[virt-tools-list] [virt-manager PATCH v2 0/2] unattended: Don't expose user & admin passwords

Pavel Hrdina phrdina at redhat.com
Wed Jul 3 22:13:01 UTC 2019


On Wed, Jul 03, 2019 at 01:32:59PM -0400, Cole Robinson wrote:
> On 7/3/19 10:01 AM, Fabiano Fidêncio wrote:
> > Let's not expose user & admin passwords, either by having an option to
> > be used to set those passwords or in the debug messages.
> > 
> > 'CVE-2019-10183' has been assigned to the virt-install --unattended
> > admin-password=xxx disclosure issue.
> > 
> > Changes since v1:
> > https://www.redhat.com/archives/virt-tools-list/2019-July/msg00013.html
> > - passowrd -> password;
> > - pwd.read().rstrip("\n\r") -> pwd.readline().rstrip("\n\r") + document
> >   this in our manpage;
> > - create a new config, with the sanitised password, and use it to print
> >   the script content as a debug message;
> > 
> > Fabiano Fidêncio (2):
> >   unattended: Read the passwords from a file
> >   unattended: Don't log user & admin passwords
> > 
> >  man/virt-install.pod                  | 24 ++++++++----
> >  tests/cli-test-xml/admin-password.txt |  1 +
> >  tests/cli-test-xml/user-password.txt  |  3 ++
> >  tests/clitest.py                      | 18 +++++----
> >  virtinst/cli.py                       |  4 +-
> >  virtinst/install/unattended.py        | 56 ++++++++++++++++++++-------
> >  6 files changed, 76 insertions(+), 30 deletions(-)
> >  create mode 100644 tests/cli-test-xml/admin-password.txt
> >  create mode 100644 tests/cli-test-xml/user-password.txt
> > 
> 
> Fixed some pylint warnings and pushed

Thanks for pushing it, I was about to do the same but had to leave
the office.

Pavel