oss-security January 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE request: qemu-kvm: Setting

Re: [oss-security] CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication

From: Kurt Seifried <kurt_at_nospam>
Date: Tue Jan 11 2011 - 00:42:43 GMT
To: oss-security@lists.openwall.com, Petr Matousek <pmatouse@redhat.com>

> Upstream changes have introduced a flaw by disabling all authentication when
> the password was cleared with upstream commit [1].
>
> [1]
> http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac"

Confirmed vulnerable in qemu-kvm source code 0.10.6, fixed in 0.11.0

http://sourceforge.net/projects/kvm/files/qemu-kvm/

-- Kurt Seifried kurt@seifried.org skype: 1-703-879-3176