| Message ID | 1360309750-5091-1-git-send-email-stefanha@redhat.com |
|---|---|
| State | New |
| Headers | show |
Applied. Thanks. Regards, Anthony Liguori
Am 08.02.2013 08:49, schrieb Stefan Hajnoczi: > There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is > simple: disable extra protocols so that they cannot be exploited. Full > details here: > > http://curl.haxx.se/docs/adv_20130206.html > > QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested > that this fix prevents the exploit on my host with > libcurl-7.27.0-5.fc18. > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > --- > The vulnerability public and is in libcurl, not QEMU. We can work around > it in order to protect users whose machines have libcurl <7.29. > > Please add to QEMU 1.4-rc2. Stefan, this seems to have broken my setup on Mac OS X. You seem to require a newer version of cURL than configure checks... Andreas > > Please add to stable. > block/curl.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/block/curl.c b/block/curl.c > index 47df952..f6226b3 100644 > --- a/block/curl.c > +++ b/block/curl.c > @@ -34,6 +34,10 @@ > #define DPRINTF(fmt, ...) do { } while (0) > #endif > > +#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \ > + CURLPROTO_FTP | CURLPROTO_FTPS | \ > + CURLPROTO_TFTP) > + > #define CURL_NUM_STATES 8 > #define CURL_NUM_ACB 8 > #define SECTOR_SIZE 512 > @@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s) > curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg); > curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1); > > + /* Restrict supported protocols to avoid security issues in the more > + * obscure protocols. For example, do not allow POP3/SMTP/IMAP see > + * CVE-2013-0249. > + */ > + curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS); > + curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS); > + > #ifdef DEBUG_VERBOSE > curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1); > #endif >
On Tue, Feb 12, 2013 at 08:31:38PM +0100, Andreas Färber wrote: > Am 08.02.2013 08:49, schrieb Stefan Hajnoczi: > > There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is > > simple: disable extra protocols so that they cannot be exploited. Full > > details here: > > > > http://curl.haxx.se/docs/adv_20130206.html > > > > QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested > > that this fix prevents the exploit on my host with > > libcurl-7.27.0-5.fc18. > > > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > > --- > > The vulnerability public and is in libcurl, not QEMU. We can work around > > it in order to protect users whose machines have libcurl <7.29. > > > > Please add to QEMU 1.4-rc2. > > Stefan, this seems to have broken my setup on Mac OS X. You seem to > require a newer version of cURL than configure checks... Sending a fix. Stefan
diff --git a/block/curl.c b/block/curl.c index 47df952..f6226b3 100644 --- a/block/curl.c +++ b/block/curl.c @@ -34,6 +34,10 @@ #define DPRINTF(fmt, ...) do { } while (0) #endif +#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \ + CURLPROTO_FTP | CURLPROTO_FTPS | \ + CURLPROTO_TFTP) + #define CURL_NUM_STATES 8 #define CURL_NUM_ACB 8 #define SECTOR_SIZE 512 @@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s) curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg); curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1); + /* Restrict supported protocols to avoid security issues in the more + * obscure protocols. For example, do not allow POP3/SMTP/IMAP see + * CVE-2013-0249. + */ + curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS); + curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS); + #ifdef DEBUG_VERBOSE curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1); #endif
There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is simple: disable extra protocols so that they cannot be exploited. Full details here: http://curl.haxx.se/docs/adv_20130206.html QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested that this fix prevents the exploit on my host with libcurl-7.27.0-5.fc18. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> --- The vulnerability public and is in libcurl, not QEMU. We can work around it in order to protect users whose machines have libcurl <7.29. Please add to QEMU 1.4-rc2. Please add to stable. block/curl.c | 11 +++++++++++ 1 file changed, 11 insertions(+)