[libvirt] [PATCH] qemu: Let empty default VNC password work as documented
Daniel P. Berrange
berrange at redhat.com
Tue Jun 28 14:12:37 UTC 2016
On Tue, Jun 28, 2016 at 10:01:19AM -0400, Cole Robinson wrote:
> On 06/28/2016 09:28 AM, Daniel P. Berrange wrote:
> > On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> >> Setting an empty vnc_password in qemu.conf is documented as a way to
> >> disable VNC access, but QEMU does not seem to behave like that. Let's
> >> enforce the behavior by setting password expiration to "now".
> >
> > Hmm, I wonder when they regressed that behaviour *again*. We've fixed
> > that in QEMU at least twice in the past. I'd like to see us explore
> > when this changed in QEMU and whether we should fix it there instead.
> >
>
> I did some digging on this recently, see my findings here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1180092#c5
>
> The issue is that there are two different monitor commands at play here, and the
> set_password one we presently use has never had the semantics we advertise in
> qemu.conf, so I'm guessing something like Jiri's patch will be needed regardless

Ok, so it's broken since we stopped using 'change vnc password' HMP
command. So we'll want to deal with this as a libvirt CVE, and provide
patches on historical stable branches too.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
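
The approach described in the quoted patch summary, as an added example that is not part of this thread and is not libvirt's own code: it reads the default `vnc_password` from qemu.conf text and builds the QMP `set_password` / `expire_password` commands, forcing expiry to "now" when the password is empty. The function names, the sample config and the last-assignment-wins rule are assumptions made for the illustration.

```python
import json
import re

# Matches an uncommented `vnc_password = "..."` line in qemu.conf.
_VNC_PW = re.compile(r'^\s*vnc_password\s*=\s*"(?P<pw>[^"]*)"\s*(?:#.*)?$')

# Constructed sample qemu.conf fragment (not taken from a real host).
SAMPLE_CONF = '''\
vnc_listen = "0.0.0.0"
#vnc_password = "XYZ12345"
vnc_password = ""
'''


def default_vnc_password(conf_text):
    """Return None if vnc_password is unset, else its value ('' if empty)."""
    value = None
    for line in conf_text.splitlines():
        m = _VNC_PW.match(line)
        if m:
            value = m.group("pw")  # assumption: the last assignment wins
    return value


def qmp_password_commands(password, expire="never"):
    """Build the QMP commands that apply a default VNC password.

    Per the thread, set_password on its own does not give an empty
    password the documented "VNC disabled" meaning, so an empty password
    is paired with an immediate expiry.
    """
    if password is None:
        return []  # no default password configured, nothing to send
    when = "now" if password == "" else expire
    return [
        {"execute": "set_password",
         "arguments": {"protocol": "vnc", "password": password}},
        {"execute": "expire_password",
         "arguments": {"protocol": "vnc", "time": when}},
    ]


if __name__ == "__main__":
    for cmd in qmp_password_commands(default_vnc_password(SAMPLE_CONF)):
        print(json.dumps(cmd))
```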