
Re: [Qemu-devel] [PATCH for-1.4 stable] block/curl: disable extra protoc


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH for-1.4 stable] block/curl: disable extra protocols to prevent CVE-2013-0249
Date: Wed, 13 Feb 2013 09:24:28 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, Feb 12, 2013 at 08:31:38PM +0100, Andreas Färber wrote:
> On 08.02.2013 08:49, Stefan Hajnoczi wrote:
> > There is a buffer overflow in libcurl POP3/SMTP/IMAP.  The workaround is
> > simple: disable extra protocols so that they cannot be exploited.  Full
> > details here:
> > 
> >   http://curl.haxx.se/docs/adv_20130206.html
> > 
> > QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP.  I have tested
> > that this fix prevents the exploit on my host with
> > libcurl-7.27.0-5.fc18.
> > 
> > Signed-off-by: Stefan Hajnoczi <address@hidden>
> > ---
> > The vulnerability is public and is in libcurl, not QEMU.  We can work around
> > it in order to protect users whose machines have libcurl <7.29.
> > 
> > Please add to QEMU 1.4-rc2.
> 
> Stefan, this seems to have broken my setup on Mac OS X. You seem to
> require a newer version of cURL than configure checks...

Sending a fix.

Stefan


