qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 1136477] Re: qemu doesn't sanitize command line option


From: Anthony Liguori
Subject: [Qemu-devel] [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords
Date: Fri, 01 Mar 2013 00:40:16 -0000

Hi,

Thanks for submitting this report.  I've removed the security label from
the bug after reading through the comments and the referenced bug.
Modifying argv is not terribly portable and I think a reasonable person
would expect that a password specified on the command line would be
visible through a ps.

Patches would certainly be considered but I don't consider this a
security issue.  Just a request for an enhancement.

** Information type changed from Private Security to Private

** Information type changed from Private to Public

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1136477

Title:
  qemu doesn't sanitize command line options carrying plaintext
  passwords

Status in QEMU:
  New

Bug description:
  A slight security problem exists with qemu's lack of sanitization of
  argv[], for cases where the user may have specified a plaintext
  password for spice/vnc authorization.  (Yes, it's not great to use
  this facility, but it's convenient and not grotesquely unsafe, were it
  not for this bug.)  It would be nice if those plaintext passwords were
  nuked from the command line, so a subsequent "ps awux" didn't show
  them for all to see.

  See also https://bugzilla.redhat.com/show_bug.cgi?id=916279

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1136477/+subscriptions



reply via email to

[Prev in Thread] Current Thread [Next in Thread]