Re: [PATCH] qemu: Let empty default VNC password work as documented

Jiri Denemark <jdenemar@xxxxxxxxxx> · Wed, 29 Jun 2016 16:18:03 +0200

On Wed, Jun 29, 2016 at 14:47:23 +0100, Daniel P. Berrange wrote:
> On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> > Setting an empty vnc_password in qemu.conf is documented as a way to
> > disable VNC access, but QEMU does not seem to behave like that. Let's
> > enforce the behavior by setting password expiration to "now".
> > 
> > Note, this has no effect on setting an empty //graphics@passwd in
> > domain XML. Users may use //graphics@passwdValidTo to enforce the same
> > behavior.
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1180092
> 
> Please reference newly assigned CVE-2016-5008 in the commit message
> before pushing.
> 
> > Signed-off-by: Jiri Denemark <jdenemar@xxxxxxxxxx>
> > ---
> >  src/qemu/qemu_hotplug.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
> > index e0b8230..91f48dc 100644
> > --- a/src/qemu/qemu_hotplug.c
> > +++ b/src/qemu/qemu_hotplug.c
> > @@ -3970,6 +3970,8 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
> >              snprintf(expire_time, sizeof(expire_time), "now");
> >          else
> >              snprintf(expire_time, sizeof(expire_time), "%lu", (long unsigned)auth->validTo);
> > +    } else if (!auth->passwd && defaultPasswd && defaultPasswd[0] == '\0') {
> > +        snprintf(expire_time, sizeof(expire_time), "now");
> >      } else {
> >          snprintf(expire_time, sizeof(expire_time), "never");
> >      }
> 
> Not shown in this patch is the earlier condition if (auth->expires).
> 
> IOW, if you set the empty password, but also have an expiry time
> set we'll still be allowing access. Now admittedly setting an
> empty password and also an expiry time is fairly pointless, but
> I can easily see apps mistakenly doing this. So we should check
> the empty password as the first branch in the condition.

Well, I explicitly only fixed the issue with an empty default password
and using a //graphics/@passwdValidTo with a default password is not
supported. Libvirt will just ignore the XML element and thus
auth->expires will always be false with default passwords.

Do you think we should handle empty passwords in XML too?

Jirka

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list