Bug#977895: buster-pu: package slirp/1:1.0.17-8

2021-01-19 Thread Thorsten Alteholz




On Thu, 31 Dec 2020, Adam D. Barratt wrote:

> Please go ahead.


The package is uploaded now.

  Thorsten



Bug#977895: buster-pu: package slirp/1:1.0.17-8

2020-12-31 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2020-12-22 at 13:31 +, Thorsten Alteholz wrote:
> The attached debdiff for slirp fixes CVE-2020-8608 and CVE-2020-7039
> in  Buster.
> 
> Both are marked as no-dsa by the security team.
> 

Please go ahead.

Regards,

Adam



Bug#977895: buster-pu: package slirp/1:1.0.17-8

2020-12-22 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

The attached debdiff for slirp fixes CVE-2020-8608 and CVE-2020-7039 in 
Buster.


Both are marked as no-dsa by the security team.

After upload of DLA-2076-1 and DLA-2142-1 to Jessie-LTS no one complained 
about something broken.


  Thorsten

diff -Nru slirp-1.0.17/debian/changelog slirp-1.0.17/debian/changelog
--- slirp-1.0.17/debian/changelog   2015-06-25 17:03:50.0 +0200
+++ slirp-1.0.17/debian/changelog   2020-12-21 20:03:02.0 +0100
@@ -1,3 +1,15 @@
+slirp (1:1.0.17-8+deb10u1) buster; urgency=high
+
+  * CVE-2020-7039
+Due to mismanagement of memory, a heap-based buffer overflow or
+other out-of-bounds access might happen, which can lead to a DoS
+or potential execute arbitrary code.
+  * CVE-2020-8608
+Prevent a buffer overflow vulnerability due to incorrect usage
+of return values from snprintf.
+
+ -- Thorsten Alteholz   Mon, 21 Dec 2020 20:03:02 +0100
+
 slirp (1:1.0.17-8) unstable; urgency=low
 
   * Fix FTBFS with GCC 5.0 (Closes: #778124)
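Review bot: the CVE-2020-7039 entry reads "which can lead to a DoS or potential execute arbitrary code"; "or potentially to arbitrary code execution" is the intended wording. Since this changelog is what apt-listchanges shows to users, it would also help to say where the bug lives (the tcp_emu() service emulation in src/tcp_subr.c, as the patch description states) and, for CVE-2020-8608, that the fix concerns the snprintf() return values at those same call sites, rather than describing each CVE only in the abstract.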
diff -Nru slirp-1.0.17/debian/patches/CVE-2020-7039.patch 
slirp-1.0.17/debian/patches/CVE-2020-7039.patch
--- slirp-1.0.17/debian/patches/CVE-2020-7039.patch 1970-01-01 
01:00:00.0 +0100
+++ slirp-1.0.17/debian/patches/CVE-2020-7039.patch 2020-12-18 
11:59:58.0 +0100
@@ -0,0 +1,113 @@
+Description: CVE-2020-7039 fix
+ .
+ tcp_emu: Fix oob access
+ 
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
+ The main loop only checks for one available byte, while we sometimes need two 
bytes.
+ .
+ slirp: use correct size while emulating IRC commands 
+ 
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
+ While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+ 'm->m_size' to write DCC commands via snprintf(3). This may
+ lead to OOB write access, because 'bptr' points somewhere in
+ the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+ size to avoid OOB access.
+ Reported-by: default avatarVishnu Dev TJ 
+ Signed-off-by: default avatarPrasad J Pandit 
+ Reviewed-by: Samuel Thibault's avatarSamuel Thibault 

+ Message-Id: <20200109094228.79764-2-ppan...@redhat.com>
+ .
+ slirp: use correct size while emulating commands 
+ 
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
+ While emulating services in tcp_emu(), it uses 'mbuf' size
+ 'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+ size to avoid possible OOB access.
+ Signed-off-by: default avatarPrasad J Pandit 
+ Signed-off-by: Samuel Thibault's avatarSamuel Thibault 

+ Message-Id: <20200109094228.79764-3-ppan...@redhat.com>
+ .
+Author: Roberto Lumbreras 
+
+Index: slirp-1.0.17/src/tcp_subr.c
+===
+--- slirp-1.0.17.orig/src/tcp_subr.c   2020-01-24 12:02:44.164951544 +0100
 slirp-1.0.17/src/tcp_subr.c2020-01-24 20:04:00.773372684 +0100
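Review bot: the Reported-by, Signed-off-by and Reviewed-by trailers in the Description carry residue from the GitLab commit pages ("default avatar", "Samuel Thibault's avatar") that was pasted along with the names; the trailers should read "Reported-by: Vishnu Dev TJ" and so on. For DEP-3 the three upstream commit URLs would also be better placed in Origin: fields (one per backported commit) than inline in the Description, so the provenance of the backport is machine-readable; Author: naming the Debian backporter is fine once Origin: carries the upstream references.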
+@@ -1015,8 +1015,7 @@
+   n4 =  (laddr & 0xff);
+ 
+   m->m_len = bptr - m->m_data; /* Adjust length */
+-/* SECURITY TODO: Length Check */
+-  m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s",
++  m->m_len += snprintf(bptr, M_FREEROOM(m), "ORT 
%d,%d,%d,%d,%d,%d\r\n%s",
+   n1, n2, n3, n4, n5, n6, 
x==7?buff:"");
+   return 1;
+   } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != 
NULL) {
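Review bot: the snprintf() return value is added to m->m_len without being compared against M_FREEROOM(m). snprintf returns the length the output would have had, not the number of bytes actually stored, so if the "ORT %d,..." line plus buff does not fit in M_FREEROOM(m) the write itself is now bounded but m_len advances past the end of the mbuf, and code that later trusts m_len still reads or transmits out of bounds. That is precisely the "incorrect usage of return values from snprintf" the changelog lists as CVE-2020-8608, so please confirm that the CVE-2020-8608 patch in this debdiff clamps the result at this call site as well (for example, treat a return value >= M_FREEROOM(m) as failure and leave m_len unchanged), because the hunk as shown leaves it unchecked.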
+@@ -1047,8 +1046,8 @@
+   n4 =  (laddr & 0xff);
+ 
+   m->m_len = bptr - m->m_data; /* Adjust length */
+-  /* SECURITY TODO: length check */
+-  m->m_len += sprintf(bptr,"27 Entering Passive Mode 
(%d,%d,%d,%d,%d,%d)\r\n%s",
++  m->m_len += snprintf(bptr, M_FREEROOM(m),
++  "27 Entering Passive Mode 
(%d,%d,%d,%d,%d,%d)\r\n%s",
+   n1, n2, n3, n4, n5, n6, 
x==7?buff:"");
+ 
+   return 1;
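Review bot: same pattern as the "ORT" hunk: the return value of snprintf(bptr, M_FREEROOM(m), ...) is added to m->m_len unchecked, so a truncated "27 Entering Passive Mode" line leaves m_len larger than the data actually in the mbuf. Either clamp it here or make sure the CVE-2020-8608 patch in this upload covers this call site too; the two FTP sites should end up with the same check.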
+@@ -1072,7 +1071,7 @@
+   }
+   if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+   (so = solisten(0, so->so_laddr.s_addr, htons(lport), 
SS_FACCEPTONCE)) != NULL)
+-  m->m_len = sprintf(m->m_data, "%d", 
ntohs(so->so_fport))+1;
++  m->m_len = snprintf(m->m_data, M_ROOM(m), "%d", 
ntohs(so->so_fport)) + 1;
+   return 1;
+ 
+case EMU_IRC:
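Review bot: using M_ROOM(m) rather than M_FREEROOM(m) here looks right, since this write starts at m->m_data instead of at bptr, but "m->m_len = snprintf(...) + 1" still trusts the return value: on truncation snprintf returns the untruncated length and m_len would exceed M_ROOM(m). The "+ 1" keeps the NUL terminator that the preceding "m->m_data[m->m_len-1] == '\0'" test depends on, so any clamp must leave room for it; a return value >= M_ROOM(m) means the port did not fit and the packet should be dropped rather than forwarded with an oversized m_len. In practice a 16-bit port formatted with %d needs at most six bytes, so truncation is theoretical at this site, but a uniform check across the three call sites is what closes CVE-2020-8608 cleanly.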
+@@ -1089,8 +1088,7 @@
+   return 1;
+ 
+   m->m_len = bptr - m->m_data; /* Adjust length */
+-  /* SECURITY TODO: length check */
+-  m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n",
+