26.01.2011 00:25, Moritz Muehlenhoff wrote:
> Package: kvm
> Severity: grave
> Tags: security
> 
> Please see the following entry in the Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011 

Yes, I've seen this even before a CVE ID was assigned.

> The impact is not entirely obvious to me? Do I understand it
> correctly that a malicious application accessing a KVM
> instance could lock out other apps to this virtual machine?

This is a completely wrong understanding.

First of all, only one instance is affected.

Second, this is an intended behaviour.  Empty vnc password is
meant to be no authentication, not a lockdown.  When you
start it without specifying a password it lets everyone
in.

There was a bug in previous versions of qemu which is now
fixed by the commit mentioned in that RH bugreport.  A bug
which resulted in inability to change vnc to "no auth" mode
at runtime if a password has been specified.

The implication is this: if there was an application that
relied on the wrong behaviour, "thinking" that changing VNC
password at runtime to an empty string means a lockdown,
that combination is now broken, since instead of a lockdown
we're getting wide-open access.  But I'm not aware of any
application like that.

> Do you think this needs to be fixed for Squeeze or in a 
> point update?

I think this does not need to be "fixed" at all.  Maybe a
wishlist bug requesting a way to explicitly enable/disable
vnc at runtime, or - provided an application that relies
on the buggy behaviour is found - a fix for that application,
but definitely not like RH has put it.  I think.

Thanks!

/mjt


