[libvirt PATCH] qemu: validate VNC password length

Pavel Hrdina phrdina at redhat.com
Thu Dec 16 11:08:50 UTC 2021


On Thu, Dec 16, 2021 at 10:48:53AM +0000, Daniel P. Berrangé wrote:
> The VNC password authentication scheme is quite horrendous in that it
> takes the user password and directly uses it as a DES case. DES is a
> byte 8 keyed cipher, so the VNC password can never be more than 8
> characters long. Anything over that length will be silently dropped.
> 
> We should validate this length restriction when accepting user XML
> configs and report an error. For the global VNC password we don't
> really want to break daemon startup by reporting an error, but
> logging a warning is worthwhile.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1506689
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  src/qemu/qemu_conf.c     | 6 ++++++
>  src/qemu/qemu_validate.c | 8 ++++++++
>  2 files changed, 14 insertions(+)

Reviewed-by: Pavel Hrdina <phrdina at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20211216/0f79f2c5/attachment-0001.sig>


More information about the libvir-list mailing list