[Bug 1854404] [NEW] [MIR] libslirp (as it was part of QEMU)
Launchpad Bug Tracker
1854404 at bugs.launchpad.net
Sun Feb 2 14:23:18 UTC 2020
You have been subscribed to a public bug by Christian Ehrhardt (paelzer):
[Availability]
- Package is already in Ubuntu universe and was added in focal:
libslirp | 4.0.0-2 | focal/universe | source
libslirp0 | 4.0.0-2 | focal/universe | amd64, arm64, armhf, ppc64el, s390x
- Source package builds: libslirp0 and libslirp-dev:
$ dpkg -L libslirp0
/.
/usr
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/libslirp.so.0.0.0
/usr/share
/usr/share/doc
/usr/share/doc/libslirp0
/usr/share/doc/libslirp0/changelog.Debian.gz
/usr/share/doc/libslirp0/copyright
/usr/lib/x86_64-linux-gnu/libslirp.so.0
$ dpkg -L libslirp-dev
/.
/usr
/usr/include
/usr/include/slirp
/usr/include/slirp/libslirp-version.h
/usr/include/slirp/libslirp.h
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/pkgconfig
/usr/lib/x86_64-linux-gnu/pkgconfig/slirp.pc
/usr/share
/usr/share/doc
/usr/share/doc/libslirp-dev
/usr/share/doc/libslirp-dev/copyright
/usr/lib/x86_64-linux-gnu/libslirp.so
/usr/share/doc/libslirp-dev/changelog.Debian.gz
[Rationale]
The library that this package distributes was part of QEMU, and has
been spun off just recently:

    commit 7c57bdd820
    Author: Marc-André Lureau <marcandre.lureau at redhat.com>
    Date: Wed Apr 24 08:00:41 2019

        build-sys: move slirp as git submodule project

        The slirp project is now hosted on freedesktop at:
        https://gitlab.freedesktop.org/slirp.

        The libslirp source was extracted from qemu/slirp filtered through
        clang-format (available in project tree). The qemu slirp directory can
        be swapped by a git submodule.

        Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
        Message-Id: <20190424110041.8175-3-marcandre.lureau at redhat.com>
        Signed-off-by: Samuel Thibault <samuel.thibault at ens-lyon.org>

But it is still used as a dependency for the QEMU project (CONFIG_SLIRP),
and that's why it should, IMO, be maintained in [main].
[Security]
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libslirp - shows 2
CVEs:
- CVE-2019-15890 - libslirp 4.0.0 has a use-after-free in ip_reass in ip_input.c.
- CVE-2019-14378 - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
- Both CVEs were handled by Debian as well:
- https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html
- https://www.debian.org/security/2019/dsa-4506
[Quality assurance]
- Both packages install fine. libslirp-dev correctly includes the .so
alias to latest libslirp0 .so.0 file.
- Packages don't have any debconf questions.
- No long-term outstanding issues:
* There are no bugs in launchpad for libslirp
* There are no bugs in Debian project for libslirp
* There are 3 on-going registered issues upstream:
- To make slirp as a standalone process and not a lib.
- To rewrite slirp in Rust (some examples given, nothing big)
- Create integration with OSS fuzz project
* Fixes to be merged:
- Overall package seems really well maintained, especially by Marc-André
from the QEMU team.
- Important bugs:
- https://gitlab.freedesktop.org/slirp/libslirp/merge_requests/20/commits
- we should make sure to include those fixes before feature freeze
- Package does NOT deal with exotic hardware.
- Package does NOT have any DEP8 tests. Upstream has a TODO on
integrating source code with automated fuzzing only. A consumer project
(https://github.com/rootless-containers/slirp4netns/) seems to have tests
that stress libslirp and that could help us in bringing something as
DEP8 tests.
- Package has debian/watch AND the MR asking it to be imported to
git-ubuntu was already done
(https://code.launchpad.net/~rafaeldtinoco/usd-importer/+git/usd-importer/+merge/376164).
- There are some lintian warnings:
$ lintian --pedantic ../libslirp_4.0.0-2.dsc
P: libslirp source: debian-rules-not-executable
P: libslirp source: file-contains-trailing-whitespace debian/control (line 35)
P: libslirp source: package-uses-old-debhelper-compat-version 11
P: libslirp source: rules-requires-root-missing
P: libslirp source: unversioned-copyright-format-uri http://dep.debian.net/deps/dep5
P: libslirp source: uses-debhelper-compat-file
that should be fixed.
- Package does not rely on obsolete dependencies.
[UI standards]
N/A
[Dependencies]
- All the dependencies are in [main]:
$ apt-cache depends libslirp0
libslirp0
Depends: libc6
Depends: libglib2.0-0
$ apt-cache depends libslirp-dev
libslirp-dev
Depends: libslirp0
[Standards compliance]
- Package DOES follow the FHS and Debian Policy standards (4.4.1).
- Source package is quite simple.
[Maintenance]
- The Server team will subscribe for the package for maintenance.
- Package is maintained by the QEMU Debian team also.
[Background]
General purpose TCP-IP emulator library (development files) libslirp is
a user-mode networking library used by virtual machines, containers or
various tools.
In QEMU, libslirp is used by the NET_CLIENT_DRIVER_USER for the legacy
network drivers. It is also a key part of recent rootless-containers
initiatives (slirp4netns, for example).
** Affects: libslirp (Ubuntu)
Importance: Medium
Status: In Progress
--
[MIR] libslirp (as it was part of QEMU)
https://bugs.launchpad.net/bugs/1854404
You received this bug notification because you are a member of Ubuntu Package Archive Administrators, which is subscribed to the bug report.