[Libosinfo] [libosinfo PATCH v2 0/2] Do not expose user & admin password in the command line

Fabiano Fidêncio fidencio at redhat.com
Tue Jul 9 09:24:48 UTC 2019


Those two patches introduce a fix for a low-impact CVE where both the user
and admin passwords would be passed to osinfo-install-script via the
command line.

In order to avoid doing so, let's introduce a --config-file and warn out
whenever a password is passed via --config.

Changes since v1:
https://www.redhat.com/archives/libosinfo/2019-July/msg00026.html
- Added a note that --config-file is strongly recommended if the user or
  admin passwords need to be set;
- Added a note in the manpage that --config is deprecated and
  --config-file should be used instead;
- Changed the error to warning when --config is used to set user or admin
  passwords;

Changes not done after v1 review:
- Add a new API to OsinfoInstallConfig:
  Adding a new API would force us to, instead of easily backporting the
  change, force distros to use a new release of libosinfo;
- Fix Daniel's name:
  Better be consistent all over the place. :-)
  (Jokes apart, I can just fix this before pushing)

Fabiano Fidêncio (2):
  tools,install-script: Add --config-file (-f) option
  tools,install-script: Deprecate --config

 tools/osinfo-install-script.c | 110 +++++++++++++++++++++++++++++++++-
 1 file changed, 109 insertions(+), 1 deletion(-)

-- 
2.21.0
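The risk the series addresses is that anything placed in argv is readable by every local user through /proc/&lt;pid&gt;/cmdline (and hence `ps`), so a password given as `--config key=value` leaks to the whole machine. The following C program is an added illustration of the defensive pattern, not code from libosinfo or from this patch series: it flags `--config` arguments that carry a secret, reads the same key=value pairs from a file stream instead, and checks whether a given string is visible in the running process's own command line. The key names `user-password` and `admin-password`, the file format, and all sample values are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical secret-carrying keys; the real osinfo-install-script key names
 * are not taken from the patch and are an assumption of this example. */
static const char *SECRET_KEYS[] = { "user-password", "admin-password", NULL };

/* Return 1 if a "--config key=value" argument sets a secret key. This is the
 * check behind the series' warning: argv is world-readable via /proc. */
int config_arg_exposes_secret(const char *arg)
{
    const char *eq = strchr(arg, '=');
    size_t klen = eq ? (size_t)(eq - arg) : strlen(arg);
    for (const char **k = SECRET_KEYS; *k; k++)
        if (strlen(*k) == klen && strncmp(arg, *k, klen) == 0)
            return 1;
    return 0;
}

#define CFG_MAX 16
#define CFG_KEY 64
#define CFG_VAL 256

struct config {
    int n;
    char key[CFG_MAX][CFG_KEY];
    char val[CFG_MAX][CFG_VAL];
};

/* Parse "key = value" lines from an open stream (the caller opens the file,
 * ideally one it created with mode 0600). Blank lines and '#' comments are
 * skipped. Returns the number of entries, or -1 on a malformed line. */
int config_parse_stream(FILE *fp, struct config *cfg)
{
    char line[CFG_KEY + CFG_VAL + 2];
    cfg->n = 0;
    while (fgets(line, sizeof line, fp)) {
        char *p = line;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '#') continue;
        char *eq = strchr(p, '=');
        if (!eq || eq == p || cfg->n >= CFG_MAX) return -1;
        char *ke = eq;                       /* trim trailing space on key */
        while (ke > p && isspace((unsigned char)ke[-1])) ke--;
        *ke = '\0';
        char *v = eq + 1;                    /* trim value on both ends */
        while (isspace((unsigned char)*v)) v++;
        v[strcspn(v, "\r\n")] = '\0';
        if (strlen(p) >= CFG_KEY || strlen(v) >= CFG_VAL) return -1;
        strcpy(cfg->key[cfg->n], p);
        strcpy(cfg->val[cfg->n], v);
        cfg->n++;
    }
    return cfg->n;
}

/* Convenience wrapper for in-memory text (used for the constructed sample). */
int config_parse_string(const char *text, struct config *cfg)
{
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs(text, fp);
    rewind(fp);
    int n = config_parse_stream(fp, cfg);
    fclose(fp);
    return n;
}

/* Look up a key; NULL if absent. */
const char *config_get(const struct config *cfg, const char *key)
{
    for (int i = 0; i < cfg->n; i++)
        if (strcmp(cfg->key[i], key) == 0) return cfg->val[i];
    return NULL;
}

/* Is 'secret' visible in this process's own argv as any other local user would
 * see it? Returns 1 if found, 0 if not, -1 if /proc is unavailable (non-Linux). */
int secret_visible_in_proc_cmdline(const char *secret)
{
    FILE *fp = fopen("/proc/self/cmdline", "rb");
    if (!fp) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    for (size_t i = 0; i < n; i++)           /* argv entries are NUL separated */
        if (buf[i] == '\0') buf[i] = ' ';
    buf[n] = '\0';
    return strstr(buf, secret) != NULL;
}

/* Try: ./a.out --config user-password=hunter2   (constructed sample value) */
int main(int argc, char **argv)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--config") == 0 && config_arg_exposes_secret(argv[i + 1]))
            fprintf(stderr, "warning: '%s' was passed via --config; visible in "
                    "/proc/self/cmdline: %d. Use --config-file instead.\n",
                    argv[i + 1], secret_visible_in_proc_cmdline(argv[i + 1]));
    }
    struct config cfg;   /* constructed sample of the file-based alternative */
    int n = config_parse_string("# sample\nhostname = vm1\nuser-password=hunter2\n", &cfg);
    printf("parsed %d entries from file text; hostname=%s\n", n, config_get(&cfg, "hostname"));
    return 0;
}
```

Running it with a password in `--config` prints the warning and shows the value is readable from /proc; the same value supplied through the file stream never touches argv, which is exactly what `--config-file` buys.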