Compare commits

..

No commits in common. "c8s-stream-4.0" and "c8-stream-1.0" have entirely different histories.

6 changed files with 177 additions and 175 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/v1.1.8.tar.gz SOURCES/slirp4netns-c4e1bc5.tar.gz

View File

@ -1 +1 @@
9f7965d1151311e6af4be9d3c0093ff86f1a3e4d SOURCES/v1.1.8.tar.gz c80717510d48cfe56eec27e93a4fe92182faca0b SOURCES/slirp4netns-c4e1bc5.tar.gz

View File

@ -1,74 +0,0 @@
From 103cf5a3f83406f4a22b8d1899518e5fa4a351d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Tue, 15 Feb 2022 11:46:06 +0400
Subject: [PATCH] Replace deprecated inet_ntoa with safer inet_ntop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
inet_ntoa() is a legacy API with MT issues. Use the recommended
alternative instead. This makes some code checkers happy, and could
potentially fix issues if other parts of the process were to use
inet_ntoa() at the same time..
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
main.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/main.c b/main.c
index c79508e10f4d..2c38dc0da1af 100644
--- a/main.c
+++ b/main.c
@@ -257,6 +257,7 @@ static int recvfd(int sock)
static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
struct slirp4netns_config *cfg, pid_t target_pid)
{
+ char str[INET6_ADDRSTRLEN];
int rc, tapfd;
if ((tapfd = recvfd(sock)) < 0) {
return tapfd;
@@ -265,23 +266,22 @@ static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
close(sock);
printf("Starting slirp\n");
printf("* MTU: %d\n", cfg->mtu);
- printf("* Network: %s\n", inet_ntoa(cfg->vnetwork));
- printf("* Netmask: %s\n", inet_ntoa(cfg->vnetmask));
- printf("* Gateway: %s\n", inet_ntoa(cfg->vhost));
- printf("* DNS: %s\n", inet_ntoa(cfg->vnameserver));
- printf("* Recommended IP: %s\n", inet_ntoa(cfg->recommended_vguest));
+ printf("* Network: %s\n", inet_ntop(AF_INET, &cfg->vnetwork, str, sizeof(str)));
+ printf("* Netmask: %s\n", inet_ntop(AF_INET, &cfg->vnetmask, str, sizeof(str)));
+ printf("* Gateway: %s\n", inet_ntop(AF_INET, &cfg->vhost, str, sizeof(str)));
+ printf("* DNS: %s\n", inet_ntop(AF_INET, &cfg->vnameserver, str, sizeof(str)));
+ printf("* Recommended IP: %s\n", inet_ntop(AF_INET, &cfg->recommended_vguest, str, sizeof(str)));
if (api_socket != NULL) {
printf("* API Socket: %s\n", api_socket);
}
#if SLIRP_CONFIG_VERSION_MAX >= 2
if (cfg->enable_outbound_addr) {
printf("* Outbound IPv4: %s\n",
- inet_ntoa(cfg->outbound_addr.sin_addr));
+ inet_ntop(AF_INET, &cfg->outbound_addr.sin_addr, str, sizeof(str)));
}
if (cfg->enable_outbound_addr6) {
- char str[INET6_ADDRSTRLEN];
- if (inet_ntop(AF_INET6, &cfg->outbound_addr6.sin6_addr, str,
- INET6_ADDRSTRLEN) != NULL) {
+ if (inet_ntop(AF_INET6, &cfg->outbound_addr6.sin6_addr,
+ str, sizeof(str)) != NULL) {
printf("* Outbound IPv6: %s\n", str);
}
}
@@ -290,7 +290,7 @@ static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
printf(
"WARNING: 127.0.0.1:* on the host is accessible as %s (set "
"--disable-host-loopback to prohibit connecting to 127.0.0.1:*)\n",
- inet_ntoa(cfg->vhost));
+ inet_ntop(AF_INET, &cfg->vhost, str, sizeof(str)));
}
if (cfg->enable_sandbox && geteuid() != 0) {
if ((rc = nsenter(target_pid, NULL, NULL, true)) < 0) {
--
2.34.1.428.gdcc0cd074f0c

