Patchwork [for-1.4,stable] block/curl: disable extra protocols to prevent CVE-2013-0249

login
register
mail settings
Submitter Stefan Hajnoczi
Date Feb. 8, 2013, 7:49 a.m.
Message ID <1360309750-5091-1-git-send-email-stefanha@redhat.com>
Download mbox | patch
Permalink /patch/219056/
State New
Headers show

Comments

Stefan Hajnoczi - Feb. 8, 2013, 7:49 a.m.
There is a buffer overflow in libcurl POP3/SMTP/IMAP.  The workaround is
simple: disable extra protocols so that they cannot be exploited.  Full
details here:

  http://curl.haxx.se/docs/adv_20130206.html

QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP.  I have tested
that this fix prevents the exploit on my host with
libcurl-7.27.0-5.fc18.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
The vulnerability public and is in libcurl, not QEMU.  We can work around
it in order to protect users whose machines have libcurl <7.29.

Please add to QEMU 1.4-rc2.

Please add to stable.

 block/curl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
Anthony Liguori - Feb. 8, 2013, 6:57 p.m.
Applied.  Thanks.

Regards,

Anthony Liguori
Andreas Färber - Feb. 12, 2013, 7:31 p.m.
Am 08.02.2013 08:49, schrieb Stefan Hajnoczi:
> There is a buffer overflow in libcurl POP3/SMTP/IMAP.  The workaround is
> simple: disable extra protocols so that they cannot be exploited.  Full
> details here:
> 
>   http://curl.haxx.se/docs/adv_20130206.html
> 
> QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP.  I have tested
> that this fix prevents the exploit on my host with
> libcurl-7.27.0-5.fc18.
> 
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> The vulnerability public and is in libcurl, not QEMU.  We can work around
> it in order to protect users whose machines have libcurl <7.29.
> 
> Please add to QEMU 1.4-rc2.

Stefan, this seems to have broken my setup on Mac OS X. You seem to
require a newer version of cURL than configure checks...

Andreas

> 
> Please add to stable.
>  block/curl.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/block/curl.c b/block/curl.c
> index 47df952..f6226b3 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -34,6 +34,10 @@
>  #define DPRINTF(fmt, ...) do { } while (0)
>  #endif
>  
> +#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \
> +                   CURLPROTO_FTP | CURLPROTO_FTPS | \
> +                   CURLPROTO_TFTP)
> +
>  #define CURL_NUM_STATES 8
>  #define CURL_NUM_ACB    8
>  #define SECTOR_SIZE     512
> @@ -302,6 +306,13 @@ static CURLState *curl_init_state(BDRVCURLState *s)
>      curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg);
>      curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1);
>  
> +    /* Restrict supported protocols to avoid security issues in the more
> +     * obscure protocols.  For example, do not allow POP3/SMTP/IMAP see
> +     * CVE-2013-0249.
> +     */
> +    curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS);
> +    curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS);
> +
>  #ifdef DEBUG_VERBOSE
>      curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
>  #endif
>
Stefan Hajnoczi - Feb. 13, 2013, 8:24 a.m.
On Tue, Feb 12, 2013 at 08:31:38PM +0100, Andreas Färber wrote:
> Am 08.02.2013 08:49, schrieb Stefan Hajnoczi:
> > There is a buffer overflow in libcurl POP3/SMTP/IMAP.  The workaround is
> > simple: disable extra protocols so that they cannot be exploited.  Full
> > details here:
> > 
> >   http://curl.haxx.se/docs/adv_20130206.html
> > 
> > QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP.  I have tested
> > that this fix prevents the exploit on my host with
> > libcurl-7.27.0-5.fc18.
> > 
> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > ---
> > The vulnerability public and is in libcurl, not QEMU.  We can work around
> > it in order to protect users whose machines have libcurl <7.29.
> > 
> > Please add to QEMU 1.4-rc2.
> 
> Stefan, this seems to have broken my setup on Mac OS X. You seem to
> require a newer version of cURL than configure checks...

Sending a fix.

Stefan

Patch

diff --git a/block/curl.c b/block/curl.c
index 47df952..f6226b3 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -34,6 +34,10 @@ 
 #define DPRINTF(fmt, ...) do { } while (0)
 #endif
 
+#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \
+                   CURLPROTO_FTP | CURLPROTO_FTPS | \
+                   CURLPROTO_TFTP)
+
 #define CURL_NUM_STATES 8
 #define CURL_NUM_ACB    8
 #define SECTOR_SIZE     512
@@ -302,6 +306,13 @@  static CURLState *curl_init_state(BDRVCURLState *s)
     curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg);
     curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1);
 
+    /* Restrict supported protocols to avoid security issues in the more
+     * obscure protocols.  For example, do not allow POP3/SMTP/IMAP see
+     * CVE-2013-0249.
+     */
+    curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS);
+    curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS);
+
 #ifdef DEBUG_VERBOSE
     curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
 #endif