[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in lib

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in lib

From:	Bug Watch Updater
Subject:	[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
Date:	Fri, 27 Oct 2017 16:28:39 -0000

Launchpad has imported 5 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=668589.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-01-10T20:45:01+00:00 Petr wrote:

Description of problem:
The semantics of the ',password' option to -vnc are that it enables the VNC 
auth scheme. If the VNC server password is unset or empty string, all attempts 
to authenticate with the server will be explicitly blocked.

This allows applications to enable and selectively allow access for a
period of time, before clearing the password again to prevent further
access.

Upstream changes have introduced a flaw by disabling all authentication
when the password was cleared with upstream commit [1].

[1]
http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/9

------------------------------------------------------------------------
On 2011-01-28T18:02:42+00:00 Neil wrote:

Created attachment 475841
Fix to vnc password semantics

This patch corrects the flaw in qemu-kvm

Please see http://launchpad.net/bugs/697197 for testing performed.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/15

------------------------------------------------------------------------
On 2011-02-28T11:09:05+00:00 Petr wrote:

Created qemu tracking bugs for this issue

Affects: fedora-all [bug 680886]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/31

------------------------------------------------------------------------
On 2011-03-10T20:11:32+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0345 https://rhn.redhat.com/errata/RHSA-2011-0345.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/32

------------------------------------------------------------------------
On 2012-03-30T17:33:58+00:00 Petr wrote:

Statement:

This issue does not affect versions of kvm package as shipped with Red
Hat Enterprise Linux 5.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/33

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt:
  Invalid
Status in QEMU:
  Fix Released
Status in qemu-kvm:
  Fix Released
Status in libvirt package in Ubuntu:
  Invalid
Status in qemu-kvm package in Ubuntu:
  Fix Released
Status in libvirt source package in Lucid:
  Invalid
Status in qemu-kvm source package in Lucid:
  Fix Released
Status in libvirt source package in Maverick:
  Invalid
Status in qemu-kvm source package in Maverick:
  Fix Released
Status in libvirt source package in Natty:
  Invalid
Status in qemu-kvm source package in Natty:
  Fix Released
Status in libvirt source package in Karmic:
  Invalid
Status in qemu-kvm source package in Karmic:
  Fix Released
Status in qemu-kvm package in Debian:
  Fix Released

Bug description:
  The help in the /etc/libvirt/qemu.conf states

  "To allow access without passwords, leave this commented out. An empty
  string will still enable passwords, but be rejected by QEMU
  effectively preventing any use of VNC."

  yet setting:

  vnc_password=""

  allows access to the vnc console without any password prompt just as
  if it is hashed out completely.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: libvirt-bin 0.8.3-1ubuntu14
  ProcVersionSignature: Ubuntu 2.6.35-24.42-server 2.6.35.8
  Uname: Linux 2.6.35-24-server x86_64
  Architecture: amd64
  Date: Tue Jan  4 12:18:35 2011
  InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release amd64 
(20100816.2)
  ProcEnviron:
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: libvirt

To manage notifications about this bug go to:
https://bugs.launchpad.net/libvirt/+bug/697197/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt, Bug Watch Updater, 2017/10/27
- [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt, Bug Watch Updater <=

Prev by Date: [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
Next by Date: [Qemu-devel] [PATCH v2] target/ppc: Use tcg_gen_lookup_and_goto_ptr
Previous by thread: [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
Next by thread: [Qemu-devel] [PATCH v2] target/ppc: Use tcg_gen_lookup_and_goto_ptr
Index(es):
- Date
- Thread