From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH for-1.4 stable] block/curl: disable extra protocols to prevent CVE-2013-0249
Date: Wed, 13 Feb 2013 09:24:28 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
On Tue, Feb 12, 2013 at 08:31:38PM +0100, Andreas Färber wrote:
> On 08.02.2013 08:49, Stefan Hajnoczi wrote:
> > There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is
> > simple: disable extra protocols so that they cannot be exploited. Full
> > details here:
> >
> > http://curl.haxx.se/docs/adv_20130206.html
> >
> > QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested
> > that this fix prevents the exploit on my host with
> > libcurl-7.27.0-5.fc18.
> >
> > Signed-off-by: Stefan Hajnoczi <address@hidden>
> > ---
> > The vulnerability is public and is in libcurl, not QEMU. We can work around
> > it in order to protect users whose machines have libcurl <7.29.
> >
> > Please add to QEMU 1.4-rc2.
>
> Stefan, this seems to have broken my setup on Mac OS X. You seem to
> require a newer version of cURL than configure checks...
Sending a fix.
Stefan