oss-sec mailing list archives
Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication
From: Kurt Seifried <kurt () seifried org>
Date: Mon, 10 Jan 2011 17:42:43 -0700

Upstream changes have introduced a flaw by disabling all authentication when the password was cleared with upstream commit [1].

[1] http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac

Confirmed vulnerable in qemu-kvm source code 0.10.6, fixed in 0.11.0
http://sourceforge.net/projects/kvm/files/qemu-kvm/

--
Kurt Seifried
kurt () seifried org
skype: 1-703-879-3176

Current thread:
- CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication Petr Matousek (Jan 10)
- Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication Kurt Seifried (Jan 10)
- Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication Josh Bressers (Jan 12)