From: "Daniel P. Berrange" <berrange@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Date: Wed, 24 Aug 2011 13:50:40 +0100
Message-ID: <20110824125040.GG12120@redhat.com>
In-Reply-To: <4E54F252.7020007@codemonkey.ws>

On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
> On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange@redhat.com>
> >
> >In CVE-2011-0011 it was noted that setting an empty password
> >would disable all authentication for the VNC password. Commit
> >1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
> >but it just broke it in a different way, because now instead
> >of blindly disabling all authentication, it blindly resets all
> >authentication to 'VNC'.
> 
> But this is *not* a security problem.  Login becomes disabled as expected.

It *is* a security problem, because if you do

  change vnc password 123
  change vnc password ""
  change vnc password 456

you have lost the authentication settings you requested.

With this patch, changing the password to "" *still* disables
the login, without side effects on the auth scheme.

> We should really not overload the semantics of the change command
> like this and instead introduce a new QMP operation to disable
> login.

This change I mention below is the one that overloaded the semantics
by making a password change also change the auth scheme, breaking
the original behaviour.  If we want apps to be able to change the
auth scheme, that needs a separate monitor command.

The current behaviour is not usable and introduces a security problem
by changing auth scheme without being asked to.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
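The three monitor commands above, replayed against a small model of the two behaviours the mail contrasts. This is an added example written for this page, not QEMU's vnc.c; the VncState struct, the enum names and the assumed starting scheme (VeNCrypt TLS + VNC) are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model of a VNC server's auth state; not QEMU's own structures. */
typedef enum { AUTH_NONE, AUTH_VNC, AUTH_VENCRYPT_TLS_VNC } VncAuth;

typedef struct {
    VncAuth auth;          /* auth scheme the administrator configured */
    char password[32];     /* current VNC password ("" = none set) */
    bool login_disabled;   /* set once an empty password was given */
} VncState;

static void store_password(VncState *vs, const char *pw) {
    strncpy(vs->password, pw, sizeof(vs->password) - 1);
    vs->password[sizeof(vs->password) - 1] = '\0';
    /* Both behaviours agree on this part: "" disables login. */
    vs->login_disabled = (pw[0] == '\0');
}

/* Behaviour the mail attributes to commit 1cd20f8b: every password
 * change blindly resets the auth scheme to plain 'VNC'. */
void change_password_interim(VncState *vs, const char *pw) {
    store_password(vs, pw);
    vs->auth = AUTH_VNC;
}

/* Behaviour the patch under discussion describes: the password (and the
 * login-disabled flag) change, the configured auth scheme is untouched. */
void change_password_fixed(VncState *vs, const char *pw) {
    store_password(vs, pw);
}

/* Replays "change vnc password 123 / "" / 456" against a display that was
 * configured with an assumed VeNCrypt TLS + VNC scheme; returns the result. */
VncState replay_sequence(void (*change)(VncState *, const char *)) {
    VncState vs = { .auth = AUTH_VENCRYPT_TLS_VNC, .password = "",
                    .login_disabled = false };
    change(&vs, "123");
    change(&vs, "");    /* login disabled here in both variants */
    change(&vs, "456"); /* interim variant has now silently downgraded auth */
    return vs;
}
```

With the interim behaviour the replay ends with auth == AUTH_VNC, i.e. the TLS requirement the administrator configured is gone; with the fixed behaviour it is still AUTH_VENCRYPT_TLS_VNC.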
