* [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords [not found] <20130228222749.31447.62008.malonedeb@chaenomeles.canonical.com> @ 2021-04-22 4:30 ` Thomas Huth 2021-06-22 4:17 ` Launchpad Bug Tracker 1 sibling, 0 replies; 2+ messages in thread From: Thomas Huth @ 2021-04-22 4:30 UTC (permalink / raw) To: qemu-devel The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now. If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience. ** Changed in: qemu Status: New => Incomplete -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1136477 Title: qemu doesn't sanitize command line options carrying plaintext passwords Status in QEMU: Incomplete Bug description: A slight security problem exists with qemu's lack of sanitization of argv[], for cases where the user may have specified a plaintext password for spice/vnc authorization. (Yes, it's not great to use this facility, but it's convenient and not grotesquely unsafe, were it not for this bug.) It would be nice if those plaintext passwords were nuked from the command line, so a subsequent "ps awux" didn't show them for all to see. See also https://bugzilla.redhat.com/show_bug.cgi?id=916279 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1136477/+subscriptions ^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords [not found] <20130228222749.31447.62008.malonedeb@chaenomeles.canonical.com> 2021-04-22 4:30 ` [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords Thomas Huth @ 2021-06-22 4:17 ` Launchpad Bug Tracker 1 sibling, 0 replies; 2+ messages in thread From: Launchpad Bug Tracker @ 2021-06-22 4:17 UTC (permalink / raw) To: qemu-devel [Expired for QEMU because there has been no activity for 60 days.] ** Changed in: qemu Status: Incomplete => Expired -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1136477 Title: qemu doesn't sanitize command line options carrying plaintext passwords Status in QEMU: Expired Bug description: A slight security problem exists with qemu's lack of sanitization of argv[], for cases where the user may have specified a plaintext password for spice/vnc authorization. (Yes, it's not great to use this facility, but it's convenient and not grotesquely unsafe, were it not for this bug.) It would be nice if those plaintext passwords were nuked from the command line, so a subsequent "ps awux" didn't show them for all to see. See also https://bugzilla.redhat.com/show_bug.cgi?id=916279 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1136477/+subscriptions ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-06-22 5:14 UTC | newest] Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <20130228222749.31447.62008.malonedeb@chaenomeles.canonical.com> 2021-04-22 4:30 ` [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords Thomas Huth 2021-06-22 4:17 ` Launchpad Bug Tracker
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).