From fb6d1bbd246c7a57ef53d3847ef225cd1349d602 Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Fri, 8 Feb 2013 08:49:10 +0100 Subject: block/curl: disable extra protocols to prevent CVE-2013-0249 There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is simple: disable extra protocols so that they cannot be exploited. Full details here: http://curl.haxx.se/docs/adv_20130206.html QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested that this fix prevents the exploit on my host with libcurl-7.27.0-5.fc18. Signed-off-by: Stefan Hajnoczi Signed-off-by: Anthony Liguori --- block/curl.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'block/curl.c') diff --git a/block/curl.c b/block/curl.c index 47df952..f6226b3 100644 --- a/block/curl.c +++ b/block/curl.c @@ -34,6 +34,10 @@ #define DPRINTF(fmt, ...) do { } while (0) #endif +#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \ + CURLPROTO_FTP | CURLPROTO_FTPS | \ + CURLPROTO_TFTP) + #define CURL_NUM_STATES 8 #define CURL_NUM_ACB 8 #define SECTOR_SIZE 512 @@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s) curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg); curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1); + /* Restrict supported protocols to avoid security issues in the more + * obscure protocols. For example, do not allow POP3/SMTP/IMAP see + * CVE-2013-0249. + */ + curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS); + curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS); + #ifdef DEBUG_VERBOSE curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1); #endif -- cgit v1.1