7:45 a.m.
Setting an empty vnc_password in qemu.conf is documented as a way to
disable VNC access, but QEMU does not seem to behave like that. Let's
enforce the behavior by setting password expiration to "now".
Note, this has no effect on setting an empty //graphics@passwd in
domain XML. Users may use //graphics@passwdValidTo to enforce the same
behavior.
https://bugzilla.redhat.com/show_bug.cgi?id=1180092
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
src/qemu/qemu_hotplug.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index e0b8230..91f48dc 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -3970,6 +3970,8 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
snprintf(expire_time, sizeof(expire_time), "now");
else
snprintf(expire_time, sizeof(expire_time), "%lu", (long
unsigned)auth->validTo);
+ } else if (!auth->passwd && defaultPasswd && defaultPasswd[0] ==
'\0') {
+ snprintf(expire_time, sizeof(expire_time), "now");
} else {
snprintf(expire_time, sizeof(expire_time), "never");
}
--
2.9.0
8:28 a.m.
On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
Setting an empty vnc_password in qemu.conf is documented as a way to
disable VNC access, but QEMU does not seem to behave like that. Let's
enforce the behavior by setting password expiration to "now".
Hmm, i wonder when they regressed that behaviour *again*. We've fixed
that in QEMU at least twice in the past. I'd like to see us explore
when this changed in QEMU and whehter we should fix it there instead.
Also, this is probably classified as needing a CVE, since previous
regressions in this area were recorded security issues IIRC. Which
again means we need to investigate just when this behavioural change
happened.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:01 a.m.
On 06/28/2016 09:28 AM, Daniel P. Berrange wrote:
On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> Setting an empty vnc_password in qemu.conf is documented as a way to
> disable VNC access, but QEMU does not seem to behave like that. Let's
> enforce the behavior by setting password expiration to "now".
Hmm, i wonder when they regressed that behaviour *again*. We've fixed
that in QEMU at least twice in the past. I'd like to see us explore
when this changed in QEMU and whehter we should fix it there instead.
I did some digging on this recently, see my findings here:
https://bugzilla.redhat.com/show_bug.cgi?id=1180092#c5
The issue is that there's two different monitor commands at play here, and the
set_password one we presently use has never had the semantics we advertise in
qemu.conf, so I'm guessing something like Jiri's patch will be needed regardless
- Cole
9:12 a.m.
On Tue, Jun 28, 2016 at 10:01:19AM -0400, Cole Robinson wrote:
On 06/28/2016 09:28 AM, Daniel P. Berrange wrote:
> On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
>> Setting an empty vnc_password in qemu.conf is documented as a way to
>> disable VNC access, but QEMU does not seem to behave like that. Let's
>> enforce the behavior by setting password expiration to "now".
>
> Hmm, i wonder when they regressed that behaviour *again*. We've fixed
> that in QEMU at least twice in the past. I'd like to see us explore
> when this changed in QEMU and whehter we should fix it there instead.
>
I did some digging on this recently, see my findings here:
https://bugzilla.redhat.com/show_bug.cgi?id=1180092#c5
The issue is that there's two different monitor commands at play here, and the
set_password one we presently use has never had the semantics we advertise in
qemu.conf, so I'm guessing something like Jiri's patch will be needed regardless
Ok, so its broken since we stopped using 'change vnc password' HMP
command. So we'll want to deal with this as a libvirt CVE, and provide
patches on historical stable branches too.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
8:47 a.m.
On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
Setting an empty vnc_password in qemu.conf is documented as a way to
disable VNC access, but QEMU does not seem to behave like that. Let's
enforce the behavior by setting password expiration to "now".
Note, this has no effect on setting an empty //graphics@passwd in
domain XML. Users may use //graphics@passwdValidTo to enforce the same
behavior.
https://bugzilla.redhat.com/show_bug.cgi?id=1180092
Please reference newly assigned CVE-2016-5008 in the commit message
before pushing.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
src/qemu/qemu_hotplug.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index e0b8230..91f48dc 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -3970,6 +3970,8 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
snprintf(expire_time, sizeof(expire_time), "now");
else
snprintf(expire_time, sizeof(expire_time), "%lu", (long
unsigned)auth->validTo);
+ } else if (!auth->passwd && defaultPasswd && defaultPasswd[0] ==
'\0') {
+ snprintf(expire_time, sizeof(expire_time), "now");
} else {
snprintf(expire_time, sizeof(expire_time), "never");
}
Not shown in this patch is the earlier condition if (auth->expires).
