[virt-tools-list] [virt-manager PATCH v2 0/2] unattended: Don't expose user & admin passwords

Cole Robinson crobinso at redhat.com
Wed Jul 3 17:32:59 UTC 2019


On 7/3/19 10:01 AM, Fabiano Fidêncio wrote:
> Let's not expose user & admin passwords, either by having an option to
> be used to set those passwords or in the debug messages.
> 
> 'CVE-2019-10183' has been assigned to the virt-install --unattended
> admin-password=xxx disclosure issue.
> 
> Changes since v1:
> https://www.redhat.com/archives/virt-tools-list/2019-July/msg00013.html
> - passowrd -> password;
> - pwd.read().rstrip("\n\r") -> pwd.readline().rstrip("\n\r") + document
>   this in our manpage;
> - create a new config, with the sanitised password, and use it to print
>   the script content as a debug message;
> 
> Fabiano Fidêncio (2):
>   unattended: Read the passwords from a file
>   unattended: Don't log user & admin passwords
> 
>  man/virt-install.pod                  | 24 ++++++++----
>  tests/cli-test-xml/admin-password.txt |  1 +
>  tests/cli-test-xml/user-password.txt  |  3 ++
>  tests/clitest.py                      | 18 +++++----
>  virtinst/cli.py                       |  4 +-
>  virtinst/install/unattended.py        | 56 ++++++++++++++++++++-------
>  6 files changed, 76 insertions(+), 30 deletions(-)
>  create mode 100644 tests/cli-test-xml/admin-password.txt
>  create mode 100644 tests/cli-test-xml/user-password.txt
> 

Fixed some pylint warnings and pushed

Thanks,
Cole
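
The two changes listed in the cover letter (take the password from the first line of a file, and print the debug copy of the script from a config whose passwords are sanitised) can be sketched as follows. This is an added example, not part of the thread and not virt-manager's code; `InstallConfig`, `MASK`, the logger name and the script template are assumptions made for illustration.

```python
import copy
import logging

log = logging.getLogger("unattended-example")
MASK = "[password]"  # constructed placeholder shown in logs


def read_password_file(path):
    """Return the first line of the file, without its line ending."""
    with open(path, "r") as pwd:
        # readline(), not read(): only the first line is the password, so a
        # trailing newline or extra lines never become part of it.
        return pwd.readline().rstrip("\n\r")


class InstallConfig:
    """Hypothetical stand-in for the data an install script is built from."""
    def __init__(self, user_login, user_password, admin_password):
        self.user_login = user_login
        self.user_password = user_password
        self.admin_password = admin_password


def sanitised(config):
    """Copy the config with every password replaced by MASK."""
    clone = copy.copy(config)
    clone.user_password = MASK
    clone.admin_password = MASK
    return clone


def render_script(config):
    """Constructed kickstart-style template, for illustration only."""
    return "rootpw %s\nuser --name=%s --password=%s\n" % (
        config.admin_password, config.user_login, config.user_password)


def generate_script(config):
    """Return the real script; log only the sanitised rendering."""
    script = render_script(config)
    log.debug("Generated script:\n%s", render_script(sanitised(config)))
    return script
```

The real script is still returned to the caller with the passwords in place; only the rendering passed to the logger is built from the sanitised copy.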
