From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=58245 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Pnvig-0001Ub-4D
	for qemu-devel@nongnu.org; Fri, 11 Feb 2011 11:19:43 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <bounces@canonical.com>) id 1Pnvie-0000yf-Oq
	for qemu-devel@nongnu.org; Fri, 11 Feb 2011 11:19:41 -0500
Received: from adelie.canonical.com ([91.189.90.139]:48684)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bounces@canonical.com>) id 1PnvHa-0008Fr-FM
	for qemu-devel@nongnu.org; Fri, 11 Feb 2011 10:51:42 -0500
Received: from loganberry.canonical.com ([91.189.90.37])
	by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian))
	id 1PnvHY-0002AE-UH
	for <qemu-devel@nongnu.org>; Fri, 11 Feb 2011 15:51:41 +0000
Received: from loganberry.canonical.com (localhost [127.0.0.1])
	by loganberry.canonical.com (Postfix) with ESMTP id 1644C2E814B
	for <qemu-devel@nongnu.org>; Fri, 11 Feb 2011 15:51:38 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 11 Feb 2011 15:42:39 -0000
From: Dustin Kirkland <dustin.kirkland@gmail.com>
Sender: bounces@canonical.com
References: <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
Message-Id: <20110211154239.2762.60522.malone@wampee.canonical.com>
Errors-To: bounces@canonical.com
Subject: [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC
	in libvirt
Reply-To: Bug 697197 <697197@bugs.launchpad.net>
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

@security team,

Could you please sponsor this to the maverick-security queue?  Thanks!

** Patch added: "697197.debdiff"
   https://bugs.launchpad.net/ubuntu/maverick/+source/qemu-kvm/+bug/697197/=
+attachment/1843528/+files/697197.debdiff

** Changed in: qemu-kvm (Ubuntu Maverick)
     Assignee: Dustin Kirkland (kirkland) =3D> Ubuntu Security Team (ubuntu=
-security)

-- =

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in =E2=80=9Clibvirt=E2=80=9D package in Ubuntu:
  Invalid
Status in =E2=80=9Cqemu-kvm=E2=80=9D package in Ubuntu:
  In Progress
Status in =E2=80=9Clibvirt=E2=80=9D source package in Maverick:
  Invalid
Status in =E2=80=9Cqemu-kvm=E2=80=9D source package in Maverick:
  In Progress
Status in =E2=80=9Clibvirt=E2=80=9D source package in Natty:
  Invalid
Status in =E2=80=9Cqemu-kvm=E2=80=9D source package in Natty:
  In Progress

Bug description:
  The help in the /etc/libvirt/qemu.conf states

  "To allow access without passwords, leave this commented out. An empty
  string will still enable passwords, but be rejected by QEMU
  effectively preventing any use of VNC."

  yet setting:

  vnc_password=3D""

  allows access to the vnc console without any password prompt just as
  if it is hashed out completely.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: libvirt-bin 0.8.3-1ubuntu14
  ProcVersionSignature: Ubuntu 2.6.35-24.42-server 2.6.35.8
  Uname: Linux 2.6.35-24-server x86_64
  Architecture: amd64
  Date: Tue Jan  4 12:18:35 2011
  InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release amd64=
 (20100816.2)
  ProcEnviron:
   LANG=3Den_GB.UTF-8
   SHELL=3D/bin/bash
  SourcePackage: libvirt