IOW, if you set the empty password, but also have an expiry time
set we'll still be allowing access. Now admittedly setting an
empty password and also an expiry time is fairly pointless, but
I can easily see apps mistakenly doing this. So we should check
the empty password as the first branch in the condition.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:18 a.m.
On Wed, Jun 29, 2016 at 14:47:23 +0100, Daniel P. Berrange wrote:
On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> Setting an empty vnc_password in qemu.conf is documented as a way to
> disable VNC access, but QEMU does not seem to behave like that. Let's
> enforce the behavior by setting password expiration to "now".
>
> Note, this has no effect on setting an empty //graphics@passwd in
> domain XML. Users may use //graphics@passwdValidTo to enforce the same
> behavior.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1180092
Please reference newly assigned CVE-2016-5008 in the commit message
before pushing.
> Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
> ---
> src/qemu/qemu_hotplug.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
> index e0b8230..91f48dc 100644
> --- a/src/qemu/qemu_hotplug.c
> +++ b/src/qemu/qemu_hotplug.c
> @@ -3970,6 +3970,8 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
> snprintf(expire_time, sizeof(expire_time), "now");
> else
> snprintf(expire_time, sizeof(expire_time), "%lu", (long
unsigned)auth->validTo);
> + } else if (!auth->passwd && defaultPasswd &&
defaultPasswd[0] == '\0') {
> + snprintf(expire_time, sizeof(expire_time), "now");
> } else {
> snprintf(expire_time, sizeof(expire_time), "never");
> }
Not shown in this patch is the earlier condition if (auth->expires).
IOW, if you set the empty password, but also have an expiry time
set we'll still be allowing access. Now admittedly setting an
empty password and also an expiry time is fairly pointless, but
I can easily see apps mistakenly doing this. So we should check
the empty password as the first branch in the condition.
Well, I explicitly only fixed the issue with an empty default password
and using a //graphics/@passwdValidTo with a default password is not
supported. Libvirt will just ignore the XML element and thus
auth->expires will always be false with default passwords.
Do you think we should handle empty passwords in XML too?
Jirka
9:20 a.m.
On Wed, Jun 29, 2016 at 04:18:03PM +0200, Jiri Denemark wrote:
On Wed, Jun 29, 2016 at 14:47:23 +0100, Daniel P. Berrange wrote:
> On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> > Setting an empty vnc_password in qemu.conf is documented as a way to
> > disable VNC access, but QEMU does not seem to behave like that. Let's
> > enforce the behavior by setting password expiration to "now".
> >
> > Note, this has no effect on setting an empty //graphics@passwd in
> > domain XML. Users may use //graphics@passwdValidTo to enforce the same
> > behavior.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1180092
>
> Please reference newly assigned CVE-2016-5008 in the commit message
> before pushing.
>
> > Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
> > ---
> > src/qemu/qemu_hotplug.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
> > index e0b8230..91f48dc 100644
> > --- a/src/qemu/qemu_hotplug.c
> > +++ b/src/qemu/qemu_hotplug.c
> > @@ -3970,6 +3970,8 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr
driver,
> > snprintf(expire_time, sizeof(expire_time), "now");
> > else
> > snprintf(expire_time, sizeof(expire_time), "%lu", (long
unsigned)auth->validTo);
> > + } else if (!auth->passwd && defaultPasswd &&
defaultPasswd[0] == '\0') {
> > + snprintf(expire_time, sizeof(expire_time), "now");
> > } else {
> > snprintf(expire_time, sizeof(expire_time), "never");
> > }
>
> Not shown in this patch is the earlier condition if (auth->expires).
>
> IOW, if you set the empty password, but also have an expiry time
> set we'll still be allowing access. Now admittedly setting an
> empty password and also an expiry time is fairly pointless, but
> I can easily see apps mistakenly doing this. So we should check
> the empty password as the first branch in the condition.
Well, I explicitly only fixed the issue with an empty default password
and using a //graphics/@passwdValidTo with a default password is not
supported. Libvirt will just ignore the XML element and thus
auth->expires will always be false with default passwords.
Do you think we should handle empty passwords in XML too?
Yep, any empty password should disable access to the VNC server,
regardless of whether it comes from the global config file or
from the XML
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
3102
days inactive
3103
days old
6 comments
3 participants
participants (3)
-
Cole Robinson -
Daniel P. Berrange -
Jiri Denemark