View File

@ -0,0 +1,34 @@
From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Sun, 28 Jul 2019 19:11:24 +0200
Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
---
src/ip_input.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff -up ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378 ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c
--- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378 2019-09-27 11:04:30.215413671 +0200
+++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c 2019-09-27 11:04:30.216413682 +0200
@@ -333,6 +333,8 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
+ int was_ext = m->m_flags & M_EXT;
+
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
@@ -355,7 +357,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (m->m_flags & M_EXT) {
+ if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
}

View File

@ -0,0 +1,123 @@
From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 8 Jan 2020 00:58:48 +0100
Subject: [PATCH] tcp_emu: Fix oob access
The main loop only checks for one available byte, while we sometimes
need two bytes.
2.24.1
From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:28 +0530
Subject: [PATCH] slirp: use correct size while emulating commands
While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
2.24.1
From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:27 +0530
Subject: [PATCH] slirp: use correct size while emulating IRC commands
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
---
CHANGELOG.md | 1 +
src/tcp_subr.c | 7 +++++++
2 files changed, 8 insertions(+)
diff -up slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039 slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c
--- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039 2020-01-16 11:13:39.558653385 +0100
+++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c 2020-01-16 14:23:54.027184429 +0100
@@ -704,7 +704,7 @@ tcp_emu(struct socket *so, struct mbuf *
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size - m->m_len,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"ORT %d,%d,%d,%d,%d,%d\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
return 1;
@@ -737,7 +737,7 @@ tcp_emu(struct socket *so, struct mbuf *
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size - m->m_len,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
@@ -763,7 +763,7 @@ tcp_emu(struct socket *so, struct mbuf *
if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len = snprintf(m->m_data, m->m_size, "%d",
+ m->m_len = snprintf(m->m_data, M_ROOM(m), "%d",
ntohs(so->so_fport)) + 1;
return 1;
@@ -783,7 +783,7 @@ tcp_emu(struct socket *so, struct mbuf *
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
@@ -794,7 +794,7 @@ tcp_emu(struct socket *so, struct mbuf *
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"DCC SEND %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -805,7 +805,7 @@ tcp_emu(struct socket *so, struct mbuf *
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"DCC MOVE %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *
break;
case 5:
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
+
/*
* The difference between versions 1.0 and
* 2.0 is here. For future versions of
@@ -907,6 +910,9 @@ tcp_emu(struct socket *so, struct mbuf *
/* This is the field containing the port
* number that RA-player is listening to.
*/
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
+
lport = (((u_char*)bptr)[0] << 8)
+ ((u_char *)bptr)[1];
if (lport < 6970)

