Re: [Qemu-devel] [PATCH for-1.4 stable] block/curl: disable extra protocols to prevent CVE-2013-0249
Wed, 13 Feb 2013 09:24:28 +0100
On Tue, Feb 12, 2013 at 08:31:38PM +0100, Andreas Färber wrote:
> On 08.02.2013 08:49, Stefan Hajnoczi wrote:
> > There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is
> > simple: disable extra protocols so that they cannot be exploited. Full
> > details here:
> > http://curl.haxx.se/docs/adv_20130206.html
> > QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested
> > that this fix prevents the exploit on my host with
> > libcurl-7.27.0-5.fc18.
> > Signed-off-by: Stefan Hajnoczi <address@hidden>
> > ---
> > The vulnerability is public and is in libcurl, not QEMU. We can work around
> > it in order to protect users whose machines have libcurl <7.29.
> > Please add to QEMU 1.4-rc2.
> Stefan, this seems to have broken my setup on Mac OS X. You seem to
> require a newer version of cURL than configure checks...
Sending a fix.