Re: [oss-security] CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication

From: Josh Bressers <bressers_at_nospam>
Date: Wed Jan 12 2011 - 14:17:00 GMT
To: oss-security@lists.openwall.com, Petr Matousek <pmatouse@redhat.com>

Please use CVE-2011-0011

Thanks.

-- JB ----- Original Message ----- > "The semantics of the ',password' option to -vnc are that it enables > the VNC > auth scheme. If the VNC server password is unset or empty string, all > attempts > to authenticate with the server will be explicitly blocked. > > This allows applications to enable and selectively allow access for a > period of > time, before clearing the password again to prevent further access. > > Upstream changes have introduced a flaw by disabling all > authentication when > the password was cleared with upstream commit [1]. > > [1] > http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac" > > Reference: > https://bugzilla.redhat.com/show_bug.cgi?id=668589 > > Thanks, > -- > Petr Matousek / Red Hat Security Response Team

This message: [ Message body ]
Next message: Todd C. Miller: "Re: [oss-security] CVE request: sudo does not ask for password on GID changes"
Previous message: Josh Bressers: "Re: [oss-security] CVE request: sudo does not ask for password on GID changes"
In reply to: Petr Matousek: "[oss-security] CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]