Re: [Qemu-devel] [PATCH for-1.4 stable] block/curl: disable extra protoc


From: Andreas Färber
Subject: Re: [Qemu-devel] [PATCH for-1.4 stable] block/curl: disable extra protocols to prevent CVE-2013-0249
Date: Tue, 12 Feb 2013 20:31:38 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130105 Thunderbird/17.0.2

On 08.02.2013 08:49, Stefan Hajnoczi wrote:
> There is a buffer overflow in libcurl POP3/SMTP/IMAP.  The workaround is
> simple: disable extra protocols so that they cannot be exploited.  Full
> details here:
> 
>   http://curl.haxx.se/docs/adv_20130206.html
> 
> QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP.  I have tested
> that this fix prevents the exploit on my host with
> libcurl-7.27.0-5.fc18.
> 
> Signed-off-by: Stefan Hajnoczi <address@hidden>
> ---
> The vulnerability is public and is in libcurl, not QEMU.  We can work around
> it in order to protect users whose machines have libcurl <7.29.
> 
> Please add to QEMU 1.4-rc2.

Stefan, this seems to have broken my setup on Mac OS X. You seem to
require a newer version of cURL than configure checks...

Andreas

> 
> Please add to stable.
>  block/curl.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/block/curl.c b/block/curl.c
> index 47df952..f6226b3 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -34,6 +34,10 @@
>  #define DPRINTF(fmt, ...) do { } while (0)
>  #endif
>  
> +#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \
> +                   CURLPROTO_FTP | CURLPROTO_FTPS | \
> +                   CURLPROTO_TFTP)
> +
>  #define CURL_NUM_STATES 8
>  #define CURL_NUM_ACB    8
>  #define SECTOR_SIZE     512
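
Review bot: PROTOCOLS is built from the CURLPROTO_* constants with no version guard, so block/curl.c stops compiling against libcurl headers that predate them, which matches the Mac OS X breakage reported in this thread. Either raise the minimum libcurl version that configure checks so that it covers CURLOPT_PROTOCOLS, or wrap this define and its two uses in a LIBCURL_VERSION_NUM check. The name is also very generic for a file-scope macro; something like CURL_ALLOWED_PROTOCOLS would say what it is for.
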
> @@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s)
>      curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg);
>      curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1);
>  
> +    /* Restrict supported protocols to avoid security issues in the more
> +     * obscure protocols.  For example, do not allow POP3/SMTP/IMAP see
> +     * CVE-2013-0249.
> +     */
> +    curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS);
> +    curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS);
> +
>  #ifdef DEBUG_VERBOSE
>      curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
>  #endif
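
Review bot: both new curl_easy_setopt() calls in curl_init_state() ignore their return value, so if libcurl rejects CURLOPT_PROTOCOLS or CURLOPT_REDIR_PROTOCOLS the handle carries on with every protocol enabled and the workaround fails open without any trace. Compare the result against CURLE_OK and make curl_init_state() report failure (or at least log through DPRINTF) when the restriction cannot be applied. The comment also needs punctuation before "see CVE-2013-0249", and it should say why the redirect list is as wide as the initial one, since with this mask an HTTP server can still redirect the transfer to FTP or TFTP.
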
> 


-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg


