From 984271bde32afa5367d7522a37574504fc7e8628 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Fri, 27 Nov 2020 16:45:35 +0100
Subject: [PATCH 1/2] libslirp: fix CVE-2020-29129, CVE-2020-29130

Fixes out-of-bounds access while processing ARP/NCSI packets.

Fixes: CVE-2020-29129, CVE-2020-29130
---
 pkgs/development/libraries/libslirp/default.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkgs/development/libraries/libslirp/default.nix b/pkgs/development/libraries/libslirp/default.nix
index 0413d8a8abc4..2f3abbaff50e 100644
--- a/pkgs/development/libraries/libslirp/default.nix
+++ b/pkgs/development/libraries/libslirp/default.nix
@@ -1,5 +1,6 @@
 { stdenv
 , fetchFromGitLab
+, fetchpatch
 , meson
 , ninja
 , pkg-config
@@ -18,6 +19,15 @@ stdenv.mkDerivation rec {
 sha256 = "0pzgjj2x2vrjshrzrl2x39xp5lgwg4b4y9vs8xvadh1ycl10v3fv";
 };

+ patches = [
+ # remove >4.3.1
+ (fetchpatch {
+ name = "CVE-2020-29129_CVE-2020-29130.patch";
+ url = "https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f.patch";
+ sha256 = "01vbjqgnc0kp881l5p6b31cyyirhwhavm6x36hlgkymswvl3wh9w";
+ })
+ ];
+
 nativeBuildInputs = [ meson ninja pkg-config ];

 buildInputs = [ glib ];
From bd3ce46719031d84d9f01fc4e023c90dabf3edd9 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 28 Nov 2020 02:43:13 +0100
Subject: [PATCH 2/2] qemu: fix CVE-2020-29129, CVE-2020-29130 in vendored libslirp

Fixes out-of-bounds access in libslirp while processing ARP/NCSI packets.

Fixes: CVE-2020-29129, CVE-2020-29130
---
 pkgs/applications/virtualization/qemu/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 2bace4f258d7..163a87d7072f 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -100,6 +100,15 @@ stdenv.mkDerivation rec {
 })
 ];

+ # Remove CVE-2020-{29129,29130} for QEMU >5.1.0
+ postPatch = ''
+ (cd slirp && patch -p1 < ${fetchpatch {
+ name = "CVE-2020-29129_CVE-2020-29130.patch";
+ url = "https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f.patch";
+ sha256 = "01vbjqgnc0kp881l5p6b31cyyirhwhavm6x36hlgkymswvl3wh9w";
+ }})
+ '';
+
 hardeningDisable = [ "stackprotector" ];

 preConfigure = ''
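Review bot: The fix for the vendored libslirp is applied by a shell `patch -p1` call inside `postPatch`, so it never appears in the derivation's `patches` attribute; audit tooling that matches patch names such as `CVE-2020-29129_CVE-2020-29130.patch` against `patches` to mark a CVE as fixed will presumably still report QEMU as affected. `fetchpatch` can rewrite paths itself, so the same entry could join the list closed by `];` at the top of this hunk (presumably `patches`) with `extraPrefix = "slirp/";` added, which also lets the standard patch phase report a failed apply. The comment reads as if the CVEs were being removed; `# Fixes CVE-2020-{29129,29130} in the vendored libslirp; drop once QEMU is newer than 5.1.0` would be clearer, and the terser `# remove >4.3.1` in the libslirp patch has the same ambiguity. The enclosing `stdenv.mkDerivation` block starts and ends outside the hunk, so whether the `slirp/` prefix applies cleanly there should be confirmed with a build.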