIR=%{buildroot} install install-man
 %{_mandir}/man1/%{name}.1.gz
 
 %changelog
-* Thu Jan 16 2020 Jindrich Novy <jnovy@redhat.com> - 0.1-5.dev.gitc4e1bc5
-- backport fix for CVE-2020-7039
-- Resolves: #1791578
+* Tue Mar 14 2023 Jindrich Novy <jnovy@redhat.com> - 1.1.8-3
+- fix gating - don't use insecure functions - thanks to Marc-André Lureau
+- Related: #2176055
 
-* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 0.1-4.dev.gitc4e1bc5
-- actually add CVE-2019-14378 patch to dist-git
+* Fri Feb 18 2022 Jindrich Novy <jnovy@redhat.com> - 1.1.8-2
+- fix gating - don't use insecure functions - thanks to Marc-André Lureau
+- Related: #2001445
+
+* Fri Dec 04 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.8-1
+- update to
+  https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.8
+- Related: #1883490
+
+* Thu Dec 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.7-2
+- exclude i686 because of build failures
+- Related: #1883490
+
+* Thu Nov 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.7-1
+- update to
+  https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.7
+- Related: #1883490
+
+* Mon Nov 09 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.6-2
+- - be sure to harden the linked binary
+- Related: #1883490
+
+* Thu Nov 05 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.6-1
+- update to
+  https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.6
+- Related: #1883490
+
+* Tue Aug 11 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.4-2
+- use proper CFLAGS
+- Related: #1821193
+
+* Mon Jul 13 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.4-1
+- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.4
+- Related: #1821193
+
+* Thu Jul 09 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.3-1
+- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.3
+- Related: #1821193
+
+* Mon Jul 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.2-1
+- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.2
+- Related: #1821193
+
+* Fri Jun 05 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.1-1
+- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.1
+- Related: #1821193
+
+* Fri Jun 05 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.0-1
+- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.0
+- Related: #1821193
+
+* Tue May 12 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.1-1
+- update to https://github.com/rootless-containers/slirp4netns/archive/v1.0.1.tar.gz
+- Related: #1821193
+
+* Thu Feb 06 2020 Jindrich Novy <jnovy@redhat.com> - 0.4.2-3.git21fdece
+- Fix CVE-2020-8608
+- Resolves: #1798979
+
+* Thu Jan 16 2020 Jindrich Novy <jnovy@redhat.com> - 0.4.2-2.git21fdece
+- Fix CVE-2020-7039.
+Resolves: #1791576
+
+* Mon Nov 25 2019 Jindrich Novy <jnovy@redhat.com> - 0.4.2-1.git21fdece
+- update to latest 0.4.2, fixes bug 1763454
 - Related: RHELPLAN-25139
 
-* Fri Sep 27 2019 Jindrich Novy <jnovy@redhat.com> - 0.1-3.dev.gitc4e1bc5
-- Fix CVE-2019-14378 (#1768394).
+* Thu Oct 31 2019 Jindrich Novy <jnovy@redhat.com> - 0.4.0-2
+- add new BR: libseccomp-devel
+- Related: #1766774
+
+* Wed Oct 30 2019 Jindrich Novy <jnovy@redhat.com> - 0.4.0-1
+- update to v.0.4.0
+- sync with fedora spec
+- drop applied CVE-2019-14378 patch
+- Resolves: #1766774
+
+* Thu Sep 26 2019 Jindrich Novy <jnovy@redhat.com> - 0.3.0-4
+- Fix CVE-2019-14378 (#1755595).
+
+* Fri Jun 07 2019 Lokesh Mandvekar <lsm5@redhat.com> - 0.3.0-3
+- Resolves: #1683217 - BR: glib2-devel
+
+* Fri Jun 07 2019 Lokesh Mandvekar <lsm5@redhat.com> - 0.3.0-2
+- Resolves: #1683217 - bump slirp4netns to v0.3.0
+
+* Thu Feb 28 2019 Lokesh Mandvekar <lsm5@redhat.com> - 0.3.0-1.alpha.2.git30883b5
+- bump to v0.3.0-alpha.2
 
 * Fri Nov 16 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.1-2.dev.gitc4e1bc5
 - changed summary