Swap bind address for gvproxy to localhost-only

This resolves CVE-2021-4024, where an attacker could access the API externally and forward any port they desired to the VM from `podman machine`. [NO NEW TESTS NEEDED] gvproxy is not tested directly at this time. Signed-off-by: Matthew Heon <[email protected]>
Luap99 · Dec 3, 2021 · 57c5e22 · 57c5e22
1 parent 815f36a
commit 57c5e22
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
@@ -659,7 +659,7 @@ func (v *MachineVM) startHostNetworking() error {
 
 	// Listen on all at port 7777 for setting up and tearing
 	// down forwarding
-	listenSocket := "tcp://0.0.0.0:7777"
+	listenSocket := "tcp://127.0.0.1:7777"
 	qemuSocket, pidFile, err := v.getSocketandPid()
 	if err != nil {
 		return err