mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 05:35:25 +00:00
qemu: Let empty default VNC password work as documented
CVE-2016-5008
Setting an empty graphics password is documented as a way to disable
VNC/SPICE access, but QEMU does not always behaves like that. VNC would
happily accept the empty password. Let's enforce the behavior by setting
password expiration to "now".
https://bugzilla.redhat.com/show_bug.cgi?id=1180092
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit bb848feec0
)
This commit is contained in:
parent
6410a22743
commit
ea59deeeea
@ -3959,6 +3959,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
|
||||
time_t now = time(NULL);
|
||||
char expire_time [64];
|
||||
const char *connected = NULL;
|
||||
const char *password;
|
||||
int ret = -1;
|
||||
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
|
||||
|
||||
@ -3966,16 +3967,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
|
||||
ret = 0;
|
||||
goto cleanup;
|
||||
}
|
||||
password = auth->passwd ? auth->passwd : defaultPasswd;
|
||||
|
||||
if (auth->connected)
|
||||
connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);
|
||||
|
||||
if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
|
||||
goto cleanup;
|
||||
ret = qemuMonitorSetPassword(priv->mon,
|
||||
type,
|
||||
auth->passwd ? auth->passwd : defaultPasswd,
|
||||
connected);
|
||||
ret = qemuMonitorSetPassword(priv->mon, type, password, connected);
|
||||
|
||||
if (ret == -2) {
|
||||
if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
|
||||
@ -3983,14 +3982,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
|
||||
_("Graphics password only supported for VNC"));
|
||||
ret = -1;
|
||||
} else {
|
||||
ret = qemuMonitorSetVNCPassword(priv->mon,
|
||||
auth->passwd ? auth->passwd : defaultPasswd);
|
||||
ret = qemuMonitorSetVNCPassword(priv->mon, password);
|
||||
}
|
||||
}
|
||||
if (ret != 0)
|
||||
goto end_job;
|
||||
|
||||
if (auth->expires) {
|
||||
if (password[0] == '\0') {
|
||||
snprintf(expire_time, sizeof(expire_time), "now");
|
||||
} else if (auth->expires) {
|
||||
time_t lifetime = auth->validTo - now;
|
||||
if (lifetime <= 0)
|
||||
snprintf(expire_time, sizeof(expire_time), "now");
|
||||
|
Loading…
Reference in New Issue
Block a user