commit:     d30c6855d7a1a594e6259685a4dc22e1bb6acf93
Author:     Zac Medico <zmedico <AT> gentoo <DOT> org>
AuthorDate: Thu Nov 26 20:50:17 2020 +0000
Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
CommitDate: Thu Nov 26 20:52:42 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d30c6855

net-libs/libslirp: Revbump to 4.3.1-r1

Fixes CVE-2020-29129 and CVE-2020-29130.

Bug: https://bugs.gentoo.org/756910
Package-Manager: Portage-3.0.10, Repoman-3.0.2
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>

 .../libslirp-4.3.1-bug-756910-check-pkt_len.patch  | 48 ++++++++++++++++++++++
 net-libs/libslirp/libslirp-4.3.1-r1.ebuild         | 39 ++++++++++++++++++
 2 files changed, 87 insertions(+)

diff --git 
a/net-libs/libslirp/files/libslirp-4.3.1-bug-756910-check-pkt_len.patch 
b/net-libs/libslirp/files/libslirp-4.3.1-bug-756910-check-pkt_len.patch
new file mode 100644
index 00000000000..aef7f19ba13
--- /dev/null
+++ b/net-libs/libslirp/files/libslirp-4.3.1-bug-756910-check-pkt_len.patch
@@ -0,0 +1,48 @@
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Thu, 26 Nov 2020 13:57:06 +0000
+Subject: [PATCH] slirp: check pkt_len before reading protocol header
+
+While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
+routines, ensure that pkt_len is large enough to accommodate the
+respective protocol headers, lest it should do an OOB access.
+Add check to avoid it.
+
+Reported-by: Qiuhao Li @outlook.com;
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+---
+ src/ncsi.c  | 4 ++++
+ src/slirp.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/ncsi.c b/src/ncsi.c
+index 3c1dfef..75dcc08 100644
+--- a/src/ncsi.c
++++ b/src/ncsi.c
+@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int 
pkt_len)
+     uint32_t checksum;
+     uint32_t *pchecksum;
+ 
++    if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
++        return; /* packet too short */
++    }
++
+     memset(ncsi_reply, 0, sizeof(ncsi_reply));
+ 
+     memset(reh->h_dest, 0xff, ETH_ALEN);
+diff --git a/src/slirp.c b/src/slirp.c
+index 9bead0c..abb6f9a 100644
+--- a/src/slirp.c
++++ b/src/slirp.c
+@@ -860,6 +860,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, 
int pkt_len)
+         return;
+     }
+ 
++    if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
++        return; /* packet too short */
++    }
++
+     ar_op = ntohs(ah->ar_op);
+     switch (ar_op) {
+     case ARPOP_REQUEST:
+-- 
+2.28.0
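Review bot: The added length checks in both `ncsi_input` and `arp_input` compare the signed `int pkt_len` against an expression of type `size_t`, so `pkt_len` is converted to unsigned first and a negative value would pass the guard as a very large length. Whether any caller can hand in a negative length is not visible in these hunks, but the check would be self-contained as `if (pkt_len < 0 || (size_t)pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {`, and likewise with `struct slirp_arphdr` in `arp_input`. Both function bodies continue outside the embedded hunks, so reads past the fixed-size header (for example a type-specific NCSI payload) cannot be judged from here and may need their own length checks.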

diff --git a/net-libs/libslirp/libslirp-4.3.1-r1.ebuild 
b/net-libs/libslirp/libslirp-4.3.1-r1.ebuild
new file mode 100644
index 00000000000..90da793ff23
--- /dev/null
+++ b/net-libs/libslirp/libslirp-4.3.1-r1.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit meson
+
+KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86"
+MY_P="${PN}-v${PV}"
+SRC_URI="https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v${PV}/${MY_P}.tar.gz
 -> ${P}.tar.gz"
+DESCRIPTION="A general purpose TCP-IP emulator used by virtual machine 
hypervisors to provide virtual networking services."
+HOMEPAGE="https://gitlab.freedesktop.org/slirp/libslirp";
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="static-libs"
+
+RDEPEND="dev-libs/glib:="
+
+DEPEND="${RDEPEND}"
+
+S=${WORKDIR}/${MY_P}
+
+PATCHES=(
+       "${FILESDIR}/libslirp-4.3.1-bug-756910-check-pkt_len.patch"
+)
+
+src_prepare() {
+       default
+       echo "${PV}" > .tarball-version || die
+       echo -e "#!${BASH}\necho -n \$(cat '${S}/.tarball-version')" > 
build-aux/git-version-gen || die
+}
+
+src_configure() {
+       local emesonargs=(
+               -Ddefault_library=$(usex static-libs both shared)
+       )
+       meson_src_configure
+}
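Review bot: The `PATCHES` entry has no comment tying it to the security fix, so a later bump has nothing in the ebuild that says why the patch is there or when it can be dropped. A line above the array such as `# Bug 756910: CVE-2020-29129, CVE-2020-29130; drop once a release ships the pkt_len checks` would keep that context next to the code. The bundled patch header also names no upstream commit or merge request, which makes it harder to confirm that the copy under `files/` matches what upstream applied.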
