Searched hist:fb6d1bbd246c7a57ef53d3847ef225cd1349d602 (Results 1 – 1 of 1) sorted by relevance
/openbmc/qemu/block/
curl.c
diff 8a8f5840082eb65d140ccfe7b128c92390cce1c3 Wed Feb 13 02:25:34 CST 2013 Stefan Hajnoczi <stefanha@redhat.com>
block/curl: only restrict protocols with libcurl>=7.19.4
The curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, ...) interface was introduced in libcurl 7.19.4. Therefore we cannot protect against CVE-2013-0249 when linking against an older libcurl.
This fixes the build failure introduced by fb6d1bbd246c7a57ef53d3847ef225cd1349d602.
Reported-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Andreas Färber <andreas.faeber@web.de>
Message-id: 1360743934-8337-1-git-send-email-stefanha@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

diff fb6d1bbd246c7a57ef53d3847ef225cd1349d602 Fri Feb 08 01:49:10 CST 2013 Stefan Hajnoczi <stefanha@redhat.com>
block/curl: disable extra protocols to prevent CVE-2013-0249
There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is simple: disable extra protocols so that they cannot be exploited. Full details here:
http://curl.haxx.se/docs/adv_20130206.html
QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested that this fix prevents the exploit on my host with libcurl-7.27.0-5.fc18.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>