aboutsummaryrefslogtreecommitdiff
path: root/block
diff options
context:
space:
mode:
authorStefan Hajnoczi <stefanha@redhat.com>2013-02-08 08:49:10 +0100
committerAnthony Liguori <aliguori@us.ibm.com>2013-02-08 11:14:20 -0600
commitfb6d1bbd246c7a57ef53d3847ef225cd1349d602 (patch)
tree81248ebd26fd657f0c90dcd8140253f5829c0e4c /block
parent0eb256a2173d35c64696189adcd3599be61922ef (diff)
downloadqemu-fb6d1bbd246c7a57ef53d3847ef225cd1349d602.zip
qemu-fb6d1bbd246c7a57ef53d3847ef225cd1349d602.tar.gz
qemu-fb6d1bbd246c7a57ef53d3847ef225cd1349d602.tar.bz2
block/curl: disable extra protocols to prevent CVE-2013-0249
There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is simple: disable extra protocols so that they cannot be exploited. Full details here: http://curl.haxx.se/docs/adv_20130206.html QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested that this fix prevents the exploit on my host with libcurl-7.27.0-5.fc18. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'block')
-rw-r--r--block/curl.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/block/curl.c b/block/curl.c
index 47df952..f6226b3 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -34,6 +34,10 @@
#define DPRINTF(fmt, ...) do { } while (0)
#endif
+#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \
+ CURLPROTO_FTP | CURLPROTO_FTPS | \
+ CURLPROTO_TFTP)
+
#define CURL_NUM_STATES 8
#define CURL_NUM_ACB 8
#define SECTOR_SIZE 512
@@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s)
curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg);
curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1);
+ /* Restrict supported protocols to avoid security issues in the more
+ * obscure protocols. For example, do not allow POP3/SMTP/IMAP see
+ * CVE-2013-0249.
+ */
+ curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS);
+ curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS);
+
#ifdef DEBUG_VERBOSE
curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
#endif