View File

@ -1,28 +1,27 @@
%global git0 https://github.com/rootless-containers/%{name} %global git0 https://github.com/rootless-containers/%{name}
%global commit0 c4e1bc5a5e6987f3a352ca524f13320a2d483398
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
Name: slirp4netns Name: slirp4netns
Version: 1.1.8 Version: 0.1
Release: 2%{?dist} Release: 5.dev.git%{shortcommit0}%{?dist}
# no go-md2man in ix86 and ppc64
ExcludeArch: %{ix86} ppc64
Summary: slirp for network namespaces Summary: slirp for network namespaces
License: GPLv2 License: GPLv2
URL: %{git0} URL: %{git0}
# build fails on i686 with: No matching package to install: 'go-md2man' Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
ExcludeArch: i686 Patch0: slirp4netns-CVE-2019-14378.patch
Source0: %{git0}/archive/v%{version}.tar.gz Patch1: slirp4netns-CVE-2020-7039.patch
Patch0: 1.1.8-0001-Replace-deprecated-inet_ntoa-with-safer-inet_ntop.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: gcc BuildRequires: gcc
BuildRequires: glib2-devel
BuildRequires: git BuildRequires: git
BuildRequires: go-md2man BuildRequires: go-md2man
BuildRequires: libcap-devel
BuildRequires: libseccomp-devel
BuildRequires: make BuildRequires: make
BuildRequires: libslirp-devel
%description %description
slirp for network namespaces, without copying buffers across the namespaces. User-mode networking for unprivileged network namespaces.
%package devel %package devel
Summary: %{summary} Summary: %{summary}
@ -36,11 +35,9 @@ building other packages which use import path with
%{import_path} prefix. %{import_path} prefix.
%prep %prep
%autosetup -Sgit %autosetup -Sgit -n %{name}-%{commit0}
%build %build
export CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
./autogen.sh ./autogen.sh
./configure --prefix=%{_usr} --libdir=%{_libdir} ./configure --prefix=%{_usr} --libdir=%{_libdir}
%{__make} generate-man %{__make} generate-man
@ -60,94 +57,16 @@ make DESTDIR=%{buildroot} install install-man
%{_mandir}/man1/%{name}.1.gz %{_mandir}/man1/%{name}.1.gz
%changelog %changelog
* Fri Feb 18 2022 Jindrich Novy <jnovy@redhat.com> - 1.1.8-2 * Thu Jan 16 2020 Jindrich Novy <jnovy@redhat.com> - 0.1-5.dev.gitc4e1bc5
- fix gating - don't use insecure functions - thanks to Marc-André Lureau - backport fix for CVE-2020-7039
- Related: #2001445 - Resolves: #1791578
* Fri Dec 04 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.8-1 * Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 0.1-4.dev.gitc4e1bc5
- update to - actually add CVE-2019-14378 patch to dist-git
https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.8
- Related: #1883490
* Thu Dec 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.7-2
- exclude i686 because of build failures
- Related: #1883490
* Thu Nov 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.7-1
- update to
https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.7
- Related: #1883490
* Mon Nov 09 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.6-2
- - be sure to harden the linked binary
- Related: #1883490
* Thu Nov 05 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.6-1
- update to
https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.6
- Related: #1883490
* Tue Aug 11 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.4-2
- use proper CFLAGS
- Related: #1821193
* Mon Jul 13 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.4-1
- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.4
- Related: #1821193
* Thu Jul 09 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.3-1
- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.3
- Related: #1821193
* Mon Jul 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.2-1
- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.2
- Related: #1821193
* Fri Jun 05 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.1-1
- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.1
- Related: #1821193
* Fri Jun 05 2020 Jindrich Novy <jnovy@redhat.com> - 1.1.0-1
- update to https://github.com/rootless-containers/slirp4netns/releases/tag/v1.1.0
- Related: #1821193
* Tue May 12 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.1-1
- update to https://github.com/rootless-containers/slirp4netns/archive/v1.0.1.tar.gz
- Related: #1821193
* Thu Feb 06 2020 Jindrich Novy <jnovy@redhat.com> - 0.4.2-3.git21fdece
- Fix CVE-2020-8608
- Resolves: #1798979
* Thu Jan 16 2020 Jindrich Novy <jnovy@redhat.com> - 0.4.2-2.git21fdece
- Fix CVE-2020-7039.
Resolves: #1791576
* Mon Nov 25 2019 Jindrich Novy <jnovy@redhat.com> - 0.4.2-1.git21fdece
- update to latest 0.4.2, fixes bug 1763454
- Related: RHELPLAN-25139 - Related: RHELPLAN-25139
* Thu Oct 31 2019 Jindrich Novy <jnovy@redhat.com> - 0.4.0-2 * Fri Sep 27 2019 Jindrich Novy <jnovy@redhat.com> - 0.1-3.dev.gitc4e1bc5
- add new BR: libseccomp-devel - Fix CVE-2019-14378 (#1768394).
- Related: #1766774
* Wed Oct 30 2019 Jindrich Novy <jnovy@redhat.com> - 0.4.0-1
- update to v.0.4.0
- sync with fedora spec
- drop applied CVE-2019-14378 patch
- Resolves: #1766774
* Thu Sep 26 2019 Jindrich Novy <jnovy@redhat.com> - 0.3.0-4
- Fix CVE-2019-14378 (#1755595).
* Fri Jun 07 2019 Lokesh Mandvekar <lsm5@redhat.com> - 0.3.0-3
- Resolves: #1683217 - BR: glib2-devel
* Fri Jun 07 2019 Lokesh Mandvekar <lsm5@redhat.com> - 0.3.0-2
- Resolves: #1683217 - bump slirp4netns to v0.3.0
* Thu Feb 28 2019 Lokesh Mandvekar <lsm5@redhat.com> - 0.3.0-1.alpha.2.git30883b5
- bump to v0.3.0-alpha.2
* Fri Nov 16 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.1-2.dev.gitc4e1bc5 * Fri Nov 16 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.1-2.dev.gitc4e1bc5
- changed summary - changed summary