oss-security January 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE request: qemu-kvm: Setting

Re: [oss-security] CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication

From: Josh Bressers <bressers_at_nospam>
Date: Wed Jan 12 2011 - 14:17:00 GMT
To: oss-security@lists.openwall.com, Petr Matousek <pmatouse@redhat.com>

Please use CVE-2011-0011

Thanks.

-- JB ----- Original Message ----- > "The semantics of the ',password' option to -vnc are that it enables > the VNC > auth scheme. If the VNC server password is unset or empty string, all > attempts > to authenticate with the server will be explicitly blocked. > > This allows applications to enable and selectively allow access for a > period of > time, before clearing the password again to prevent further access. > > Upstream changes have introduced a flaw by disabling all > authentication when > the password was cleared with upstream commit [1]. > > [1] > http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac" > > Reference: > https://bugzilla.redhat.com/show_bug.cgi?id=668589 > > Thanks, > -- > Petr Matousek / Red Hat Security Response Team