[libvirt] [PATCH] qemu: Let empty default VNC password work as documented

Daniel P. Berrange berrange at redhat.com
Tue Jun 28 14:12:37 UTC 2016


On Tue, Jun 28, 2016 at 10:01:19AM -0400, Cole Robinson wrote:
> On 06/28/2016 09:28 AM, Daniel P. Berrange wrote:
> > On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> >> Setting an empty vnc_password in qemu.conf is documented as a way to
> >> disable VNC access, but QEMU does not seem to behave like that. Let's
> >> enforce the behavior by setting password expiration to "now".
> > 
> > Hmm, I wonder when they regressed that behaviour *again*. We've fixed
> > that in QEMU at least twice in the past. I'd like to see us explore
> > when this changed in QEMU and whether we should fix it there instead.
> > 
> 
> I did some digging on this recently, see my findings here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1180092#c5
> 
> The issue is that there are two different monitor commands at play here, and the
> set_password one we presently use has never had the semantics we advertise in
> qemu.conf, so I'm guessing something like Jiri's patch will be needed regardless

Ok, so it's broken since we stopped using 'change vnc password' HMP
command. So we'll want to deal with this as a libvirt CVE, and provide
patches on historical stable branches too.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
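
Added example (not part of the thread and not libvirt's code): a Python sketch of the behaviour the quoted patch description proposes, where an empty `vnc_password` in qemu.conf results in the VNC password being expired "now". The sample config text and the function names are constructed for illustration; `set_password` and `expire_password` are QEMU's QMP commands.

```python
import json
import re

# Constructed sample of qemu.conf content (not taken from the thread).
SAMPLE_CONF = '''
# VNC settings
vnc_listen = "0.0.0.0"
#vnc_password = "commented-out"
vnc_password = ""
'''

# Matches simple  key = "string"  assignments, allowing a trailing comment.
_ASSIGN = re.compile(
    r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:#.*)?$')


def read_string_settings(conf_text):
    """Return {key: value} for key = "string" lines, skipping comment lines."""
    settings = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def vnc_password_commands(conf_text):
    """QMP commands for the default VNC password; [] if none is configured."""
    settings = read_string_settings(conf_text)
    if "vnc_password" not in settings:
        return []
    password = settings["vnc_password"]
    commands = [{"execute": "set_password",
                 "arguments": {"protocol": "vnc", "password": password}}]
    if password == "":
        # Documented meaning of an empty password is "VNC access disabled".
        # set_password alone does not give that, so expire it immediately.
        commands.append({"execute": "expire_password",
                         "arguments": {"protocol": "vnc", "time": "now"}})
    return commands


if __name__ == "__main__":
    for command in vnc_password_commands(SAMPLE_CONF):
        print(json.dumps(command))
```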
