author    Matthew Heon <mheon@redhat.com>  2021-12-03 09:16:39 -0500
committer Matthew Heon <mheon@redhat.com>  2021-12-03 09:50:51 -0500
commit    57c5e2246efeaf2fef820a482241f1cc43960c7a
tree      b646cb36a808b7140837b8abf428bee6e7815a5e
parent    815f36af1a68caae85d251b7a1009cf075d55dab
download  podman-57c5e2246efeaf2fef820a482241f1cc43960c7a.tar.gz
          podman-57c5e2246efeaf2fef820a482241f1cc43960c7a.tar.bz2
          podman-57c5e2246efeaf2fef820a482241f1cc43960c7a.zip
Swap bind address for gvproxy to localhost-only
This resolves CVE-2021-4024, where an attacker could access the API externally and forward any port they desired to the VM from `podman machine`.

[NO NEW TESTS NEEDED] gvproxy is not tested directly at this time.

Signed-off-by: Matthew Heon <mheon@redhat.com>
-rw-r--r--  pkg/machine/qemu/machine.go  2
1 files changed, 1 insertions, 1 deletions
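The commit message states that the fix is a change of bind address, from the wildcard 0.0.0.0 to the loopback address, and that gvproxy has no direct tests. The following is an added example, not code from podman or gvproxy, of the kind of guard a test or startup path could use to catch a control listener that is exposed beyond the host: it parses a listen spec in the same "tcp://host:port" shape as the `listenSocket` variable in the diff and classifies where the resulting socket can be reached from. The type and function names (`Exposure`, `ClassifyListenAddr`, `RequireLocalOnly`) and the sample specs in `main` are assumptions made for this illustration; only "tcp://0.0.0.0:7777" and "tcp://127.0.0.1:7777" are taken from the page.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Exposure classifies who can reach a listener bound to a given address.
// (Added example; names are assumptions, not podman/gvproxy identifiers.)
type Exposure int

const (
	ExposureUnknown   Exposure = iota
	ExposureLocalFS            // unix domain socket: limited by filesystem permissions
	ExposureLoopback           // 127.0.0.0/8, ::1 or "localhost": any process on this host
	ExposureWildcard           // 0.0.0.0 or :: : every interface, i.e. reachable externally
	ExposureInterface          // a specific non-loopback address
)

func (e Exposure) String() string {
	switch e {
	case ExposureLocalFS:
		return "unix-socket"
	case ExposureLoopback:
		return "loopback-only"
	case ExposureWildcard:
		return "all-interfaces"
	case ExposureInterface:
		return "single-interface"
	}
	return "unknown"
}

// ClassifyListenAddr parses "tcp://host:port" or "unix:///path" and reports
// the exposure of a socket bound there. Only the literal "localhost" is treated
// as a hostname so the check never does DNS and runs offline.
func ClassifyListenAddr(spec string) (Exposure, error) {
	u, err := url.Parse(spec)
	if err != nil {
		return ExposureUnknown, err
	}
	switch u.Scheme {
	case "unix":
		return ExposureLocalFS, nil
	case "tcp", "tcp4", "tcp6":
		// fall through to host parsing below
	default:
		return ExposureUnknown, fmt.Errorf("unsupported scheme %q in %q", u.Scheme, spec)
	}
	host, _, err := net.SplitHostPort(u.Host)
	if err != nil {
		return ExposureUnknown, err
	}
	if strings.EqualFold(host, "localhost") {
		return ExposureLoopback, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return ExposureUnknown, fmt.Errorf("host %q in %q is not an IP literal", host, spec)
	}
	switch {
	case ip.IsUnspecified(): // 0.0.0.0 or ::
		return ExposureWildcard, nil
	case ip.IsLoopback(): // 127.x.x.x or ::1
		return ExposureLoopback, nil
	default:
		return ExposureInterface, nil
	}
}

// RequireLocalOnly is the guard: it fails unless the control listener is
// confined to the host, either via loopback or via a unix socket.
func RequireLocalOnly(spec string) error {
	e, err := ClassifyListenAddr(spec)
	if err != nil {
		return err
	}
	if e != ExposureLoopback && e != ExposureLocalFS {
		return fmt.Errorf("listener %s is %s; control sockets must be loopback or unix", spec, e)
	}
	return nil
}

func main() {
	// Constructed sample specs; the first two are the pre- and post-fix values from the diff.
	for _, spec := range []string{
		"tcp://0.0.0.0:7777",
		"tcp://127.0.0.1:7777",
		"tcp://[::]:7777",
		"tcp://[::1]:7777",
		"unix:///run/user/1000/gvproxy-control.sock",
	} {
		if err := RequireLocalOnly(spec); err != nil {
			fmt.Println("REJECT", err)
		} else {
			fmt.Println("OK    ", spec)
		}
	}
}
```

The IPv6 wildcard "::" is classified the same as 0.0.0.0, which is the case a loopback-only audit most often misses; a project that wants the guard to run before the listener is opened can call `RequireLocalOnly` on the spec and refuse to start on error.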
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
index 03197fef1..ab1b6c7df 100644
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
@@ -659,7 +659,7 @@ func (v *MachineVM) startHostNetworking() error {
// Listen on all at port 7777 for setting up and tearing
// down forwarding
- listenSocket := "tcp://0.0.0.0:7777"
+ listenSocket := "tcp://127.0.0.1:7777"
qemuSocket, pidFile, err := v.getSocketandPid()
if err != nil {
return err
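Review bot: the comment directly above the changed line, "Listen on all at port 7777 for setting up and tearing down forwarding", is now wrong, since the listener is bound to 127.0.0.1 only; update it in the same change, e.g. "// Listen on localhost only at port 7777 for setting up and tearing", so the next reader does not assume the socket is still reachable from outside the host. Binding to loopback closes the external path the commit message describes, but nothing in the hunk adds authentication to the control API, so it remains reachable by any process on the host that can connect to 127.0.0.1:7777; it also leaves ::1 unbound, which is fine as long as no client expects IPv6 loopback. If only the local podman process needs to reach gvproxy's forwarding control, a Unix domain socket with restrictive file permissions would confine that channel to the socket's owner rather than to every local user, and the listenSocket string already has the scheme prefix to express that.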