[libvirt] [PATCH] qemu: Let empty default VNC password work as documented

Wed Jun 29 14:20:00 UTC 2016

On Wed, Jun 29, 2016 at 04:18:03PM +0200, Jiri Denemark wrote:
> On Wed, Jun 29, 2016 at 14:47:23 +0100, Daniel P. Berrange wrote:
> > On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> > > Setting an empty vnc_password in qemu.conf is documented as a way to
> > > disable VNC access, but QEMU does not seem to behave like that. Let's
> > > enforce the behavior by setting password expiration to "now".
> > > 
> > > Note, this has no effect on setting an empty //graphics at passwd in
> > > domain XML. Users may use //graphics at passwdValidTo to enforce the same
> > > behavior.
> > > 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1180092
> > 
> > Please reference newly assigned CVE-2016-5008 in the commit message
> > before pushing.
> > 
> > > Signed-off-by: Jiri Denemark <jdenemar at redhat.com>
> > > ---
> > >  src/qemu/qemu_hotplug.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
> > > index e0b8230..91f48dc 100644
> > > --- a/src/qemu/qemu_hotplug.c
> > > +++ b/src/qemu/qemu_hotplug.c
> > > @@ -3970,6 +3970,8 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
> > >              snprintf(expire_time, sizeof(expire_time), "now");
> > >          else
> > >              snprintf(expire_time, sizeof(expire_time), "%lu", (long unsigned)auth->validTo);
> > > +    } else if (!auth->passwd && defaultPasswd && defaultPasswd[0] == '\0') {
> > > +        snprintf(expire_time, sizeof(expire_time), "now");
> > >      } else {
> > >          snprintf(expire_time, sizeof(expire_time), "never");
> > >      }
> > 
> > Not shown in this patch is the earlier condition if (auth->expires).
> > 
> > IOW, if you set the empty password, but also have an expiry time
> > set we'll still be allowing access. Now admittedly setting an
> > empty password and also an expiry time is fairly pointless, but
> > I can easily see apps mistakenly doing this. So we should check
> > the empty password as the first branch in the condition.
> 
> Well, I explicitly only fixed the issue with an empty default password
> and using a //graphics/@passwdValidTo with a default password is not
> supported. Libvirt will just ignore the XML element and thus
> auth->expires will always be false with default passwords.
> 
> Do you think we should handle empty passwords in XML too?

Yep, any empty password should disable access to the VNC server,
regardless of whether it comes from the global config file or
from the XML

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|