
Re: Update for buster slirp4netns CVE-2019-9824



Copying the debian-release mailing list, hope that's OK with everyone.

On 8/24/19 6:05 AM, Moritz Mühlenhoff wrote:
> On Sun, Aug 11, 2019 at 09:10:52PM +0200, Salvatore Bonaccorso wrote:
>> Hi Reinhard,
>>
>> Apologies it took that long to come back to you in the first place.
>>
>> On Wed, Aug 07, 2019 at 06:13:08PM -0400, Reinhard Tartler wrote:
>>> Hi Security Team,
>>>
>>> I have not received an answer to my question below. Any chance you
>>> could get back to me on that?
>>
>> Unless I severely misunderstand something, slirp4netns is useful for
>> instance for networking with unprivileged containers and it needs user
>> namespaces to be enabled.
>>
>> By default those are for good reasons disabled in Debian, as well as in
>> buster.
>>
>> As such I would have said it would be enough to fix this issue for the
>> upcoming point release on 7th September (so there is still enough time
>> to prepare updates).
>>
>> Can we route you towards the point release for it? It would though be
>> good to include the fix for the new CVE-2019-14378 (#933742) as well.
>> A prerequisite though for it getting accepted for stable is that the
>> fix is first in unstable.
> 
> Agreed, enabling unprivileged user namespaces is not fully supported
> by security support and Debian explicitly disables them by default
> as it causes a ton of security issues in the Linux kernel (which
> are often still fixed, but e.g. no DSAs are being released for such
> issues).
> 
> As such, can you fix slirp4netns by the 10.1 buster point release?
> 

Done, I've just uploaded 0.2.3 to buster, fixing two CVEs:

Changes:
 slirp4netns (0.2.3-1) buster; urgency=medium
 .
   * New upstream releases:
     - 0.2.2: check sscanf result when emulating ident, CVE-2019-9824
     - 0.2.3: Fixes heap overflow in included libslirp, Closes: #933742,
       CVE-2019-14378
Checksums-Sha1:
 459c12f439d0f2ba629d1ad5791ca49041931709 2087 slirp4netns_0.2.3-1.dsc
 befcd9e2f1b1fbf8b51ccac4b83536e22af12003 136459 slirp4netns_0.2.3.orig.tar.gz
 370b1cf92bf21491038fc08f9d4fa3fcba432878 3968 slirp4netns_0.2.3-1.debian.tar.xz


Best,
-rt

