* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
@ 2011-01-28 15:09 ` Neil Wilson
  2011-01-28 15:28 ` Neil Wilson
                   ` (37 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Neil Wilson @ 2011-01-28 15:09 UTC (permalink / raw)
  To: qemu-devel

** Also affects: qemu
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of
qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  New
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Confirmed

Bug description:
  The help in the /etc/libvirt/qemu.conf states

  "To allow access without passwords, leave this commented out. An empty
  string will still enable passwords, but be rejected by QEMU
  effectively preventing any use of VNC."

  yet setting:

  vnc_password=""

  allows access to the vnc console without any password prompt just as
  if it is hashed out completely.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: libvirt-bin 0.8.3-1ubuntu14
  ProcVersionSignature: Ubuntu 2.6.35-24.42-server 2.6.35.8
  Uname: Linux 2.6.35-24-server x86_64
  Architecture: amd64
  Date: Tue Jan  4 12:18:35 2011
  InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release amd64 (20100816.2)
  ProcEnviron:
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: libvirt


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
  2011-01-28 15:09 ` [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt Neil Wilson
@ 2011-01-28 15:28 ` Neil Wilson
  2011-01-28 15:59 ` Launchpad Bug Tracker
                   ` (36 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Neil Wilson @ 2011-01-28 15:28 UTC (permalink / raw)
  To: qemu-devel

The solution to this problem is to reverse the commit
52c18be9e99dabe295321153fda7fce9f76647ac in the main Qemu archive.


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
  2011-01-28 15:09 ` [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt Neil Wilson
  2011-01-28 15:28 ` Neil Wilson
@ 2011-01-28 15:59 ` Launchpad Bug Tracker
  2011-01-28 17:44 ` Neil Wilson
                   ` (35 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-01-28 15:59 UTC (permalink / raw)
  To: qemu-devel

** Branch linked: lp:~brightbox/ubuntu/maverick/qemu-kvm/qemu-kvm.fix-697197


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (2 preceding siblings ...)
  2011-01-28 15:59 ` Launchpad Bug Tracker
@ 2011-01-28 17:44 ` Neil Wilson
  2011-01-28 17:58 ` Neil Wilson
                   ` (34 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Neil Wilson @ 2011-01-28 17:44 UTC (permalink / raw)
  To: qemu-devel


** Patch added: "qemu-kvm_0.12.5+noroms-0ubuntu7.2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/+attachment/1812796/+files/qemu-kvm_0.12.5%2Bnoroms-0ubuntu7.2.debdiff

** Tags added: patch


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (3 preceding siblings ...)
  2011-01-28 17:44 ` Neil Wilson
@ 2011-01-28 17:58 ` Neil Wilson
  2011-01-28 17:58 ` Neil Wilson
                   ` (33 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Neil Wilson @ 2011-01-28 17:58 UTC (permalink / raw)
  To: qemu-devel

Installed patched build onto Maverick server. vnc_listen set to 0.0.0.0
in /etc/libvirt/qemu.conf

Set vnc_password="" with vnc_tls=1 in /etc/libvirt/qemu.conf and
confirmed that the launched server now rejects authentication for any
password, whereas it turned off authentication and encryption completely
before.

Hashed out vnc_password and left vnc_tls=1 in /etc/libvirt/qemu.conf.
Confirmed that the server uses anonymous auth with TLS. Allows the user
on without a password. qemu-kvm launched with -vnc
0.0.0.0:0,tls,x509=/etc/pki/libvirt-vnc

Hashed out vnc_tls=1. Confirmed server allows direct access to VNC.
qemu-kvm launched with -vnc 0.0.0.0:0

Set vnc_password="". Confirmed server rejects authentication for any
password, with no encryption. Again previously it had just let the user
on. qemu-kvm launched with -vnc 0.0.0.0:0,password

Set vnc_password="password". Confirmed server accepts authentication
with that password. qemu-kvm launched with -vnc 0.0.0.0:0,password

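An added example, not part of the original thread or of libvirt/QEMU: a Python check that reads the qemu.conf keys and the `-vnc` argument exercised in the test matrix above and reports which combinations leave the console without working password authentication. The sample config text, the `qemu-kvm` prefix on the command lines and the finding names are constructed for illustration.

```python
import re
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed qemu.conf fragments mirroring the settings tested in the thread.
CONF_UNSET = '#vnc_password = "example"\nvnc_listen = "0.0.0.0"\nvnc_tls = 1\n'
CONF_EMPTY = 'vnc_listen = "0.0.0.0"\nvnc_password = ""\n'
CONF_SET = 'vnc_listen = "0.0.0.0"\nvnc_password = "password"\n'


def parse_qemu_conf(text):
    """Return the active (not hashed-out) key/value pairs of qemu.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'([A-Za-z_]\w*)\s*=\s*(.*)$', line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            conf[key] = raw[1:-1]          # quoted string, may be empty
        elif raw.isdigit():
            conf[key] = int(raw)
        else:
            conf[key] = raw
    return conf


def parse_vnc_arg(cmdline):
    """Split the value of '-vnc' into host, display and option flags."""
    argv = shlex.split(cmdline)
    if "-vnc" not in argv:
        return None
    idx = argv.index("-vnc")
    if idx + 1 >= len(argv):
        return None
    target, *opts = argv[idx + 1].split(",")
    host, _, display = target.rpartition(":")
    flags = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        flags[name] = value if value else True
    return {"host": host, "display": display, "flags": flags}


def audit(conf_text, cmdline):
    """Return finding codes for one qemu.conf / running command line pair."""
    findings = []
    conf = parse_qemu_conf(conf_text)
    # Assumption: an unset vnc_listen means the loopback default.
    listen = conf.get("vnc_listen", "127.0.0.1")

    if conf.get("vnc_password") == "":
        # The case in this bug: documented as "reject everything", but an
        # unpatched QEMU behaves as if no password were required.
        findings.append("EMPTY_PASSWORD")
    elif "vnc_password" not in conf and listen not in LOOPBACK:
        findings.append("NO_PASSWORD_CONFIGURED")

    vnc = parse_vnc_arg(cmdline)
    if vnc and vnc["host"] not in LOOPBACK and "password" not in vnc["flags"]:
        # TLS with anonymous auth encrypts the session but admits anyone.
        findings.append("RUNNING_WITHOUT_PASSWORD_FLAG")
    return findings


if __name__ == "__main__":
    cases = [
        (CONF_UNSET, "qemu-kvm -vnc 0.0.0.0:0,tls,x509=/etc/pki/libvirt-vnc"),
        (CONF_EMPTY, "qemu-kvm -vnc 0.0.0.0:0,password"),
        (CONF_SET, "qemu-kvm -vnc 0.0.0.0:0,password"),
    ]
    for conf_text, cmdline in cases:
        print(cmdline, "->", audit(conf_text, cmdline) or "no findings")
```

The empty-password and real-password cases produce the same `-vnc 0.0.0.0:0,password` command line, so the running process alone cannot reveal the problem; the config file has to be checked as well.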

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (4 preceding siblings ...)
  2011-01-28 17:58 ` Neil Wilson
@ 2011-01-28 17:58 ` Neil Wilson
  2011-01-28 18:24 ` Neil Wilson
                   ` (32 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Neil Wilson @ 2011-01-28 17:58 UTC (permalink / raw)
  To: qemu-devel

Please sponsor for upload


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (5 preceding siblings ...)
  2011-01-28 17:58 ` Neil Wilson
@ 2011-01-28 18:24 ` Neil Wilson
  2011-01-31 19:53 ` Anthony Liguori
                   ` (31 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Neil Wilson @ 2011-01-28 18:24 UTC (permalink / raw)
  To: qemu-devel

This fault probably affects all the current versions of qemu-kvm. It's
present in 0.11 and the current qemu master branch.


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (6 preceding siblings ...)
  2011-01-28 18:24 ` Neil Wilson
@ 2011-01-31 19:53 ` Anthony Liguori
  2011-02-11 15:27 ` Dustin Kirkland
                   ` (30 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Anthony Liguori @ 2011-01-31 19:53 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: New => Confirmed

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Confirmed


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (7 preceding siblings ...)
  2011-01-31 19:53 ` Anthony Liguori
@ 2011-02-11 15:27 ` Dustin Kirkland
  2011-02-11 15:36 ` Dustin Kirkland
                   ` (29 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:27 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu-kvm (Ubuntu)
   Importance: Undecided => Medium

** Changed in: qemu-kvm (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: qemu-kvm (Ubuntu)
     Assignee: (unassigned) => Dustin Kirkland (kirkland)

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  In Progress
Status in “libvirt” source package in Maverick:
  New
Status in “qemu-kvm” source package in Maverick:
  New
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  In Progress


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (8 preceding siblings ...)
  2011-02-11 15:27 ` Dustin Kirkland
@ 2011-02-11 15:36 ` Dustin Kirkland
  2011-02-11 15:41 ` Dustin Kirkland
                   ` (28 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:36 UTC (permalink / raw)
  To: qemu-devel

** Also affects: libvirt (Ubuntu Maverick)
   Importance: Undecided
       Status: New

** Also affects: qemu-kvm (Ubuntu Maverick)
   Importance: Undecided
       Status: New

** Also affects: libvirt (Ubuntu Natty)
   Importance: High
     Assignee: Serge Hallyn (serge-hallyn)
       Status: Invalid

** Also affects: qemu-kvm (Ubuntu Natty)
   Importance: Medium
     Assignee: Dustin Kirkland (kirkland)
       Status: In Progress

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  In Progress
Status in “libvirt” source package in Maverick:
  New
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  In Progress


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (9 preceding siblings ...)
  2011-02-11 15:36 ` Dustin Kirkland
@ 2011-02-11 15:41 ` Dustin Kirkland
  2011-02-11 15:42 ` Dustin Kirkland
                   ` (27 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:41 UTC (permalink / raw)
  To: qemu-devel

Looks good, thanks for doing this, Neil.

I'm going to update it just slightly, as this debdiff will need to go
through the security queue, since there's an associated CVE.  I'll prep
that upload and the security team will sponsor it into
maverick-security.

I'll get it uploaded to natty now.

The last thing I need you to do is to email your patch to the qemu-devel
mailing list.  The maintainers do not accept patches solely attached to
bugs in Launchpad.  Their processes require that you email the patch to
the mailing list.  Sorry for the run-around.  Cheers!

** Changed in: qemu-kvm (Ubuntu Maverick)
   Importance: Undecided => Medium

** Changed in: qemu-kvm (Ubuntu Maverick)
       Status: New => In Progress

** Changed in: qemu-kvm (Ubuntu Maverick)
    Milestone: None => maverick-updates

** Changed in: qemu-kvm (Ubuntu Maverick)
     Assignee: (unassigned) => Dustin Kirkland (kirkland)

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  In Progress


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (10 preceding siblings ...)
  2011-02-11 15:41 ` Dustin Kirkland
@ 2011-02-11 15:42 ` Dustin Kirkland
  2011-02-11 15:51 ` Dustin Kirkland
                   ` (26 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:42 UTC (permalink / raw)
  To: qemu-devel

@security team,

Could you please sponsor this to the maverick-security queue?  Thanks!

** Patch added: "697197.debdiff"
   https://bugs.launchpad.net/ubuntu/maverick/+source/qemu-kvm/+bug/697197/+attachment/1843528/+files/697197.debdiff

** Changed in: qemu-kvm (Ubuntu Maverick)
     Assignee: Dustin Kirkland (kirkland) => Ubuntu Security Team (ubuntu-security)


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (11 preceding siblings ...)
  2011-02-11 15:42 ` Dustin Kirkland
@ 2011-02-11 15:51 ` Dustin Kirkland
  2011-02-11 15:51 ` Neil Wilson
                   ` (25 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:51 UTC (permalink / raw)
  To: qemu-devel

** Changed in: libvirt (Ubuntu Maverick)
       Status: New => Invalid

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (12 preceding siblings ...)
  2011-02-11 15:51 ` Dustin Kirkland
@ 2011-02-11 15:51 ` Neil Wilson
  2011-02-11 15:51 ` Dustin Kirkland
                   ` (24 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Neil Wilson @ 2011-02-11 15:51 UTC (permalink / raw)
  To: qemu-devel

The patch needs to go into Lucid as well.


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (13 preceding siblings ...)
  2011-02-11 15:51 ` Neil Wilson
@ 2011-02-11 15:51 ` Dustin Kirkland
  2011-02-11 15:54 ` Dustin Kirkland
                   ` (23 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:51 UTC (permalink / raw)
  To: qemu-devel

Marking the libvirt tasks "invalid", as upstream libvirt has correctly pointed out that this bug is in qemu, and not libvirt:
 * https://bugzilla.redhat.com/show_bug.cgi?id=667097


* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (14 preceding siblings ...)
  2011-02-11 15:51 ` Dustin Kirkland
@ 2011-02-11 15:54 ` Dustin Kirkland
  2011-02-11 15:59 ` Dustin Kirkland
                   ` (22 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:54 UTC (permalink / raw)
  To: qemu-devel

Uploading to Natty now...

** Also affects: libvirt (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: qemu-kvm (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Changed in: qemu-kvm (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: qemu-kvm (Ubuntu Lucid)
       Status: New => In Progress

** Changed in: qemu-kvm (Ubuntu Lucid)
     Assignee: (unassigned) => Dustin Kirkland (kirkland)

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (15 preceding siblings ...)
  2011-02-11 15:54 ` Dustin Kirkland
@ 2011-02-11 15:59 ` Dustin Kirkland
  2011-02-11 16:00 ` Launchpad Bug Tracker
                   ` (21 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 15:59 UTC (permalink / raw)
  To: qemu-devel

Confirmed that the affected code is also in Lucid.  Adding a task for
that, and attaching a debdiff for lucid-security too.

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (16 preceding siblings ...)
  2011-02-11 15:59 ` Dustin Kirkland
@ 2011-02-11 16:00 ` Launchpad Bug Tracker
  2011-02-11 16:00 ` Dustin Kirkland
                   ` (20 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-02-11 16:00 UTC (permalink / raw)
  To: qemu-devel

This bug was fixed in the package qemu-kvm - 0.13.0+noroms-0ubuntu13

---------------
qemu-kvm (0.13.0+noroms-0ubuntu13) natty; urgency=low

  [ Neil Wilson <neil@aldur.co.uk> ]
  * SECURITY UPDATE: Setting VNC password to empty string silently
    disables all authentication (LP: #697197)
    - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
      change introduced in Qemu by git commit 52c18be9
    - CVE: 2011-0011

  [ Dustin Kirkland ]
  * Updated patch to reflect the move of vnc.c to ui/vnc.c
 -- Dustin Kirkland <kirkland@ubuntu.com>   Fri, 11 Feb 2011 09:53:19 -0600

** Changed in: qemu-kvm (Ubuntu Natty)
       Status: In Progress => Fix Released

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread
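
An added example, not part of this thread and not libvirt or QEMU code: an audit of qemu.conf text for the setting this bug concerns, separating "commented out" from "set to an empty string". It assumes the key is written as a quoted string on a single line; the sample configurations and the function names are constructed for illustration.

```python
import re

# An active (uncommented) assignment such as:  vnc_password = "secret"
# A line starting with '#' never matches, so commented-out defaults are ignored.
_ASSIGN = re.compile(
    r'^\s*vnc_password\s*=\s*(?P<q>["\'])(?P<val>.*?)(?P=q)\s*(?:#.*)?$'
)


def audit_qemu_conf(text):
    """Return [(line_number, state)] for every active vnc_password line.

    state is "empty" for vnc_password="" and "set" for any other value.
    Every active assignment is reported, so a duplicate key cannot hide
    an empty one regardless of which assignment the parser honours.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = _ASSIGN.match(line)
        if match is None:
            continue
        state = "empty" if match.group("val") == "" else "set"
        findings.append((lineno, state))
    return findings


def verdict(text):
    """Summarise a qemu.conf: "no-password", "empty-password" or "password-set".

    "no-password"    : key commented out or absent; documented as access
                       without passwords.
    "empty-password" : documented as making VNC unusable, but on the QEMU
                       builds this bug covers it leaves the console open
                       with no password prompt.
    "password-set"   : a non-empty password is configured.
    """
    findings = audit_qemu_conf(text)
    if not findings:
        return "no-password"
    if any(state == "empty" for _, state in findings):
        return "empty-password"
    return "password-set"


# Constructed sample configurations (not taken from a real host).
SAMPLE_COMMENTED = '# vnc_password = "XYZ12345"\nvnc_listen = "0.0.0.0"\n'
SAMPLE_EMPTY = 'vnc_listen = "0.0.0.0"\nvnc_password=""\n'
SAMPLE_SET = 'vnc_password = "constructed-example"\n'
SAMPLE_MIXED = 'vnc_password = "constructed-example"\nvnc_password = ""  # off?\n'

if __name__ == "__main__":
    samples = (
        ("commented", SAMPLE_COMMENTED),
        ("empty", SAMPLE_EMPTY),
        ("set", SAMPLE_SET),
        ("mixed", SAMPLE_MIXED),
    )
    for name, conf in samples:
        print(name, verdict(conf), audit_qemu_conf(conf))
```

An "empty-password" result on a host whose qemu-kvm predates the fixed package versions named in this thread means the VNC console should be treated as unauthenticated.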

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (17 preceding siblings ...)
  2011-02-11 16:00 ` Launchpad Bug Tracker
@ 2011-02-11 16:00 ` Dustin Kirkland
  2011-02-11 18:47 ` Launchpad Bug Tracker
                   ` (19 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 16:00 UTC (permalink / raw)
  To: qemu-devel

Attaching Lucid debdiff.

** Patch added: "697197.lucid.debdiff"
   https://bugs.launchpad.net/ubuntu/lucid/+source/qemu-kvm/+bug/697197/+attachment/1843553/+files/697197.lucid.debdiff

** Changed in: qemu-kvm (Ubuntu Lucid)
     Assignee: Dustin Kirkland (kirkland) => Ubuntu Security Team (ubuntu-security)

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (18 preceding siblings ...)
  2011-02-11 16:00 ` Dustin Kirkland
@ 2011-02-11 18:47 ` Launchpad Bug Tracker
  2011-02-11 20:13 ` Launchpad Bug Tracker
                   ` (18 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-02-11 18:47 UTC (permalink / raw)
  To: qemu-devel

** Branch linked: lp:~kirkland/ubuntu/natty/qemu-kvm/fix-build

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (19 preceding siblings ...)
  2011-02-11 18:47 ` Launchpad Bug Tracker
@ 2011-02-11 20:13 ` Launchpad Bug Tracker
  2011-02-11 23:19 ` Kees Cook
                   ` (17 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-02-11 20:13 UTC (permalink / raw)
  To: qemu-devel

** Branch linked: lp:ubuntu/qemu-kvm

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  New
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (20 preceding siblings ...)
  2011-02-11 20:13 ` Launchpad Bug Tracker
@ 2011-02-11 23:19 ` Kees Cook
  2011-02-11 23:32 ` Kees Cook
                   ` (16 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Kees Cook @ 2011-02-11 23:19 UTC (permalink / raw)
  To: qemu-devel

** Changed in: libvirt (Ubuntu Natty)
   Importance: High => Undecided

** Changed in: libvirt (Ubuntu Natty)
     Assignee: Serge Hallyn (serge-hallyn) => (unassigned)

** Changed in: qemu-kvm (Ubuntu Maverick)
    Milestone: maverick-updates => None

** Changed in: libvirt (Ubuntu Lucid)
       Status: New => Invalid

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  New

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (21 preceding siblings ...)
  2011-02-11 23:19 ` Kees Cook
@ 2011-02-11 23:32 ` Kees Cook
  2011-02-11 23:49 ` Dustin Kirkland
                   ` (15 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Kees Cook @ 2011-02-11 23:32 UTC (permalink / raw)
  To: qemu-devel

Thanks for preparing the debdiffs! It looks like karmic is vulnerable
too, so we'll need that as well. I'll update the debdiffs to use proper
DEP-3 and fix up the formatting of the changelogs a bit ("CVE-" vs "CVE:
"), and get these building.

** Also affects: libvirt (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Also affects: qemu-kvm (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Changed in: libvirt (Ubuntu Karmic)
       Status: New => Invalid

** Changed in: qemu-kvm (Ubuntu Karmic)
       Status: New => In Progress

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  In Progress

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (22 preceding siblings ...)
  2011-02-11 23:32 ` Kees Cook
@ 2011-02-11 23:49 ` Dustin Kirkland
  2011-02-12  0:03 ` Kees Cook
                   ` (14 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Dustin Kirkland @ 2011-02-11 23:49 UTC (permalink / raw)
  To: qemu-devel

Attaching debdiff for karmic.

** Patch added: "697197.karmic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/+attachment/1844267/+files/697197.karmic.debdiff

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  In Progress
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  In Progress
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  In Progress

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (23 preceding siblings ...)
  2011-02-11 23:49 ` Dustin Kirkland
@ 2011-02-12  0:03 ` Kees Cook
  2011-02-14 19:04 ` Launchpad Bug Tracker
                   ` (13 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Kees Cook @ 2011-02-12  0:03 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu-kvm (Ubuntu Maverick)
     Assignee: Ubuntu Security Team (ubuntu-security) => Kees Cook (kees)

** Changed in: qemu-kvm (Ubuntu Lucid)
     Assignee: Ubuntu Security Team (ubuntu-security) => Kees Cook (kees)

** Changed in: qemu-kvm (Ubuntu Karmic)
   Importance: Undecided => Medium

** Changed in: qemu-kvm (Ubuntu Karmic)
     Assignee: (unassigned) => Kees Cook (kees)

** Changed in: qemu-kvm (Ubuntu Lucid)
       Status: In Progress => Fix Committed

** Changed in: qemu-kvm (Ubuntu Maverick)
       Status: In Progress => Fix Committed

** Changed in: qemu-kvm (Ubuntu Karmic)
       Status: In Progress => Fix Committed

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Committed
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Committed
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Committed

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (24 preceding siblings ...)
  2011-02-12  0:03 ` Kees Cook
@ 2011-02-14 19:04 ` Launchpad Bug Tracker
  2011-02-14 19:04 ` Launchpad Bug Tracker
                   ` (12 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-02-14 19:04 UTC (permalink / raw)
  To: qemu-devel

This bug was fixed in the package qemu-kvm - 0.12.5+noroms-0ubuntu7.2

---------------
qemu-kvm (0.12.5+noroms-0ubuntu7.2) maverick-security; urgency=low

  [ Dustin Kirkland ]
  * SECURITY UPDATE: Setting VNC password to empty string silently
    disables all authentication (LP: #697197).
    - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
      change introduced in Qemu by git commit 52c18be9, thanks to Neil Wilson.
    - CVE-2011-0011

  [ Kees Cook ]
  * debian/rules: disable parallel build; fix FTBFS.
 -- Kees Cook <kees@ubuntu.com>   Fri, 11 Feb 2011 15:52:12 -0800

** Changed in: qemu-kvm (Ubuntu Maverick)
       Status: Fix Committed => Fix Released

** Changed in: qemu-kvm (Ubuntu Lucid)
       Status: Fix Committed => Fix Released

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (25 preceding siblings ...)
  2011-02-14 19:04 ` Launchpad Bug Tracker
@ 2011-02-14 19:04 ` Launchpad Bug Tracker
  2011-02-14 19:04 ` Launchpad Bug Tracker
                   ` (11 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-02-14 19:04 UTC (permalink / raw)
  To: qemu-devel

This bug was fixed in the package qemu-kvm - 0.12.3+noroms-0ubuntu9.4

---------------
qemu-kvm (0.12.3+noroms-0ubuntu9.4) lucid-security; urgency=low

  * SECURITY UPDATE: Setting VNC password to empty string silently
    disables all authentication (LP: #697197)
    - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
      change introduced in Qemu by git commit 52c18be9, thanks to Neil Wilson.
    - CVE-2011-0011
 -- Dustin Kirkland <kirkland@ubuntu.com>   Fri, 11 Feb 2011 09:57:30 -0600

** Changed in: qemu-kvm (Ubuntu Karmic)
       Status: Fix Committed => Fix Released

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (26 preceding siblings ...)
  2011-02-14 19:04 ` Launchpad Bug Tracker
@ 2011-02-14 19:04 ` Launchpad Bug Tracker
  2011-02-21 14:01 ` Marc Deslauriers
                   ` (10 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-02-14 19:04 UTC (permalink / raw)
  To: qemu-devel

This bug was fixed in the package qemu-kvm - 0.11.0-0ubuntu6.4

---------------
qemu-kvm (0.11.0-0ubuntu6.4) karmic-security; urgency=low

  * SECURITY UPDATE: Setting VNC password to empty string silently
    disables all authentication (LP: #697197)
    - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
      change introduced in Qemu by git commit 52c18be9, thanks to Neil Wilson.
    - CVE-2011-0011
 -- Dustin Kirkland <kirkland@ubuntu.com>   Fri, 11 Feb 2011 17:46:26 -0600

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (27 preceding siblings ...)
  2011-02-14 19:04 ` Launchpad Bug Tracker
@ 2011-02-21 14:01 ` Marc Deslauriers
  2011-03-15 21:19 ` Launchpad Bug Tracker
                   ` (9 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Marc Deslauriers @ 2011-02-21 14:01 UTC (permalink / raw)
  To: qemu-devel

Nothing left to do, unsubscribing ubuntu-security-sponsors.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (28 preceding siblings ...)
  2011-02-21 14:01 ` Marc Deslauriers
@ 2011-03-15 21:19 ` Launchpad Bug Tracker
  2011-04-04 21:34 ` Launchpad Bug Tracker
                   ` (8 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-03-15 21:19 UTC (permalink / raw)
  To: qemu-devel

** Branch linked: lp:ubuntu/maverick-updates/qemu-kvm

** Branch linked: lp:ubuntu/lucid-updates/qemu-kvm

** Branch linked: lp:ubuntu/karmic-security/qemu-kvm

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (29 preceding siblings ...)
  2011-03-15 21:19 ` Launchpad Bug Tracker
@ 2011-04-04 21:34 ` Launchpad Bug Tracker
  2011-04-26  7:50 ` Michael Tokarev
                   ` (7 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Launchpad Bug Tracker @ 2011-04-04 21:34 UTC (permalink / raw)
  To: qemu-devel

** Branch linked: lp:ubuntu/lucid-proposed/qemu-kvm

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (30 preceding siblings ...)
  2011-04-04 21:34 ` Launchpad Bug Tracker
@ 2011-04-26  7:50 ` Michael Tokarev
  2011-04-26  8:27 ` Bug Watch Updater
                   ` (6 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Michael Tokarev @ 2011-04-26  7:50 UTC (permalink / raw)
  To: qemu-devel

** Bug watch added: Debian Bug tracker #611134
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134

** Also affects: qemu-kvm (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released
Status in “qemu-kvm” package in Debian:
  Unknown

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (31 preceding siblings ...)
  2011-04-26  7:50 ` Michael Tokarev
@ 2011-04-26  8:27 ` Bug Watch Updater
  2011-08-11  0:35 ` Bug Watch Updater
                   ` (5 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Bug Watch Updater @ 2011-04-26  8:27 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu-kvm (Debian)
       Status: Unknown => New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released
Status in “qemu-kvm” package in Debian:
  New

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (32 preceding siblings ...)
  2011-04-26  8:27 ` Bug Watch Updater
@ 2011-08-11  0:35 ` Bug Watch Updater
  2012-09-27 12:37 ` Stephan S.
                   ` (4 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Bug Watch Updater @ 2011-08-11  0:35 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu-kvm (Debian)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released
Status in “qemu-kvm” package in Debian:
  Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/libvirt/+bug/697197/+subscriptions

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (33 preceding siblings ...)
  2011-08-11  0:35 ` Bug Watch Updater
@ 2012-09-27 12:37 ` Stephan S.
  2012-09-27 13:32 ` Stephan S.
                   ` (3 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Stephan S. @ 2012-09-27 12:37 UTC (permalink / raw)
  To: qemu-devel

Ubuntu 12.04 is also affected

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released
Status in “qemu-kvm” package in Debian:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (34 preceding siblings ...)
  2012-09-27 12:37 ` Stephan S.
@ 2012-09-27 13:32 ` Stephan S.
  2016-01-12 22:54 ` pranith
                   ` (2 subsequent siblings)
  38 siblings, 0 replies; 39+ messages in thread
From: Stephan S. @ 2012-09-27 13:32 UTC (permalink / raw)
  To: qemu-devel

** Branch linked: lp:ubuntu/precise/qemu-kvm

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt virtualization API:
  Unknown
Status in QEMU:
  Confirmed
Status in qemu-kvm:
  Unknown
Status in “libvirt” package in Ubuntu:
  Invalid
Status in “qemu-kvm” package in Ubuntu:
  Fix Released
Status in “libvirt” source package in Lucid:
  Invalid
Status in “qemu-kvm” source package in Lucid:
  Fix Released
Status in “libvirt” source package in Maverick:
  Invalid
Status in “qemu-kvm” source package in Maverick:
  Fix Released
Status in “libvirt” source package in Natty:
  Invalid
Status in “qemu-kvm” source package in Natty:
  Fix Released
Status in “libvirt” source package in Karmic:
  Invalid
Status in “qemu-kvm” source package in Karmic:
  Fix Released
Status in “qemu-kvm” package in Debian:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (35 preceding siblings ...)
  2012-09-27 13:32 ` Stephan S.
@ 2016-01-12 22:54 ` pranith
  2017-10-27 16:28 ` Bug Watch Updater
  2017-10-27 16:28 ` Bug Watch Updater
  38 siblings, 0 replies; 39+ messages in thread
From: pranith @ 2016-01-12 22:54 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt:
  Unknown
Status in QEMU:
  Fix Released
Status in qemu-kvm:
  Unknown
Status in libvirt package in Ubuntu:
  Invalid
Status in qemu-kvm package in Ubuntu:
  Fix Released
Status in libvirt source package in Lucid:
  Invalid
Status in qemu-kvm source package in Lucid:
  Fix Released
Status in libvirt source package in Maverick:
  Invalid
Status in qemu-kvm source package in Maverick:
  Fix Released
Status in libvirt source package in Natty:
  Invalid
Status in qemu-kvm source package in Natty:
  Fix Released
Status in libvirt source package in Karmic:
  Invalid
Status in qemu-kvm source package in Karmic:
  Fix Released
Status in qemu-kvm package in Debian:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (36 preceding siblings ...)
  2016-01-12 22:54 ` pranith
@ 2017-10-27 16:28 ` Bug Watch Updater
  2017-10-27 16:28 ` Bug Watch Updater
  38 siblings, 0 replies; 39+ messages in thread
From: Bug Watch Updater @ 2017-10-27 16:28 UTC (permalink / raw)
  To: qemu-devel

Launchpad has imported 3 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=667097.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-01-04T12:30:55+00:00 Neil wrote:

Description of problem:

The help for 'vnc_password' in qemu.conf states "An empty string will
still enable passwords, but be rejected by QEMU effectively preventing
any use of VNC.".

Yet if you set vnc_password="" then you can access the VNC console
without any password prompt at all - just as you can if the entry is
hashed out.

Version-Release number of selected component (if applicable):

libvirtd (libvirt) 0.8.3


How reproducible:

Every time by configuration

Steps to Reproduce:
1. Create a VNC console without a password.
2. Set vnc_password="" in /etc/libvirt/qemu.conf
3. Start up a guest and access the VNC console with a client. 
  
Actual results:

You get straight into the console with no prompts.


Expected results:

Should have come up with a prompt and rejected the access. Or the
instructions in the qemu.conf file need changing to take account of the
current behaviour.

Additional info:

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/2

------------------------------------------------------------------------
On 2011-01-04T12:48:32+00:00 Neil wrote:

Similarly if you set the passwd attribute to '' in the vnc graphics XML
stanza.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/3

------------------------------------------------------------------------
On 2011-01-07T14:45:34+00:00 Daniel wrote:

This is not a libvirt bug. This is caused by a flaw in the particular QEMU
version you are using, which silently disables auth when the password is
set to "". This bug was introduced in QEMU in this bogus commit

commit 52c18be9e99dabe295321153fda7fce9f76647ac
Author: Zachary Amsden <zamsden@redhat.com>
Date:   Thu Jul 30 00:15:01 2009 -1000

    When using stdio monitor and VNC display, one can set or clear a VNC
password; this should set or turn off VNC authentication as well.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/5


** Changed in: libvirt
       Status: Unknown => Invalid

** Changed in: libvirt
   Importance: Unknown => Medium

** Changed in: qemu-kvm
       Status: Unknown => Fix Released

** Changed in: qemu-kvm
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt:
  Invalid
Status in QEMU:
  Fix Released
Status in qemu-kvm:
  Fix Released
Status in libvirt package in Ubuntu:
  Invalid
Status in qemu-kvm package in Ubuntu:
  Fix Released
Status in libvirt source package in Lucid:
  Invalid
Status in qemu-kvm source package in Lucid:
  Fix Released
Status in libvirt source package in Maverick:
  Invalid
Status in qemu-kvm source package in Maverick:
  Fix Released
Status in libvirt source package in Natty:
  Invalid
Status in qemu-kvm source package in Natty:
  Fix Released
Status in libvirt source package in Karmic:
  Invalid
Status in qemu-kvm source package in Karmic:
  Fix Released
Status in qemu-kvm package in Debian:
  Fix Released

^ permalink raw reply	[flat|nested] 39+ messages in thread
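
Added example (not part of the original thread, and not libvirt or QEMU code): a
configuration audit for the two settings the report names, vnc_password="" in
qemu.conf and passwd='' on a VNC graphics element in the domain XML. The sample
config text, the guest names and all function names are constructed for
illustration.

```python
import re
import xml.etree.ElementTree as ET

# An active (uncommented) vnc_password assignment in libvirt's qemu.conf.
# Group 2 is the quoted value; a trailing "# comment" is tolerated.
_VNC_PW = re.compile(r'^\s*vnc_password\s*=\s*(["\'])(.*)\1\s*(?:#.*)?$')


def conf_vnc_password_state(conf_text):
    """Classify vnc_password in qemu.conf text as 'unset', 'empty' or 'set'.

    Conservative on purpose: if any active assignment is the empty string the
    result is 'empty', regardless of other assignments in the file.
    """
    values = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # commented out: password not configured
        m = _VNC_PW.match(line)
        if m:
            values.append(m.group(2))
    if not values:
        return "unset"
    return "empty" if any(v == "" for v in values) else "set"


def domain_vnc_passwd_states(domain_xml):
    """Return [(domain name, state)] for every VNC <graphics> element."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="(unnamed)")
    states = []
    for graphics in root.iter("graphics"):
        if graphics.get("type") != "vnc":
            continue
        passwd = graphics.get("passwd")
        if passwd is None:
            states.append((name, "unset"))   # attribute absent
        elif passwd == "":
            states.append((name, "empty"))   # the case from the bug report
        else:
            states.append((name, "set"))
    return states


def audit(conf_text, domain_xmls):
    """List every place where an empty VNC password is configured.

    On a QEMU build with the flaw described in this thread, each finding means
    the console is reachable without a password prompt.
    """
    findings = []
    if conf_vnc_password_state(conf_text) == "empty":
        findings.append(("qemu.conf", 'vnc_password=""'))
    for xml_text in domain_xmls:
        for name, state in domain_vnc_passwd_states(xml_text):
            if state == "empty":
                findings.append((name, "passwd=''"))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE_CONF = '''\
# vnc_password = "XYZ12345"
vnc_password = ""
'''

SAMPLE_DOMAINS = [
    "<domain type='kvm'><name>guest-a</name><devices>"
    "<graphics type='vnc' port='-1' passwd=''/></devices></domain>",
    "<domain type='kvm'><name>guest-b</name><devices>"
    "<graphics type='vnc' port='-1' passwd='s3cr3t-x'/></devices></domain>",
    "<domain type='kvm'><name>guest-c</name><devices>"
    "<graphics type='vnc' port='-1'/></devices></domain>",
]

if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONF, SAMPLE_DOMAINS):
        print(f"{where}: {what} (empty VNC password configured)")
```
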

* [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
       [not found] <20110104122142.23014.63077.malonedeb@gandwana.canonical.com>
                   ` (37 preceding siblings ...)
  2017-10-27 16:28 ` Bug Watch Updater
@ 2017-10-27 16:28 ` Bug Watch Updater
  38 siblings, 0 replies; 39+ messages in thread
From: Bug Watch Updater @ 2017-10-27 16:28 UTC (permalink / raw)
  To: qemu-devel

Launchpad has imported 5 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=668589.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-01-10T20:45:01+00:00 Petr wrote:

Description of problem:
The semantics of the ',password' option to -vnc are that it enables the VNC auth scheme. If the VNC server password is unset or empty string, all attempts to authenticate with the server will be explicitly blocked.

This allows applications to enable and selectively allow access for a
period of time, before clearing the password again to prevent further
access.

Upstream changes have introduced a flaw by disabling all authentication
when the password was cleared with upstream commit [1].

[1]
http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/9

------------------------------------------------------------------------
On 2011-01-28T18:02:42+00:00 Neil wrote:

Created attachment 475841
Fix to vnc password semantics

This patch corrects the flaw in qemu-kvm

Please see http://launchpad.net/bugs/697197 for testing performed.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/15

------------------------------------------------------------------------
On 2011-02-28T11:09:05+00:00 Petr wrote:

Created qemu tracking bugs for this issue

Affects: fedora-all [bug 680886]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/31

------------------------------------------------------------------------
On 2011-03-10T20:11:32+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0345 https://rhn.redhat.com/errata/RHSA-2011-0345.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/32

------------------------------------------------------------------------
On 2012-03-30T17:33:58+00:00 Petr wrote:

Statement:

This issue does not affect versions of kvm package as shipped with Red
Hat Enterprise Linux 5.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/33

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt:
  Invalid
Status in QEMU:
  Fix Released
Status in qemu-kvm:
  Fix Released
Status in libvirt package in Ubuntu:
  Invalid
Status in qemu-kvm package in Ubuntu:
  Fix Released
Status in libvirt source package in Lucid:
  Invalid
Status in qemu-kvm source package in Lucid:
  Fix Released
Status in libvirt source package in Maverick:
  Invalid
Status in qemu-kvm source package in Maverick:
  Fix Released
Status in libvirt source package in Natty:
  Invalid
Status in qemu-kvm source package in Natty:
  Fix Released
Status in libvirt source package in Karmic:
  Invalid
Status in qemu-kvm source package in Karmic:
  Fix Released
Status in qemu-kvm package in Debian:
  Fix Released

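A defender-side check for the setting named in the bug description, as an added example that is not part of the original thread or of libvirt/QEMU: it classifies `vnc_password` in qemu.conf text as commented out, empty, or set. The sample configs are constructed, and treating any empty assignment as the finding when the key appears more than once is an assumption.

```python
import re

# Active (uncommented) assignment in libvirt's key = "value" syntax.
# A leading '#' prevents a match, so commented-out lines are ignored.
ASSIGN = re.compile(r'^\s*vnc_password\s*=\s*"((?:[^"\\]|\\.)*)"')

FINDINGS = {
    "unset": "no VNC password configured: console access is "
             "unauthenticated, as the qemu.conf help text documents",
    "empty": 'vnc_password is "": on qemu-kvm builds without the fix this '
             "also gives unauthenticated access, contrary to the help text",
    "set": "VNC password configured",
}


def vnc_password_state(conf_text):
    """Return 'unset', 'empty' or 'set' for the given qemu.conf text."""
    values = [m.group(1)
              for m in map(ASSIGN.match, conf_text.splitlines()) if m]
    # Assumption: if the key is assigned more than once, any empty
    # assignment is reported, which is the conservative reading.
    if any(v == "" for v in values):
        return "empty"
    return "set" if values else "unset"


def audit(conf_text):
    """Return (state, human-readable finding) for one config file's text."""
    state = vnc_password_state(conf_text)
    return state, FINDINGS[state]


# Constructed sample configs (not taken from any real host).
SAMPLE_COMMENTED = '# vnc_password = "XYZ12345"\nvnc_listen = "0.0.0.0"\n'
SAMPLE_EMPTY = '#vnc_password = "old"\n  vnc_password=""   # cleared\n'
SAMPLE_SET = 'vnc_password = "constructed-example"\n'

if __name__ == "__main__":
    for name, text in [("commented", SAMPLE_COMMENTED),
                       ("empty", SAMPLE_EMPTY),
                       ("set", SAMPLE_SET)]:
        state, finding = audit(text)
        print(f"{name}: {state}: {finding}")
```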
