Message ID | 20201107185256.1175545-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Series | [1/2] package/slirp: security bump to version 4.3.1 |
On Sat, Nov 7, 2020 at 10:53 AM Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote: > > - Use an up to date fork (spice slirp is archived and has not been > updated since 2012) > - Add COPYRIGHT as the license file > - BSD-4-Clause has been replaced by BSD-3-Clause since > https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3 > https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954 > - Add hash file > - Switch to meson-package > - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434, > CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756 > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Alistair > --- > package/slirp/Config.in | 17 ++++++----------- > package/slirp/slirp.hash | 3 +++ > package/slirp/slirp.mk | 20 +++++++------------- > 3 files changed, 16 insertions(+), 24 deletions(-) > create mode 100644 package/slirp/slirp.hash > > diff --git a/package/slirp/Config.in b/package/slirp/Config.in > index 51dea9700f..8f57c4fa6a 100644 > --- a/package/slirp/Config.in > +++ b/package/slirp/Config.in > @@ -1,16 +1,10 @@ > config BR2_PACKAGE_SLIRP > bool "slirp" > help > - The Spice project aims to provide a complete open source > - solution for interaction with virtualized desktop devices. > - The Spice project deals with both the virtualized devices > - and the front-end. Interaction between front-end and > - back-end is done using VD-Interfaces. > + libslirp is a user-mode networking library used by virtual > + machines, containers or various tools. > > - This package implements the slirp-part for Spice. Slirp > - emulates a PPP or SLIP connection over a normal terminal. > - > - http://www.spice-space.org/ > + https://gitlab.freedesktop.org/slirp/libslirp/ > > NOTE: > This package has some history of a unique kind: 
> @@ -21,5 +15,6 @@ config BR2_PACKAGE_SLIRP > - during that period, QEMU (Fabrice BELLARD) forked the code > and included it in QEMU > - and it was imported from this breed by the Spice project > - around May 2009 > - - which is what we use here > + around May 2009 which archived it in 2012 > + - So we switched to > + https://gitlab.freedesktop.org/slirp/libslirp > diff --git a/package/slirp/slirp.hash b/package/slirp/slirp.hash > new file mode 100644 > index 0000000000..3051179df9 > --- /dev/null > +++ b/package/slirp/slirp.hash > @@ -0,0 +1,3 @@ > +# Locally computed: > +sha256 6b1641f04d41bc45f94018ac8d42d3c9f3ba0e463cbeacf5f26fe83fc050161e libslirp-v4.3.1.tar.bz2 > +sha256 b28aecf4796a6a22054167f0a976de13d9db335669d37afd2dc7ea4c335e1e13 COPYRIGHT > diff --git a/package/slirp/slirp.mk b/package/slirp/slirp.mk > index 7cfead65e2..4351818952 100644 > --- a/package/slirp/slirp.mk > +++ b/package/slirp/slirp.mk 
> @@ -4,18 +4,12 @@ > # > ################################################################################ > > -# There's no tarball releases of slirp, so we use the git repo > -# Also, there's no tag, so we use a random SHA1 (master's HEAD > -# of today) > -SLIRP_VERSION = 8c2da74c1385242f20799fec8c04f8378edc6550 > -SLIRP_SITE = git://anongit.freedesktop.org/spice/slirp > -SLIRP_LICENSE = BSD-4-Clause, BSD-2-Clause > -# Note: The license file 'COPYRIGHT' is missing from the sources, > -# although some files refer to it. > +SLIRP_VERSION = 4.3.1 > +SLIRP_SOURCE = libslirp-v$(SLIRP_VERSION).tar.bz2 > +SLIRP_SITE = \ > + https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v$(SLIRP_VERSION) > +SLIRP_LICENSE = BSD-3-Clause > +SLIRP_LICENSE_FILES = COPYRIGHT > SLIRP_INSTALL_STAGING = YES > > -# As we're using the git tree, there's no ./configure, > -# so we need to autoreconf. > -SLIRP_AUTORECONF = YES > - > -$(eval $(autotools-package)) > +$(eval $(meson-package)) > -- > 2.28.0 > > _______________________________________________ > buildroot mailing list > buildroot@busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

> - Use an up to date fork (spice slirp is archived and has not been
> updated since 2012)
> - Add COPYRIGHT as the license file
> - BSD-4-Clause has been replaced by BSD-3-Clause since
> https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
> https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
> - Add hash file
> - Switch to meson-package
> - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
> CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

I believe qemu also uses an embedded copy of slirp. Could/should we
change it to use this package instead?
Hi Peter,

On Tue, Nov 10, 2020 at 10:35, Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>
> > - Use an up to date fork (spice slirp is archived and has not been
> > updated since 2012)
> > - Add COPYRIGHT as the license file
> > - BSD-4-Clause has been replaced by BSD-3-Clause since
> > https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
> > https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
> > - Add hash file
> > - Switch to meson-package
> > - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
> > CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756
>
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Committed, thanks.
>
> I believe qemu also uses an embedded copy of slirp. Could/should we
> change it to use this package instead?

Indeed, qemu also checks and prefers a system-wide slirp.

>
> --
> Bye, Peter Korsgaard

Best Regards,

Fabrice
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

> - Use an up to date fork (spice slirp is archived and has not been
> updated since 2012)
> - Add COPYRIGHT as the license file
> - BSD-4-Clause has been replaced by BSD-3-Clause since
> https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
> https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
> - Add hash file
> - Switch to meson-package
> - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
> CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x and 2020.08.x, thanks.
diff --git a/package/slirp/Config.in b/package/slirp/Config.in index 51dea9700f..8f57c4fa6a 100644 --- a/package/slirp/Config.in +++ b/package/slirp/Config.in @@ -1,16 +1,10 @@ config BR2_PACKAGE_SLIRP bool "slirp" help - The Spice project aims to provide a complete open source - solution for interaction with virtualized desktop devices. - The Spice project deals with both the virtualized devices - and the front-end. Interaction between front-end and - back-end is done using VD-Interfaces. + libslirp is a user-mode networking library used by virtual + machines, containers or various tools. - This package implements the slirp-part for Spice. Slirp - emulates a PPP or SLIP connection over a normal terminal. - - http://www.spice-space.org/ + https://gitlab.freedesktop.org/slirp/libslirp/ NOTE: This package has some history of a unique kind: @@ -21,5 +15,6 @@ config BR2_PACKAGE_SLIRP - during that period, QEMU (Fabrice BELLARD) forked the code and included it in QEMU - and it was imported from this breed by the Spice project - around May 2009 - - which is what we use here + around May 2009 which archived it in 2012 + - So we switched to + https://gitlab.freedesktop.org/slirp/libslirp diff --git a/package/slirp/slirp.hash b/package/slirp/slirp.hash new file mode 100644 index 0000000000..3051179df9 --- /dev/null +++ b/package/slirp/slirp.hash @@ -0,0 +1,3 @@ +# Locally computed: +sha256 6b1641f04d41bc45f94018ac8d42d3c9f3ba0e463cbeacf5f26fe83fc050161e libslirp-v4.3.1.tar.bz2 +sha256 b28aecf4796a6a22054167f0a976de13d9db335669d37afd2dc7ea4c335e1e13 COPYRIGHT diff --git a/package/slirp/slirp.mk b/package/slirp/slirp.mk index 7cfead65e2..4351818952 100644 --- a/package/slirp/slirp.mk +++ b/package/slirp/slirp.mk 
@@ -4,18 +4,12 @@ # ################################################################################ -# There's no tarball releases of slirp, so we use the git repo -# Also, there's no tag, so we use a random SHA1 (master's HEAD -# of today) -SLIRP_VERSION = 8c2da74c1385242f20799fec8c04f8378edc6550 -SLIRP_SITE = git://anongit.freedesktop.org/spice/slirp -SLIRP_LICENSE = BSD-4-Clause, BSD-2-Clause -# Note: The license file 'COPYRIGHT' is missing from the sources, -# although some files refer to it. +SLIRP_VERSION = 4.3.1 +SLIRP_SOURCE = libslirp-v$(SLIRP_VERSION).tar.bz2 +SLIRP_SITE = \ + https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v$(SLIRP_VERSION) +SLIRP_LICENSE = BSD-3-Clause +SLIRP_LICENSE_FILES = COPYRIGHT SLIRP_INSTALL_STAGING = YES -# As we're using the git tree, there's no ./configure, -# so we need to autoreconf. -SLIRP_AUTORECONF = YES - -$(eval $(autotools-package)) +$(eval $(meson-package))
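Review bot: in the second Config.in hunk (@@ -21,5 +15,6) the rewritten history bullets read awkwardly. "around May 2009 which archived it in 2012" runs the import and the archiving together, and the new item "- So we switched to" starts with a capital while the neighbouring items start lowercase. Suggest keeping "around May 2009" as it was, adding a separate item saying that the Spice project archived its copy in 2012, and a last lowercase item saying that the package now tracks https://gitlab.freedesktop.org/slirp/libslirp, so a reader can see at a glance which upstream receives security fixes.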
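Review bot: in the new package/slirp/slirp.hash, the tarball entry is documented only as "# Locally computed:", and SLIRP_SITE in slirp.mk points at the forge's /-/archive/v$(SLIRP_VERSION) URL, so the sha256 rests on a single local download with nothing upstream to cross-check it against. Please extend the comment to say what the hash was computed from (the exact URL, and ideally that the contents were compared with the v4.3.1 tag), so that a later hash mismatch can be triaged as a regenerated archive rather than a tampered one. The COPYRIGHT hash on the following line is fine as a locally computed value.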
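Review bot: no SLIRP_DEPENDENCIES line is declared in the slirp.mk hunk after the move to "$(eval $(meson-package))", and neither Config.in hunk adds a select or depends on, even though both the upstream and the build system change here. Please confirm that libslirp 4.3.1 configures and builds with no external library in a minimal defconfig, or declare what its meson build requires in SLIRP_DEPENDENCIES with the matching select and toolchain conditions in Config.in. Since the series is queued for 2020.02.x and 2020.08.x as a security bump, a missing dependency would surface as a build failure on the stable branches rather than as a fix.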
- Use an up to date fork (spice slirp is archived and has not been
  updated since 2012)
- Add COPYRIGHT as the license file
- BSD-4-Clause has been replaced by BSD-3-Clause since
  https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
  https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
- Add hash file
- Switch to meson-package
- Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
  CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/slirp/Config.in  | 17 ++++++-----------
 package/slirp/slirp.hash |  3 +++
 package/slirp/slirp.mk   | 20 +++++++-------------
 3 files changed, 16 insertions(+), 24 deletions(-)
 create mode 100644 package/slirp/slirp.hash