diff -Nru slirp-1.0.17/debian/changelog slirp-1.0.17/debian/changelog
--- slirp-1.0.17/debian/changelog	2012-08-16 11:58:21.000000000 +0200
+++ slirp-1.0.17/debian/changelog	2020-01-25 23:27:43.000000000 +0100
@@ -1,3 +1,9 @@
+slirp (1:1.0.17-7+deb8u1) jessie-security; urgency=high
+
+  * Fix for CVE-2020-7039 (Closes: #949085)
+
+ -- Roberto Lumbreras <rover@debian.org>  Sat, 25 Jan 2020 23:27:43 +0100
+
 slirp (1:1.0.17-7) unstable; urgency=low
 
   * Fix IPCP negotiation fails for 64-bit hosts (Closes: #685056)
diff -Nru slirp-1.0.17/debian/patches/014_CVE-2020-7039.patch slirp-1.0.17/debian/patches/014_CVE-2020-7039.patch
--- slirp-1.0.17/debian/patches/014_CVE-2020-7039.patch	1970-01-01 01:00:00.000000000 +0100
+++ slirp-1.0.17/debian/patches/014_CVE-2020-7039.patch	2020-01-25 23:27:43.000000000 +0100
@@ -0,0 +1,113 @@
+Description: CVE-2020-7039 fix
+ .
+ tcp_emu: Fix oob access
+ https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
+ The main loop only checks for one available byte, while we sometimes need two bytes.
+ .
+ slirp: use correct size while emulating IRC commands 
+ https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
+ While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+ 'm->m_size' to write DCC commands via snprintf(3). This may
+ lead to OOB write access, because 'bptr' points somewhere in
+ the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+ size to avoid OOB access.
+ Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+ Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+ Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+ .
+ slirp: use correct size while emulating commands 
+ https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
+ While emulating services in tcp_emu(), it uses 'mbuf' size
+ 'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+ size to avoid possible OOB access.
+ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+ Signed-off-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+ Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+ .
+Author: Roberto Lumbreras <rover@debian.org>
+
+Index: slirp-1.0.17/src/tcp_subr.c
+===================================================================
+--- slirp-1.0.17.orig/src/tcp_subr.c	2020-01-24 12:02:44.164951544 +0100
++++ slirp-1.0.17/src/tcp_subr.c	2020-01-24 20:04:00.773372684 +0100
+@@ -1015,8 +1015,7 @@
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-            /* SECURITY TODO: Length Check */
+-			m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ 					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
+ 		} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
+@@ -1047,8 +1046,8 @@
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			/* SECURITY TODO: length check */
+-			m->m_len += sprintf(bptr,"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
++			m->m_len += snprintf(bptr, M_FREEROOM(m),
++					    "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ 					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+ 			return 1;
+@@ -1072,7 +1071,7 @@
+ 		}
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = solisten(0, so->so_laddr.s_addr, htons(lport), SS_FACCEPTONCE)) != NULL)
+-			m->m_len = sprintf(m->m_data, "%d", ntohs(so->so_fport))+1;
++			m->m_len = snprintf(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+ 	 case EMU_IRC:
+@@ -1089,8 +1088,7 @@
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			/* SECURITY TODO: length check */
+-			m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC CHAT chat %lu %u%c\n",
+ 			     (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			     ntohs(so->so_fport), 1);
+ 		} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+@@ -1098,7 +1096,7 @@
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += sprintf(bptr, "DCC SEND %s %lu %u %u%c\n",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC SEND %s %lu %u %u%c\n",
+ 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			      ntohs(so->so_fport), n1, 1);
+ 		} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+@@ -1106,8 +1104,7 @@
+ 				return 1;
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			/* SECURITY TODO: length check */
+-			m->m_len += sprintf(bptr, "DCC MOVE %s %lu %u %u%c\n",
++			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC MOVE %s %lu %u %u%c\n",
+ 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
+ 			      ntohs(so->so_fport), n1, 1);
+ 		}
+@@ -1193,6 +1190,9 @@
+ 				break;
+ 				
+ 			 case 5: 
++				if (bptr == m->m_data + m->m_len - 1)
++				   return 1; /* We need two bytes */
++
+ 				/*
+ 				 * The difference between versions 1.0 and
+ 				 * 2.0 is here. For future versions of
+@@ -1208,6 +1208,10 @@
+ 				/* This is the field containing the port
+ 				 * number that RA-player is listening to.
+ 				 */
++
++				if (bptr == m->m_data + m->m_len - 1)
++				   return 1; /* We need two bytes */
++
+ 				lport = (((u_char*)bptr)[0] << 8) 
+ 				+ ((u_char *)bptr)[1];
+ 				if (lport < 6970)      
diff -Nru slirp-1.0.17/debian/patches/series slirp-1.0.17/debian/patches/series
--- slirp-1.0.17/debian/patches/series	2012-08-16 11:26:11.000000000 +0200
+++ slirp-1.0.17/debian/patches/series	2020-01-25 23:27:43.000000000 +0100
@@ -9,3 +9,4 @@
 009-i-hate-perl.patch
 010-fullbolt-fix.patch
 011-sizeof_ipv4.patch
+014_CVE-2020-7039.patch