Am 08.02.2013 08:49, schrieb Stefan Hajnoczi:
> There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is
> simple: disable extra protocols so that they cannot be exploited. Full
> details here:
>
> http://curl.haxx.se/docs/adv_20130206.html
>
> QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested
> that this fix prevents the exploit on my host with
> libcurl-7.27.0-5.fc18.
>
> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
> ---
> The vulnerability public and is in libcurl, not QEMU. We can work around
> it in order to protect users whose machines have libcurl <7.29.
>
> Please add to QEMU 1.4-rc2.
Stefan, this seems to have broken my setup on Mac OS X. You seem to
require a newer version of cURL than configure checks...
Andreas
>
> Please add to stable.
> block/curl.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/block/curl.c b/block/curl.c
> index 47df952..f6226b3 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -34,6 +34,10 @@
> #define DPRINTF(fmt, ...) do { } while (0)
> #endif
>
> +#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \
> + CURLPROTO_FTP | CURLPROTO_FTPS | \
> + CURLPROTO_TFTP)
> +
> #define CURL_NUM_STATES 8
> #define CURL_NUM_ACB 8
> #define SECTOR_SIZE 512
> @@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s)
> curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg);
> curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1);
>
> + /* Restrict supported protocols to avoid security issues in the more
> + * obscure protocols. For example, do not allow POP3/SMTP/IMAP see
> + * CVE-2013-0249.
> + */
> + curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS);
> + curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS);
> +
> #ifdef DEBUG_VERBOSE
> curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
> #endif
>
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
