Patchwork [for-1.4] block/curl: only restrict protocols with libcurl>=7.19.4

Submitter Stefan Hajnoczi
Date Feb. 13, 2013, 8:25 a.m.
Message ID <1360743934-8337-1-git-send-email-stefanha@redhat.com>
Permalink /patch/220078/
State New

Comments

Stefan Hajnoczi - Feb. 13, 2013, 8:25 a.m.
The curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, ...) interface was
introduced in libcurl 7.19.4.  Therefore we cannot protect against
CVE-2013-0249 when linking against an older libcurl.

This fixes the build failure introduced by
fb6d1bbd246c7a57ef53d3847ef225cd1349d602.

Reported-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/curl.c | 4 ++++
 1 file changed, 4 insertions(+)

Andreas Färber - Feb. 13, 2013, 1:15 p.m.
On 13.02.2013 09:25, Stefan Hajnoczi wrote:
> The curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, ...) interface was
> introduced in libcurl 7.19.4.  Therefore we cannot protect against
> CVE-2013-0249 when linking against an older libcurl.
> 
> This fixes the build failure introduced by
> fb6d1bbd246c7a57ef53d3847ef225cd1349d602.
> 
> Reported-by: Andreas Färber <afaerber@suse.de>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Tested-by: Andreas Färber <andreas.faerber@web.de>

That fixes the build without --disable-curl on Mac OS X v10.5.8 for me
(7.16.4).

Thanks,
Andreas

Anthony Liguori - Feb. 18, 2013, 4:02 p.m.
Applied.  Thanks.

Regards,

Anthony Liguori

Patch

diff --git a/block/curl.c b/block/curl.c
index f6226b3..98947da 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -309,9 +309,13 @@  static CURLState *curl_init_state(BDRVCURLState *s)
     /* Restrict supported protocols to avoid security issues in the more
      * obscure protocols.  For example, do not allow POP3/SMTP/IMAP see
      * CVE-2013-0249.
+     *
+     * Restricting protocols is only supported from 7.19.4 upwards.
      */
+#if LIBCURL_VERSION_NUM >= 0x071304
     curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS);
     curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS);
+#endif
 
 #ifdef DEBUG_VERBOSE
     curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
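
Review bot: the `#if LIBCURL_VERSION_NUM >= 0x071304` guard around the two `curl_easy_setopt()` calls has no `#else` branch, so a build against a libcurl older than 7.19.4 compiles cleanly and drops the protocol restriction without any indication. The constant itself is right (0x07, 0x13, 0x04 encodes 7.19.4), and the added comment line records the version requirement, but it does not say what happens below that version. Consider stating in the comment that all protocols built into libcurl stay enabled in that case, and emitting a build-time notice from an `#else` branch (or from configure) so packagers linking an old libcurl know the restriction is not in effect. Separately, the return values of the `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` calls are ignored here; if either call fails, the handle continues unrestricted, so checking for `CURLE_OK` and failing `curl_init_state()` would make the restriction fail closed.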