[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
Override component to main
libslirp 4.1.0-2 in focal: universe/misc -> main
libslirp-dev 4.1.0-2 in focal amd64: universe/libdevel/optional/100% -> main
libslirp-dev 4.1.0-2 in focal arm64: universe/libdevel/optional/100% -> main
libslirp-dev 4.1.0-2 in focal armhf: universe/libdevel/optional/100% -> main
libslirp-dev 4.1.0-2 in focal ppc64el: universe/libdevel/optional/100% -> main
libslirp-dev 4.1.0-2 in focal s390x: universe/libdevel/optional/100% -> main
libslirp0 4.1.0-2 in focal amd64: universe/libs/optional/100% -> main
libslirp0 4.1.0-2 in focal arm64: universe/libs/optional/100% -> main
libslirp0 4.1.0-2 in focal armhf: universe/libs/optional/100% -> main
libslirp0 4.1.0-2 in focal ppc64el: universe/libs/optional/100% -> main
libslirp0 4.1.0-2 in focal s390x: universe/libs/optional/100% -> main
11 publications overridden.

** Changed in: libslirp (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854404

Title:
  [MIR] libslirp (as it was part of QEMU)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libslirp/+bug/1854404/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
Now showing up in component mismatch due to new qemu, ready for promotion by AA
[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
Subscribed Archive Admins to be aware - correctly linked in https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.html
[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
ubuntu-server is now subscribed
[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
Thanks Alex, so this is ready once qemu 4.2 lands to promote libslirp then.
I'll ask Josh to subscribe us right away today so we can stay on top of known issues.

Setting "in progress" reflecting that this is ok to be promoted and waits for the change that pulls it in.

** Changed in: libslirp (Ubuntu)
   Importance: Undecided => Medium

** Changed in: libslirp (Ubuntu)
       Status: New => In Progress
[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
@paelzer - ACK - thanks for the heads up - I've retriaged those two CVEs in our tracker to mark them against libslirp in focal as well (https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=baaf4d0b4e11b494ec6439344c31d17d88cd57aa)

** Changed in: libslirp (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
[Summary]
- MIR Team ack
- Info: this will be pulled into main on the merge of qemu 4.2
@Server Team - none of the minor issues is critical (e.g. d/copyright, fine to let Debian sort that out, no delta needed)
@Security - I'm not requesting a review (done in the past as part of qemu), just an ack that from now on have this on your usual security-issue-monitoring

[Duplication]
- The code was in qemu but now is split, no duplication.

[Embedded sources and static linking]
- No embedded sources

[Security]
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does parse data formats (network traffic from guest)
- There were CVE issues in the past, but after all the individual maintenance of the lib was just one of the reasons to split it so that should be fine
- CVEs were reported above, and it will be continuing to be security critical for guest breakout scenarios
@Security - I'm not requesting a review as you essentially have done that way back when qemu was added. Just an ack from you that you'll from now on have this on your usual security-issue-monitoring would be nice to go on with this.

[Common blockers]
- does not FTBFS currently?
- As mentioned in the bug description it does not have a test suite, but that is just upstream - the slirp4netns tests makes this better than it was as part of qemu
- server team will subscribe
- not user visible (translations)
- no python concerns as no python is in the package

[Packaging red flags]
- no Ubuntu delta
- symbols tracking is in place
- d/watch in place
- updates should be "as qemu" which was fine so far
- current release is packaged
- Lintian warnings exist but are ok
- d/rules is as clean as possible
- no Built-Using

[Upstream red flags]
- no Errors/warnings during the build
- no Incautious use of malloc/sprintf (as it was in qemu)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no user management
- no use of setuid
- no important bugs (crashers, etc) in Debian or Ubuntu
- no Dependency on webkit, qtwebkit, seed or libgoa-*

** Changed in: libslirp (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1854404] Re: [MIR] libslirp (as it was part of QEMU)
** Description changed: [Availability] - TODO: The package must already be in the Ubuntu universe, and must build - for the architectures it is designed to work on. + - Package is already in Ubuntu universe and was added in focal: - TODO: mention which binaries we actually want (if the package builds - more than one). Check the dependency-tree.txt file which binary we - actually need vs the debian/control file in the source + libslirp | 4.0.0-2 | focal/universe | source + libslirp0 | 4.0.0-2 | focal/universe | amd64, arm64, armhf, ppc64el, s390x + + - Source package builds: libslirp0 and libslirp-dev: + + $ dpkg -L libslirp0 + /. + /usr + /usr/lib + /usr/lib/x86_64-linux-gnu + /usr/lib/x86_64-linux-gnu/libslirp.so.0.0.0 + /usr/share + /usr/share/doc + /usr/share/doc/libslirp0 + /usr/share/doc/libslirp0/changelog.Debian.gz + /usr/share/doc/libslirp0/copyright + /usr/lib/x86_64-linux-gnu/libslirp.so.0 + + $ dpkg -L libslirp-dev + /. + /usr + /usr/include + /usr/include/slirp + /usr/include/slirp/libslirp-version.h + /usr/include/slirp/libslirp.h + /usr/lib + /usr/lib/x86_64-linux-gnu + /usr/lib/x86_64-linux-gnu/pkgconfig + /usr/lib/x86_64-linux-gnu/pkgconfig/slirp.pc + /usr/share + /usr/share/doc + /usr/share/doc/libslirp-dev + /usr/share/doc/libslirp-dev/copyright + /usr/lib/x86_64-linux-gnu/libslirp.so + /usr/share/doc/libslirp-dev/changelog.Debian.gz [Rationale] - TODO: check if this code (or older versions of it) was part of mailman2 - already - if it was leave here: This code was formerly part of mailman2 - which is in main, but was split into an extra package and evolved from - there on its own) + The library, whose this package distributes, was part of QEMU, and has + been spinned off just recently: + + commit 7c57bdd820 + Author: Marc-André Lureau + Date: Wed Apr 24 08:00:41 2019 + + build-sys: move slirp as git submodule project + + The slirp project is now hosted on freedesktop at: + https://gitlab.freedesktop.org/slirp. 
+ + The libslirp source was extracted from qemu/slirp filtered through + clang-format (available in project tree). The qemu slirp directory can + be swapped by a git submodule. + + Signed-off-by: Marc-André Lureau + Message-Id: <20190424110041.8175-3-marcandre.lur...@redhat.com> + Signed-off-by: Samuel Thibault + + But it is still used as a dependency for QEMU project (CONFIG_SLIRP), + and that's why it should, IMO, be maintained in [main]. [Security] - TODO: check the security History of the package - - http://people.ubuntu.com/~ubuntu-security/cve/universe.html - - http://cve.mitre.org/cve/cve.html + - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libslirp - shows 2 + CVEs: + + - CVE-2019-15890 - libslirp 4.0.0 has a use-after-free in ip_reass in ip_input.c. + - CVE-2019-14378 - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. + + - both cves were handled by Debian as well: + + - https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html + - https://www.debian.org/security/2019/dsa-4506 [Quality assurance] - The mailman3 stacks as of now (Disco) installs fine and provides a base - config. But due to the nature of the package that needs further modification - to be of real use. + - Both package install fine. libslirp-dev correctly includes the .so + alias to latest libslirp0 .so.0 file. - TODO: The package must not ask debconf questions higher than medium if - it is going to be installed by default. The debconf questions must have - reasonable defaults. + - Packages don't have any debconf questions. - TODO: There are no long-term outstanding bugs which affect the usability - of the program to a major degree. To support a package, we must be - reasonably convinced that upstream supports and cares for the package. 
+ - No long-term outstanding issues: - TODO: The status of important bugs in Debian's, Ubuntu's, and upstream's - bug tracking systems must be evaluated. Important bugs must be pointed - out and discussed in the MIR report. + * There are no bugs in launchpad for libslirp + * There are no bugs in Debian project for libslirp + * There are 3 on-going registered issues upstream: + - To make slirp as a standalone process and not a lib. + - To rewrite slip in rust (some examples given, nothing big) + - Create integration with OSS fuzz project + * Fixes to be merged: - TODO: The package is maintained well in Debian/Ubuntu (check out the - Debian PTS) + - Overall package seems really well maintained, specially by Marc-André + from the QEMU team. - TODO: The package should not deal with exotic hardware which we cannot - support. + - Important bugs: + - https://gitlab.freedesktop.org/slirp/libslirp/merge_requests/20/commits + - we should make sure to include those fixes before feature freeze - TODO: If the package
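Review bot: In the [Security] section, the CVE history comes from a single keyword search for "libslirp", which returns only the two CVEs filed against libslirp 4.0.0; since the [Rationale] says the code was part of QEMU until the April 2019 split, the section should also state whether issues recorded against QEMU's slirp code before the split were checked. In [Quality assurance], "Fixes to be merged:" is left with no entries while the merge request link sits under "Important bugs"; list it in one place and name the fixes it carries so the "before feature freeze" item can be tracked.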