
Bug#977895: marked as done (buster-pu: package slirp/1:1.0.17-8)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #977895,
regarding buster-pu: package slirp/1:1.0.17-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
977895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977895
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

The attached debdiff for slirp fixes CVE-2020-8608 and CVE-2020-7039 in Buster.

Both are marked as no-dsa by the security team.

After DLA-2076-1 and DLA-2142-1 were uploaded to Jessie-LTS, nobody reported any breakage.

  Thorsten
diff -Nru slirp-1.0.17/debian/changelog slirp-1.0.17/debian/changelog
--- slirp-1.0.17/debian/changelog	2015-06-25 17:03:50.000000000 +0200
+++ slirp-1.0.17/debian/changelog	2020-12-21 20:03:02.000000000 +0100
@@ -1,3 +1,15 @@
+slirp (1:1.0.17-8+deb10u1) buster; urgency=high
+
+  * CVE-2020-7039
+    Due to mismanagement of memory, a heap-based buffer overflow or
+    other out-of-bounds access might happen, which can lead to a DoS
+    or potential execute arbitrary code.
+  * CVE-2020-8608
+    Prevent a buffer overflow vulnerability due to incorrect usage
+    of return values from snprintf.
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Mon, 21 Dec 2020 20:03:02 +0100
+
 slirp (1:1.0.17-8) unstable; urgency=low
 
   * Fix FTBFS with GCC 5.0 (Closes: #778124)
diff -Nru slirp-1.0.17/debian/patches/CVE-2020-7039.patch slirp-1.0.17/debian/patches/CVE-2020-7039.patch
--- slirp-1.0.17/debian/patches/CVE-2020-7039.patch	1970-01-01 01:00:00.000000000 +0100
+++ slirp-1.0.17/debian/patches/CVE-2020-7039.patch	2020-12-18 11:59:58.000000000 +0100
@@ -0,0 +1,113 @@
+Description: CVE-2020-7039 fix
+ .
+ tcp_emu: Fix oob access
+ https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
+ The main loop only checks for one available byte, while we sometimes need two bytes.
+ .
+ slirp: use correct size while emulating IRC commands 
+ https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
+ While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+ 'm->m_size' to write DCC commands via snprintf(3). This may
+ lead to OOB write access, because 'bptr' points somewhere in
+ the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+ size to avoid OOB access.
+ Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+ Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+ Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+ .
+ slirp: use correct size while emulating commands 
+ https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
+ While emulating services in tcp_emu(), it uses 'mbuf' size
+ 'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+ size to avoid possible OOB access.
+ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+ Signed-off-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+ Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+ .
+Author: Roberto Lumbreras <rover@debian.org>
+
+Index: slirp-1.0.17/src/tcp_subr.c
+===================================================================
+--- slirp-1.0.17.orig/src/tcp_subr.c	2020-01-24 12:02:44.164951544 +0100
++++ slirp-1.0.17/src/tcp_subr.c	2020-01-24 20:04:00.773372684 +0100
+@@ -1015,8 +1015,7 @@
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-            /* SECURITY TODO: Length Check */
+-			m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ 					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
+ 		} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
+@@ -1047,8 +1046,8 @@
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			/* SECURITY TODO: length check */
+-			m->m_len += sprintf(bptr,"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
++			m->m_len += snprintf(bptr, M_FREEROOM(m),
++					    "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ 					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+ 			return 1;
+@@ -1072,7 +1071,7 @@
+ 		}
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = solisten(0, so->so_laddr.s_addr, htons(lport), SS_FACCEPTONCE)) != NULL)
+-			m->m_len = sprintf(m->m_data, "%d", ntohs(so->so_fport))+1;
++			m->m_len = snprintf(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+ 	 case EMU_IRC:
+@@ -1089,8 +1088,7 @@
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			/* SECURITY TODO: length check */
+-			m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC CHAT chat %lu %u%c\n",
+ 			     (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			     ntohs(so->so_fport), 1);
+ 		} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+@@ -1098,7 +1096,7 @@
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += sprintf(bptr, "DCC SEND %s %lu %u %u%c\n",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC SEND %s %lu %u %u%c\n",
+ 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			      ntohs(so->so_fport), n1, 1);
+ 		} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+@@ -1106,8 +1104,7 @@
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			/* SECURITY TODO: length check */
+-			m->m_len += sprintf(bptr, "DCC MOVE %s %lu %u %u%c\n",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC MOVE %s %lu %u %u%c\n",
+ 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			      ntohs(so->so_fport), n1, 1);
+ 		}
+@@ -1193,6 +1190,9 @@
+ 				break;
+ 				
+ 			 case 5: 
++				if (bptr == m->m_data + m->m_len - 1)
++				   return 1; /* We need two bytes */
++
+ 				/*
+ 				 * The difference between versions 1.0 and
+ 				 * 2.0 is here. For future versions of
+@@ -1208,6 +1208,10 @@
+ 				/* This is the field containing the port
+ 				 * number that RA-player is listening to.
+ 				 */
++
++				if (bptr == m->m_data + m->m_len - 1)
++				   return 1; /* We need two bytes */
++
+ 				lport = (((u_char*)bptr)[0] << 8) 
+ 				+ ((u_char *)bptr)[1];
+ 				if (lport < 6970)      
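Review bot: The DEP-3 header of the new patch file has GitLab page text pasted into its attribution trailers — `Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>`, `Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>` and `Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>` — so the "default avatar" / "'s avatar" fragments should be dropped (`Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>` and likewise for the other two), and the two `slirp: use correct size ...` title lines carry trailing whitespace. Separately, every `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` line in the tcp_subr.c hunks adds snprintf's would-be length, which on truncation exceeds the room that was actually available, so after this patch alone m_len can still extend past the mbuf; the accompanying CVE-2020-8608.patch replaces these calls with slirp_fmt, which means the order of the two entries in debian/patches/series is load-bearing and deserves one sentence in this header's Description (e.g. "must be followed by CVE-2020-8608.patch, which bounds the snprintf return values"). The upstream commit URLs are given in the Description only; an `Origin:` field pointing at them would let tooling track the backport. The enclosing tcp_emu() body starts and ends outside every hunk of the embedded patch.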
diff -Nru slirp-1.0.17/debian/patches/CVE-2020-8608.patch slirp-1.0.17/debian/patches/CVE-2020-8608.patch
--- slirp-1.0.17/debian/patches/CVE-2020-8608.patch	1970-01-01 01:00:00.000000000 +0100
+++ slirp-1.0.17/debian/patches/CVE-2020-8608.patch	2020-12-18 14:56:21.000000000 +0100
@@ -0,0 +1,149 @@
+--- slirp-1.0.17.orig/src/misc.c
++++ slirp-1.0.17/src/misc.c
+@@ -8,6 +8,7 @@
+ #define WANT_SYS_IOCTL_H
+ #include <slirp.h>
+ #include <assert.h>
++#include "debug.h"
+ 
+ u_int curtime, time_fasttimo, last_slowtimo, detach_time;
+ u_int detach_wait = 600000;	/* 10 minutes */
+@@ -1014,9 +1015,64 @@ char *s2;
+     return ptr;
+ }
+ 
++static int slirp_vsnprintf(char *str, size_t size,
++                           const char *format, va_list args)
++{
++    int rv = vsnprintf(str, size, format, args);
++
++    if (rv < 0) {
++        DEBUG_ERROR(("vsnprintf() failed: %s", strerror(errno)));
++    }
++
++    return rv;
++}
++
++/*
++ * A snprintf()-like function that:
++ * - returns the number of bytes written (excluding optional \0-ending)
++ * - dies on error
++ * - warn on truncation
++ */
++int slirp_fmt(char *str, size_t size, const char *format, ...)
++{
++    va_list args;
++    int rv;
+ 
++    va_start(args, format);
++    rv = slirp_vsnprintf(str, size, format, args);
++    va_end(args);
+ 
++    if (rv > size) {
++        DEBUG_ERROR((dfd, "vsnprintf() truncation"));
++    }
+ 
++    return MIN(rv, size);
++}
+ 
++/*
++ * A snprintf()-like function that:
++ * - always \0-end (unless size == 0)
++ * - returns the number of bytes actually written, including \0 ending
++ * - dies on error
++ * - warn on truncation
++ */
++int slirp_fmt0(char *str, size_t size, const char *format, ...)
++{
++    va_list args;
++    int rv;
+ 
++    va_start(args, format);
++    rv = slirp_vsnprintf(str, size, format, args);
++    va_end(args);
++
++    if (rv >= size) {
++        DEBUG_ERROR((dfd, "vsnprintf() truncation"));
++        if (size > 0)
++            str[size - 1] = '\0';
++        rv = size;
++    } else {
++        rv += 1; /* include \0 */
++    }
+ 
++    return rv;
++}
+--- slirp-1.0.17.orig/src/misc.h
++++ slirp-1.0.17/src/misc.h
+@@ -29,6 +29,9 @@ char *strdup _P((const char *));
+ 
+ void do_wait _P((int));
+ 
++int slirp_fmt(char *str, size_t size, const char *format, ...);
++int slirp_fmt0(char *str, size_t size, const char *format, ...);
++
+ #define EMU_NONE 0x0
+ 
+ /* TCP emulations */
+--- slirp-1.0.17.orig/src/tcp_subr.c
++++ slirp-1.0.17/src/tcp_subr.c
+@@ -1015,8 +1015,8 @@ do_prompt:
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+-					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
++			m->m_len += slirp_fmt(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s",
++					      n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
+ 		} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
+ 			/*
+@@ -1046,9 +1046,9 @@ do_prompt:
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m),
+-					    "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+-					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
++			m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++					      "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
++					      n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+ 			return 1;
+ 		}
+@@ -1071,7 +1071,7 @@ do_prompt:
+ 		}
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = solisten(0, so->so_laddr.s_addr, htons(lport), SS_FACCEPTONCE)) != NULL)
+-			m->m_len = snprintf(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;
++			m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+ 	 case EMU_IRC:
+@@ -1088,7 +1088,7 @@ do_prompt:
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC CHAT chat %lu %u%c\n",
++			m->m_len += slirp_fmt(bptr, M_FREEROOM(m), "DCC CHAT chat %lu %u%c\n",
+ 			     (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			     ntohs(so->so_fport), 1);
+ 		} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+@@ -1096,7 +1096,7 @@ do_prompt:
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC SEND %s %lu %u %u%c\n",
++			m->m_len += slirp_fmt(bptr, M_FREEROOM(m), "DCC SEND %s %lu %u %u%c\n",
+ 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			      ntohs(so->so_fport), n1, 1);
+ 		} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+@@ -1104,7 +1104,7 @@ do_prompt:
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC MOVE %s %lu %u %u%c\n",
++			m->m_len += slirp_fmt(bptr, M_FREEROOM(m), "DCC MOVE %s %lu %u %u%c\n",
+ 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			      ntohs(so->so_fport), n1, 1);
+ 		}
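Review bot: The `+ 1` kept on the `m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;` line in the tcp_subr.c hunk double-counts the terminator, because the comment on slirp_fmt0 in the misc.c hunk states that its return value already includes the `\0` ending; m_len then covers one byte beyond the written string, so the line should read `m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport));`. In slirp_vsnprintf the `DEBUG_ERROR(("vsnprintf() failed: %s", strerror(errno)));` call omits the `dfd` stream that the two DEBUG_ERROR calls in slirp_fmt and slirp_fmt0 pass as their first element; if the macro forwards its argument to fprintf as those two calls suggest, this one will not compile in a DEBUG build, so it should read `DEBUG_ERROR((dfd, "vsnprintf() failed: %s", strerror(errno)));`. The header comments promise that both helpers "die on error", but this backport only logs and returns vsnprintf's negative rv, and the following `rv > size` / `rv >= size` comparisons are int-against-size_t, so a negative rv lands in the truncation branch and, through `MIN(rv, size)` or the `rv = size` assignment, is returned to the caller as size; either abort there as the comment says, or reword the comment to state that a failed vsnprintf is reported as a full-size write. tcp_emu() and its enclosing switch start and end outside the hunk.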
diff -Nru slirp-1.0.17/debian/patches/series slirp-1.0.17/debian/patches/series
--- slirp-1.0.17/debian/patches/series	2012-08-16 11:26:11.000000000 +0200
+++ slirp-1.0.17/debian/patches/series	2020-12-18 14:56:36.000000000 +0100
@@ -9,3 +9,6 @@
 009-i-hate-perl.patch
 010-fullbolt-fix.patch
 011-sizeof_ipv4.patch
+
+CVE-2020-7039.patch
+CVE-2020-8608.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
