diff options
author | Stefan Hajnoczi <stefanha@redhat.com> | 2013-02-08 08:49:10 +0100 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2013-02-08 11:14:20 -0600 |
commit | fb6d1bbd246c7a57ef53d3847ef225cd1349d602 (patch) | |
tree | 81248ebd26fd657f0c90dcd8140253f5829c0e4c /block/curl.c | |
parent | 0eb256a2173d35c64696189adcd3599be61922ef (diff) | |
download | qemu-fb6d1bbd246c7a57ef53d3847ef225cd1349d602.zip qemu-fb6d1bbd246c7a57ef53d3847ef225cd1349d602.tar.gz qemu-fb6d1bbd246c7a57ef53d3847ef225cd1349d602.tar.bz2 |
block/curl: disable extra protocols to prevent CVE-2013-0249
There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is
simple: disable extra protocols so that they cannot be exploited. Full
details here:
http://curl.haxx.se/docs/adv_20130206.html
QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested
that this fix prevents the exploit on my host with
libcurl-7.27.0-5.fc18.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'block/curl.c')
-rw-r--r-- | block/curl.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/block/curl.c b/block/curl.c index 47df952..f6226b3 100644 --- a/block/curl.c +++ b/block/curl.c @@ -34,6 +34,10 @@ #define DPRINTF(fmt, ...) do { } while (0) #endif +#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \ + CURLPROTO_FTP | CURLPROTO_FTPS | \ + CURLPROTO_TFTP) + #define CURL_NUM_STATES 8 #define CURL_NUM_ACB 8 #define SECTOR_SIZE 512 @@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s) curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg); curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1); + /* Restrict supported protocols to avoid security issues in the more + * obscure protocols. For example, do not allow POP3/SMTP/IMAP see + * CVE-2013-0249. + */ + curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS); + curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS); + #ifdef DEBUG_VERBOSE curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1); #endif |