[Bug 1854404] [NEW] [MIR] libslirp (as it was part of QEMU)

Launchpad Bug Tracker 1854404 at bugs.launchpad.net
Sun Feb 2 14:23:18 UTC 2020 

You have been subscribed to a public bug by Christian Ehrhardt  (paelzer):

[Availability]

- Package is already in Ubuntu universe and was added in focal:

 libslirp | 4.0.0-2 | focal/universe | source
 libslirp0 | 4.0.0-2 | focal/universe | amd64, arm64, armhf, ppc64el, s390x

- Source package builds: libslirp0 and libslirp-dev:

$ dpkg -L libslirp0
/.
/usr
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/libslirp.so.0.0.0
/usr/share
/usr/share/doc
/usr/share/doc/libslirp0
/usr/share/doc/libslirp0/changelog.Debian.gz
/usr/share/doc/libslirp0/copyright
/usr/lib/x86_64-linux-gnu/libslirp.so.0

$ dpkg -L libslirp-dev 
/.
/usr
/usr/include
/usr/include/slirp
/usr/include/slirp/libslirp-version.h
/usr/include/slirp/libslirp.h
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/pkgconfig
/usr/lib/x86_64-linux-gnu/pkgconfig/slirp.pc
/usr/share
/usr/share/doc
/usr/share/doc/libslirp-dev
/usr/share/doc/libslirp-dev/copyright
/usr/lib/x86_64-linux-gnu/libslirp.so
/usr/share/doc/libslirp-dev/changelog.Debian.gz

[Rationale]

The library, whose this package distributes, was part of QEMU, and has
been spinned off just recently:

commit 7c57bdd820
Author: Marc-André Lureau <marcandre.lureau at redhat.com>
Date:   Wed Apr 24 08:00:41 2019

    build-sys: move slirp as git submodule project
    
    The slirp project is now hosted on freedesktop at:
    https://gitlab.freedesktop.org/slirp.
    
    The libslirp source was extracted from qemu/slirp filtered through
    clang-format (available in project tree). The qemu slirp directory can
    be swapped by a git submodule.
    
    Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
    Message-Id: <20190424110041.8175-3-marcandre.lureau at redhat.com>
    Signed-off-by: Samuel Thibault <samuel.thibault at ens-lyon.org>

But it is still used as a dependency for QEMU project (CONFIG_SLIRP),
and that's why it should, IMO, be maintained in [main].

[Security]

- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libslirp - shows 2
CVEs:

  - CVE-2019-15890 - libslirp 4.0.0 has a use-after-free in ip_reass in ip_input.c.
  - CVE-2019-14378 - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
  
- both cves were handled by Debian as well:

  - https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html
  - https://www.debian.org/security/2019/dsa-4506

[Quality assurance]

- Both package install fine. libslirp-dev correctly includes the .so
alias to latest libslirp0 .so.0 file.

- Packages don't have any debconf questions.

- No long-term outstanding issues:

  * There are no bugs in launchpad for libslirp
  * There are no bugs in Debian project for libslirp
  * There are 3 on-going registered issues upstream:
    - To make slirp as a standalone process and not a lib.
    - To rewrite slip in rust (some examples given, nothing big)
    - Create integration with OSS fuzz project
  * Fixes to be merged: 

- Overall package seems really well maintained, specially by Marc-André
from the QEMU team.

- Important bugs:
  - https://gitlab.freedesktop.org/slirp/libslirp/merge_requests/20/commits
  - we should make sure to include those fixes before feature freeze

- Package does NOT deal with exotic hardware.

- Packages does NOT have any DEP8 tests. Upstream has a TODO on
integrating source code with automated fuzzing only. A consumer project
(https://github.com/rootless-containers/slirp4netns/) seem to have tests
that stress libslirp and that could help us in bringing something as
DEP8 tests.

- Package has debian/watch AND the MR asking it to be imported to git-
ubuntu was already done (https://code.launchpad.net/~rafaeldtinoco/usd-
importer/+git/usd-importer/+merge/376164).

- There are some lintian warnings:

$ lintian --pedantic ../libslirp_4.0.0-2.dsc 
P: libslirp source: debian-rules-not-executable
P: libslirp source: file-contains-trailing-whitespace debian/control (line 35)
P: libslirp source: package-uses-old-debhelper-compat-version 11
P: libslirp source: rules-requires-root-missing
P: libslirp source: unversioned-copyright-format-uri http://dep.debian.net/deps/dep5
P: libslirp source: uses-debhelper-compat-file

that should be fixed.

- Package does not rely on obsolete dependencies.

[UI standards]

N/A

[Dependencies]

- All the dependencies are in [main]:

$ apt-cache depends libslirp0
libslirp0
  Depends: libc6
  Depends: libglib2.0-0
  
$ apt-cache depends libslirp-dev 
libslirp-dev
  Depends: libslirp0

[Standards compliance]

- Package DOES follow the FHS and Debian Policy standards (4.4.1).

- Source package is quite simple.

[Maintenance]

- The Server team will subscribe for the package for maintenance.
- Package is maintained by the QEMU Debian team also.

[Background]

General purpose TCP-IP emulator library (development files) libslirp is
a user-mode networking library used by virtual machines, containers or
various tools.

In QEMU, libslirp is used by the NET_CLIENT_DRIVER_USER for the legacy
network drivers. It is also key part of recent rootless-containers
initiatives (slirp4netns, for example).

** Affects: libslirp (Ubuntu)
     Importance: Medium
         Status: In Progress

-- 
[MIR] libslirp (as it was part of QEMU)
https://bugs.launchpad.net/bugs/1854404
You received this bug notification because you are a member of Ubuntu Package Archive Administrators, which is subscribed to the bug report.

More information about the ubuntu-archive mailing list