Re: Update for buster slirp4netns CVE-2019-9824
Copying the debian-release mailing list, hope that's OK with everyone.
On 8/24/19 6:05 AM, Moritz Mühlenhoff wrote:
> On Sun, Aug 11, 2019 at 09:10:52PM +0200, Salvatore Bonaccorso wrote:
>> Hi Reinhard,
>>
>> Apologies it took that long to come back to you in the first place.
>>
>> On Wed, Aug 07, 2019 at 06:13:08PM -0400, Reinhard Tartler wrote:
>>> Hi Security Team,
>>>
>>> I have not received an answer to my question below. Any chance you
>>> could get back to me on that?
>>
>> Unless I severely misunderstand something, slirp4netns is useful for
>> instance for networking with unprivileged containers and it needs user
>> namespaces to be enabled.
>>
>> By default those are for good reasons disabled in Debian, as well in
>> buster.
>>
>> As such I would have said it would be enough to fix this issue for the
>> upcoming point release on 7th September (so there is still enough time
>> to prepare updates).
>>
>> Can we route you towards the point release for it? It would though be
>> good to as well include the fix for the new CVE-2019-14378
>> (#933742). A prerequisite though for it to get accepted for
>> stable is that the fix is first in unstable as well.
>
> Agreed, enabling unprivileged user namespaces is not fully supported
> by security support and Debian explicitly disables them by default
> as it causes a ton of security issues in the Linux kernel (which
> are often still fixed, but e.g. no DSAs are being released for such
> issues).
>
> As such, can you fix slirp4netns by the 10.1 buster point release?
>
Done, I've just uploaded 0.2.3 to buster, fixing two CVEs:
Changes:
slirp4netns (0.2.3-1) buster; urgency=medium
.
* New upstream releases:
- 0.2.2: check sscanf result when emulating ident, CVE-2019-9824
- 0.2.3: Fixes heap overflow in included libslirp, Closes: #933742,
CVE-2019-14378
Checksums-Sha1:
459c12f439d0f2ba629d1ad5791ca49041931709 2087 slirp4netns_0.2.3-1.dsc
befcd9e2f1b1fbf8b51ccac4b83536e22af12003 136459 slirp4netns_0.2.3.orig.tar.gz
370b1cf92bf21491038fc08f9d4fa3fcba432878 3968 slirp4netns_0.2.3-1.debian.tar.xz
Best,
-rt