This bug was fixed in the package qemu-kvm - 0.13.0+noroms-0ubuntu13

---------------
qemu-kvm (0.13.0+noroms-0ubuntu13) natty; urgency=low

  [ Neil Wilson <n...@aldur.co.uk> ]
  * SECURITY UPDATE: Setting VNC password to empty string silently
    disables all authentication (LP: #697197)
    - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
      change introduced in Qemu by git commit 52c18be9
    - CVE: 2011-0011

  [ Dustin Kirkland ]
  * Updated patch to reflect the move of vnc.c to ui/vnc.c
 -- Dustin Kirkland <kirkl...@ubuntu.com>   Fri, 11 Feb 2011 09:53:19 -0600

** Changed in: qemu-kvm (Ubuntu Natty)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of
qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released

Bug description:
  The help in the /etc/libvirt/qemu.conf states

  "To allow access without passwords, leave this commented out. An empty
  string will still enable passwords, but be rejected by QEMU
  effectively preventing any use of VNC."

  yet setting:

  vnc_password=""

  allows access to the vnc console without any password prompt just as
  if it is hashed out completely.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: libvirt-bin 0.8.3-1ubuntu14
  ProcVersionSignature: Ubuntu 2.6.35-24.42-server 2.6.35.8
  Uname: Linux 2.6.35-24-server x86_64
  Architecture: amd64
  Date: Tue Jan  4 12:18:35 2011
  InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release amd64 (20100816.2)
  ProcEnviron:
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: libvirt
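
An audit check for the setting described in the bug report, added here as an example (it is not part of the original report or of libvirt/QEMU): it classifies every live `vnc_password` line in the text of a qemu.conf. The function names, the sample fragments and the quote styles handled are assumptions made for this example.

```python
import re

# Live (uncommented) vnc_password assignment with a quoted value and an
# optional trailing comment. The quote styles handled are an assumption.
_ASSIGN = re.compile(
    r'^\s*vnc_password\s*=\s*(?P<q>["\'])(?P<val>.*?)(?P=q)\s*(?:#.*)?$'
)

MESSAGES = {
    "unset": "vnc_password is not set: VNC access without a password.",
    "empty": "vnc_password is an empty string: documented as blocking VNC, "
             "but reported in LP #697197 to allow access with no prompt.",
    "set": "vnc_password is set to a non-empty value.",
}

# Constructed sample fragments, not taken from a real host.
SAMPLE_COMMENTED = '# vnc_password = "constructed-example"\n'
SAMPLE_EMPTY = '# VNC settings\nvnc_password=""\n'
SAMPLE_SET = "vnc_password = 'constructed-example'  # rotated\n"


def find_assignments(conf_text):
    """Return [(line_number, 'empty' | 'set')] for every live assignment."""
    found = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        # Commented-out lines begin with '#', so the pattern skips them.
        match = _ASSIGN.match(line)
        if match:
            state = "empty" if match.group("val") == "" else "set"
            found.append((number, state))
    return found


def audit(conf_text):
    """Return (state, message). Which duplicate libvirt honours is not
    assumed here, so any empty assignment is reported as 'empty'."""
    states = [state for _, state in find_assignments(conf_text)]
    state = "empty" if "empty" in states else ("set" if states else "unset")
    return state, MESSAGES[state]


if __name__ == "__main__":
    for name, sample in (("commented", SAMPLE_COMMENTED),
                         ("empty", SAMPLE_EMPTY), ("set", SAMPLE_SET)):
        print(name, *audit(sample))
```

To check a host, pass the contents of /etc/libvirt/qemu.conf to `audit()`; an "empty" result on a qemu-kvm build without the 697197 patch corresponds to the behaviour reported above.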


