Bug 29219 - libslirp new security issues CVE-2021-359[2-5]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-07-04 21:07 CEST by David Walser
Modified: 2021-10-20 23:29 CEST

See Also:
Source RPM: libslirp-4.4.0-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-07-04 21:07:21 CEST
Fedora has issued an advisory today (July 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SGPQZFVJCFGDSISFXPCQTTBBD7QZLJKI/

The issues are fixed upstream in 4.6.0.

Mageia 8 is also affected.
David Walser 2021-07-04 21:08:09 CEST

CC: (none) => geiger.david68210, mageia
Status comment: (none) => Fixed upstream in 4.6.0
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-07-05 20:43:37 CEST
This SRPM has been committed by various people, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-07-06 09:39:10 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3593)

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3594)

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3595)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3595
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SGPQZFVJCFGDSISFXPCQTTBBD7QZLJKI/
========================

Updated packages in core/updates_testing:
========================
lib(64)slirp-devel-4.4.0-1.1.mga8
lib(64)slirp0-4.4.0-1.1.mga8

from SRPM:
libslirp-4.4.0-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 4.6.0 => (none)
Assignee: pkg-bugs => qa-bugs
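
The four CVEs in the advisory above share one root cause: a UDP datagram shorter than the structure it is parsed as. The following C example is added here for illustration and is not libslirp's code or part of the bug report; it contrasts an unchecked header read with a length-checked one. The names `pkt_buf`, `pkt_view` and `udp_payload_len` are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a received datagram; not a libslirp type. */
struct pkt_buf {
    const uint8_t *data;   /* bytes that actually arrived */
    size_t len;            /* how many of them are valid */
};

#define UDP_HDR_LEN 8u     /* src port, dst port, length, checksum */

static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }

/* Unchecked pattern, kept for contrast: reads the length field at offset 4
 * whatever p->len is, so a short datagram yields bytes it never carried. */
uint16_t udp_len_unchecked(const struct pkt_buf *p) { return be16(p->data + 4); }

/* Checked accessor: the first `need` bytes, or NULL if the datagram is too
 * short to contain them. Works for any fixed-size header. */
const uint8_t *pkt_view(const struct pkt_buf *p, size_t need)
{
    if (p == NULL || p->data == NULL || p->len < need)
        return NULL;
    return p->data;
}

/* UDP payload length, or -1 if the datagram must be dropped. */
long udp_payload_len(const struct pkt_buf *p)
{
    const uint8_t *h = pkt_view(p, UDP_HDR_LEN);
    if (h == NULL)
        return -1;                 /* shorter than the header */
    uint16_t ulen = be16(h + 4);
    if (ulen < UDP_HDR_LEN || ulen > p->len)
        return -1;                 /* length field contradicts the buffer */
    return (long)ulen - (long)UDP_HDR_LEN;
}

int main(void)
{
    /* Constructed sample: ports 68 -> 67, length 12, 4 payload bytes. */
    const uint8_t d[12] = {0, 68, 0, 67, 0, 12, 0, 0, 1, 2, 3, 4};
    struct pkt_buf full = {d, sizeof d}, truncated = {d, 5};
    printf("full: %ld, truncated: %ld\n",
           udp_payload_len(&full), udp_payload_len(&truncated));
    return 0;
}
```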

Comment 3 Herman Viaene 2021-07-26 15:34:04 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues
No previous updates shown so
# urpmq --whatrequires lib64slirp0
lib64slirp0
qemu-system-aarch64-core
qemu-system-alpha-core
qemu-system-arm-core
and more of those packages
slirp4netns.
Looked at the last one in https://github.com/rootless-containers/slirp4netns and it looks like all I need to upset my wifi connection. Leaving for others.....

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-10-16 23:19:35 CEST
Tried on the ML to get a qemu user to test this, with no response, so I decided to take the plunge and try to learn to use qemu myself, with mixed success.

Installed virt-manager, which drew in a number of qemu packages, and lib64slirp0. Managed to create a basic Mageia 8 VM which did boot up. However, while the VM said the Internet connection was active, it wasn't communicating with the host wifi connection the way VirtualBox does. Perhaps a wired connection would have worked better.

Moving on, using qarepo, I updated lib64slirp0 with no issues. Running the VM again, there was no change. Other than the Internet not properly connecting, everything else worked OK.

This update has been sitting here for over 2 months. We have two clean installs, and an incompetent qemu user seeing no changes, so at least it doesn't seem to have broken anything. I'm going to send it on its way.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2021-10-20 21:35:12 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-10-20 23:29:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0480.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

