From 57c5e2246efeaf2fef820a482241f1cc43960c7a Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Fri, 3 Dec 2021 09:16:39 -0500
Subject: [PATCH] Swap bind address for gvproxy to localhost-only

This resolves CVE-2021-4024, where an attacker could access the API externally and forward any port they desired to the VM from `podman machine`.

[NO NEW TESTS NEEDED] gvproxy is not tested directly at this time.

Signed-off-by: Matthew Heon
---
 pkg/machine/qemu/machine.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
index 03197fef12..ab1b6c7df4 100644
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
@@ -659,7 +659,7 @@ func (v *MachineVM) startHostNetworking() error {
 	// Listen on all at port 7777 for setting up and tearing
 	// down forwarding
-	listenSocket := "tcp://0.0.0.0:7777"
+	listenSocket := "tcp://127.0.0.1:7777"
 	qemuSocket, pidFile, err := v.getSocketandPid()
 	if err != nil {
 		return err