
[1/2] package/slirp: security bump to version 4.3.1

Message ID 20201107185256.1175545-1-fontaine.fabrice@gmail.com
State Accepted

Commit Message

Fabrice Fontaine Nov. 7, 2020, 6:52 p.m. UTC
- Use an up to date fork (spice slirp is archived and has not been
  updated since 2012)
- Add COPYRIGHT as the license file
- BSD-4-Clause has been replaced by BSD-3-Clause since
  https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
  https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
- Add hash file
- Switch to meson-package
- Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
  CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/slirp/Config.in  | 17 ++++++-----------
 package/slirp/slirp.hash |  3 +++
 package/slirp/slirp.mk   | 20 +++++++-------------
 3 files changed, 16 insertions(+), 24 deletions(-)
 create mode 100644 package/slirp/slirp.hash
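As an added example (not code from Buildroot or libslirp): a POSIX sh verifier for the `.hash` file format this patch introduces, i.e. the check Buildroot's download infrastructure performs in support/download/check-hash before it unpacks a tarball. Everything in it is assumed or constructed for illustration: the helper names `verify_hash_file` and `make_demo_tree`, the fake tarball and COPYRIGHT bytes, and the presence of coreutils `sha256sum`/`sha512sum` and `mktemp` on PATH.

```shell
#!/bin/sh
# Added example, not part of Buildroot or libslirp: a verifier for the
# Buildroot ".hash" file format introduced by this patch.
#
# Each non-comment line is "<algo>  <hex digest>  <filename>"; '#' lines are
# comments. Assumptions: sha256sum / sha512sum (coreutils) and mktemp are on
# PATH, and the files to check sit in a single download directory.

# verify_hash_file HASHFILE DIR
# Exit status 0 when every listed file exists in DIR and matches its digest,
# 1 on any missing file, unknown algorithm or digest mismatch.
verify_hash_file() {
    hashfile="$1"
    dir="$2"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank or comment line
        esac
        # Split the record on whitespace: algorithm, digest, file name.
        set -- $line
        algo="$1"; expected="$2"; name="$3"
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        case "$algo" in
            sha256|sha512)
                actual=$("${algo}sum" "$path" | cut -d' ' -f1) ;;
            none)
                echo "SKIP     $name (no digest recorded)" >&2
                continue ;;
            *)
                echo "UNKNOWN  algorithm '$algo' for $name" >&2
                rc=1
                continue ;;
        esac
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2
            echo "  expected $expected" >&2
            echo "  got      $actual" >&2
            rc=1
        fi
    done < "$hashfile"
    return "$rc"
}

# make_demo_tree DIR
# Writes a constructed download directory: two fake files (not the real
# libslirp tarball or COPYRIGHT) and a .hash file holding their real digests.
make_demo_tree() {
    d="$1"
    printf 'not a real tarball, just demo bytes\n' > "$d/libslirp-v4.3.1.tar.bz2"
    printf 'not the real COPYRIGHT text\n' > "$d/COPYRIGHT"
    {
        echo '# Locally computed (for the constructed demo files):'
        printf 'sha256  %s  libslirp-v4.3.1.tar.bz2\n' \
            "$(sha256sum "$d/libslirp-v4.3.1.tar.bz2" | cut -d' ' -f1)"
        printf 'sha256  %s  COPYRIGHT\n' \
            "$(sha256sum "$d/COPYRIGHT" | cut -d' ' -f1)"
    } > "$d/slirp.hash"
}

# Demo: a clean tree verifies, then a tampered license file is caught.
demo=$(mktemp -d)
make_demo_tree "$demo"
verify_hash_file "$demo/slirp.hash" "$demo"
printf 'extra clause\n' >> "$demo/COPYRIGHT"
verify_hash_file "$demo/slirp.hash" "$demo" || echo "tampering detected, as expected"
rm -rf "$demo"
```

Run it with `sh verify-hash.sh`: the first pass prints OK for both entries, the second reports MISMATCH for COPYRIGHT and returns non-zero. The practical point of a "Locally computed" entry is that it only pins whatever was downloaded once; before committing such a value, unpack the tarball and compare it with `git archive` of the corresponding upstream tag so the digest certifies the tag's content and not merely a download.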

Comments

Alistair Francis Nov. 9, 2020, 4:14 p.m. UTC | #1
On Sat, Nov 7, 2020 at 10:53 AM Fabrice Fontaine
<fontaine.fabrice@gmail.com> wrote:
>
> - Use an up to date fork (spice slirp is archived and has not been
>   updated since 2012)
> - Add COPYRIGHT as the license file
> - BSD-4-Clause has been replaced by BSD-3-Clause since
>   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
>   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
> - Add hash file
> - Switch to meson-package
> - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
>   CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Alistair

> ---
>  package/slirp/Config.in  | 17 ++++++-----------
>  package/slirp/slirp.hash |  3 +++
>  package/slirp/slirp.mk   | 20 +++++++-------------
>  3 files changed, 16 insertions(+), 24 deletions(-)
>  create mode 100644 package/slirp/slirp.hash
>
> diff --git a/package/slirp/Config.in b/package/slirp/Config.in
> index 51dea9700f..8f57c4fa6a 100644
> --- a/package/slirp/Config.in
> +++ b/package/slirp/Config.in
> @@ -1,16 +1,10 @@
>  config BR2_PACKAGE_SLIRP
>         bool "slirp"
>         help
> -         The Spice project aims to provide a complete open source
> -         solution for interaction with virtualized desktop devices.
> -         The Spice project deals with both the virtualized devices
> -         and the front-end. Interaction between front-end and
> -         back-end is done using VD-Interfaces.
> +         libslirp is a user-mode networking library used by virtual
> +         machines, containers or various tools.
>
> -         This package implements the slirp-part for Spice. Slirp
> -         emulates a PPP or SLIP connection over a normal terminal.
> -
> -         http://www.spice-space.org/
> +         https://gitlab.freedesktop.org/slirp/libslirp/
>
>           NOTE:
>           This package has some history of a unique kind:
> @@ -21,5 +15,6 @@ config BR2_PACKAGE_SLIRP
>             - during that period, QEMU (Fabrice BELLARD) forked the code
>               and included it in QEMU
>             - and it was imported from this breed by the Spice project
> -             around May 2009
> -           - which is what we use here
> +             around May 2009 which archived it in 2012
> +           - So we switched to
> +             https://gitlab.freedesktop.org/slirp/libslirp
> diff --git a/package/slirp/slirp.hash b/package/slirp/slirp.hash
> new file mode 100644
> index 0000000000..3051179df9
> --- /dev/null
> +++ b/package/slirp/slirp.hash
> @@ -0,0 +1,3 @@
> +# Locally computed:
> +sha256  6b1641f04d41bc45f94018ac8d42d3c9f3ba0e463cbeacf5f26fe83fc050161e  libslirp-v4.3.1.tar.bz2
> +sha256  b28aecf4796a6a22054167f0a976de13d9db335669d37afd2dc7ea4c335e1e13  COPYRIGHT
> diff --git a/package/slirp/slirp.mk b/package/slirp/slirp.mk
> index 7cfead65e2..4351818952 100644
> --- a/package/slirp/slirp.mk
> +++ b/package/slirp/slirp.mk
> @@ -4,18 +4,12 @@
>  #
>  ################################################################################
>
> -# There's no tarball releases of slirp, so we use the git repo
> -# Also, there's no tag, so we use a random SHA1 (master's HEAD
> -# of today)
> -SLIRP_VERSION = 8c2da74c1385242f20799fec8c04f8378edc6550
> -SLIRP_SITE = git://anongit.freedesktop.org/spice/slirp
> -SLIRP_LICENSE = BSD-4-Clause, BSD-2-Clause
> -# Note: The license file 'COPYRIGHT' is missing from the sources,
> -# although some files refer to it.
> +SLIRP_VERSION = 4.3.1
> +SLIRP_SOURCE = libslirp-v$(SLIRP_VERSION).tar.bz2
> +SLIRP_SITE = \
> +       https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v$(SLIRP_VERSION)
> +SLIRP_LICENSE = BSD-3-Clause
> +SLIRP_LICENSE_FILES = COPYRIGHT
>  SLIRP_INSTALL_STAGING = YES
>
> -# As we're using the git tree, there's no ./configure,
> -# so we need to autoreconf.
> -SLIRP_AUTORECONF = YES
> -
> -$(eval $(autotools-package))
> +$(eval $(meson-package))
> --
> 2.28.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Peter Korsgaard Nov. 10, 2020, 9:35 a.m. UTC | #2
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Use an up to date fork (spice slirp is archived and has not been
 >   updated since 2012)
 > - Add COPYRIGHT as the license file
 > - BSD-4-Clause has been replaced by BSD-3-Clause since
 >   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
 >   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
 > - Add hash file
 > - Switch to meson-package
 > - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
 >   CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

I believe qemu also uses an embedded copy of slirp. Could/should we
change it to use this package instead?

Fabrice Fontaine Nov. 10, 2020, 10:05 a.m. UTC | #3
Hi Peter,

On Tue, Nov 10, 2020 at 10:35 AM, Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>
>  > - Use an up to date fork (spice slirp is archived and has not been
>  >   updated since 2012)
>  > - Add COPYRIGHT as the license file
>  > - BSD-4-Clause has been replaced by BSD-3-Clause since
>  >   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
>  >   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
>  > - Add hash file
>  > - Switch to meson-package
>  > - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
>  >   CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756
>
>  > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Committed, thanks.
>
> I believe qemu also uses an embedded copy of slirp. Could/should we
> change it to use this package instead?
Indeed, qemu also checks and prefers a system-wide slirp.
>
> --
> Bye, Peter Korsgaard
Best Regards,

Fabrice

Peter Korsgaard Nov. 14, 2020, 10:29 a.m. UTC | #4
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Use an up to date fork (spice slirp is archived and has not been
 >   updated since 2012)
 > - Add COPYRIGHT as the license file
 > - BSD-4-Clause has been replaced by BSD-3-Clause since
 >   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
 >   https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
 > - Add hash file
 > - Switch to meson-package
 > - Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
 >   CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x and 2020.08.x, thanks.

Patch

diff --git a/package/slirp/Config.in b/package/slirp/Config.in
index 51dea9700f..8f57c4fa6a 100644
--- a/package/slirp/Config.in
+++ b/package/slirp/Config.in
@@ -1,16 +1,10 @@ 
 config BR2_PACKAGE_SLIRP
 	bool "slirp"
 	help
-	  The Spice project aims to provide a complete open source
-	  solution for interaction with virtualized desktop devices.
-	  The Spice project deals with both the virtualized devices
-	  and the front-end. Interaction between front-end and
-	  back-end is done using VD-Interfaces.
+	  libslirp is a user-mode networking library used by virtual
+	  machines, containers or various tools.
 
-	  This package implements the slirp-part for Spice. Slirp
-	  emulates a PPP or SLIP connection over a normal terminal.
-
-	  http://www.spice-space.org/
+	  https://gitlab.freedesktop.org/slirp/libslirp/
 
 	  NOTE:
 	  This package has some history of a unique kind:
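Review bot: The help text is updated but the symbol still declares no dependencies, and the new upstream is not dependency-free: libslirp 4.x's meson.build requires glib-2.0, so this hunk should add `select BR2_PACKAGE_LIBGLIB2` together with the `depends on BR2_USE_WCHAR`, `depends on BR2_TOOLCHAIN_HAS_THREADS` and `depends on BR2_USE_MMU` lines that libglib2 itself requires (plus the usual `comment` for the unmet-dependency case). Without them the package only builds when something else happens to enable libglib2, and the old Spice-slirp Config.in gave no hint of this because that code base did not need glib.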
@@ -21,5 +15,6 @@  config BR2_PACKAGE_SLIRP
 	    - during that period, QEMU (Fabrice BELLARD) forked the code
 	      and included it in QEMU
 	    - and it was imported from this breed by the Spice project
-	      around May 2009
-	    - which is what we use here
+	      around May 2009 which archived it in 2012
+	    - So we switched to
+	      https://gitlab.freedesktop.org/slirp/libslirp
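Review bot: The rewritten tail of the NOTE now reads as if libslirp is a continuation of the Spice copy ("which archived it in 2012" followed by "So we switched to"), but libslirp is the slirp code split out of QEMU as a standalone library, not a descendant of the Spice fork, so the history told in the preceding bullets should end on that branch instead. Suggested wording for the last bullets: `- and it was imported from this breed by the Spice project around May 2009, which archived it in 2012` and `- QEMU's copy was later split out as the standalone libslirp project, which is what this package now uses:` followed by the URL; this also removes the capitalised "So" in the middle of the list.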
diff --git a/package/slirp/slirp.hash b/package/slirp/slirp.hash
new file mode 100644
index 0000000000..3051179df9
--- /dev/null
+++ b/package/slirp/slirp.hash
@@ -0,0 +1,3 @@ 
+# Locally computed:
+sha256  6b1641f04d41bc45f94018ac8d42d3c9f3ba0e463cbeacf5f26fe83fc050161e  libslirp-v4.3.1.tar.bz2
+sha256  b28aecf4796a6a22054167f0a976de13d9db335669d37afd2dc7ea4c335e1e13  COPYRIGHT
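Review bot: "Locally computed" is the honest label here (no upstream-published digest is referenced), but the tarball comes from GitLab's on-the-fly `/-/archive/` endpoint, so the bytes are not guaranteed to stay identical across GitLab upgrades; before trusting the digest, unpack the archive and diff it against `git archive v4.3.1` of the upstream repository, and if the hash ever starts mismatching later, re-verify against the tag rather than just refreshing the value, since a silently changed tarball is exactly what this file exists to catch.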
diff --git a/package/slirp/slirp.mk b/package/slirp/slirp.mk
index 7cfead65e2..4351818952 100644
--- a/package/slirp/slirp.mk
+++ b/package/slirp/slirp.mk
@@ -4,18 +4,12 @@ 
 #
 ################################################################################
 
-# There's no tarball releases of slirp, so we use the git repo
-# Also, there's no tag, so we use a random SHA1 (master's HEAD
-# of today)
-SLIRP_VERSION = 8c2da74c1385242f20799fec8c04f8378edc6550
-SLIRP_SITE = git://anongit.freedesktop.org/spice/slirp
-SLIRP_LICENSE = BSD-4-Clause, BSD-2-Clause
-# Note: The license file 'COPYRIGHT' is missing from the sources,
-# although some files refer to it.
+SLIRP_VERSION = 4.3.1
+SLIRP_SOURCE = libslirp-v$(SLIRP_VERSION).tar.bz2
+SLIRP_SITE = \
+	https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v$(SLIRP_VERSION)
+SLIRP_LICENSE = BSD-3-Clause
+SLIRP_LICENSE_FILES = COPYRIGHT
 SLIRP_INSTALL_STAGING = YES
 
-# As we're using the git tree, there's no ./configure,
-# so we need to autoreconf.
-SLIRP_AUTORECONF = YES
-
-$(eval $(autotools-package))
+$(eval $(meson-package))
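Review bot: `SLIRP_DEPENDENCIES` is missing: libslirp's meson build requires glib-2.0, so add `SLIRP_DEPENDENCIES = libglib2` next to `SLIRP_INSTALL_STAGING = YES` so that libglib2 is built and staged before slirp instead of the build order being correct only by accident (and mirror it with a `select BR2_PACKAGE_LIBGLIB2` in Config.in). Dropping `SLIRP_AUTORECONF` and the "COPYRIGHT is missing" comment is right, since the tarball ships COPYRIGHT and a meson build has no configure step.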