From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Date: Wed, 24 Aug 2011 12:01:01 +0100 [thread overview]
Message-ID: <1314183661-14483-1-git-send-email-berrange@redhat.com> (raw)
From: "Daniel P. Berrange" <berrange@redhat.com>
In CVE-2011-0011 it was noted that setting an empty password
would disable all authentication for the VNC password. Commit
1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
but it just broke it in a different way, because now instead
of blindly disabling all authentication, it blindly resets all
authentication to 'VNC'. This disables any TLS auth that might
have been enabled, which is pratically as bad as the original
problem.
eg, consider launching QEMU with TLS + password as per the
docs section 3.11.5
$ qemu [...OPTIONS...] -vnc :1,password,tls -monitor stdio
(qemu) info vnc
Server:
address: 0.0.0.0:5901
auth: vencrypt+tls+vnc
Client: none
(qemu) change vnc password "123"
(qemu) info vnc
Server:
address: 0.0.0.0:5901
auth: vnc
Client: none
After setting the password, the TLS auth has been disabled
meaning all communications are back in cleartext. The
'change vnc password' command must *never* touch the 'vs->auth'
field under any circumstances.
Similarly setting the password to "" (which causes all auth
attempts to fail) must *not* touch vs->auth, otherwise it
breaks the following sequence
$ qemu [...OPTIONS...] -vnc :1,password,tls -monitor stdio
(qemu) info vnc
Server:
address: 0.0.0.0:5901
auth: vencrypt+tls+vnc
Client: none
(qemu) change vnc password "123"
(qemu) info vnc
Server:
address: 0.0.0.0:5901
auth: vencrypt+tls+vnc
Client: none
(qemu) change vnc password ""
(qemu) info vnc
Server:
address: 0.0.0.0:5901
auth: vnc
Client: none
(qemu) change vnc password "456"
(qemu) info vnc
Server:
address: 0.0.0.0:5901
auth: vnc
Client: none
This patch puts the behaviour back to what it was before the
original mistaken commit 52c18be9e99dabe295321153fda7fce9f76647ac
* ui/vnc.c: Do not touch 'vs->auth' when changing password and
remove unneccessary 'vnc_disable_login' method
* monitor.c: Remove call to 'vnc_disable_login'
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
console.h | 1 -
monitor.c | 8 --------
ui/vnc.c | 30 +++---------------------------
3 files changed, 3 insertions(+), 36 deletions(-)
diff --git a/console.h b/console.h
index 67d1373..2eb03a1 100644
--- a/console.h
+++ b/console.h
@@ -373,7 +373,6 @@ void vnc_display_init(DisplayState *ds);
void vnc_display_close(DisplayState *ds);
int vnc_display_open(DisplayState *ds, const char *display);
void vnc_display_add_client(DisplayState *ds, int csock, int skipauth);
-int vnc_display_disable_login(DisplayState *ds);
char *vnc_display_local_addr(DisplayState *ds);
#ifdef CONFIG_VNC
int vnc_display_password(DisplayState *ds, const char *password);
diff --git a/monitor.c b/monitor.c
index 1b8ba2c..59af05a 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1023,14 +1023,6 @@ static int do_quit(Monitor *mon, const QDict *qdict, QObject **ret_data)
#ifdef CONFIG_VNC
static int change_vnc_password(const char *password)
{
- if (!password || !password[0]) {
- if (vnc_display_disable_login(NULL)) {
- qerror_report(QERR_SET_PASSWD_FAILED);
- return -1;
- }
- return 0;
- }
-
if (vnc_display_password(NULL, password) < 0) {
qerror_report(QERR_SET_PASSWD_FAILED);
return -1;
diff --git a/ui/vnc.c b/ui/vnc.c
index f1e27d9..f7fc7d2 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2635,24 +2635,6 @@ void vnc_display_close(DisplayState *ds)
#endif
}
-int vnc_display_disable_login(DisplayState *ds)
-{
- VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
-
- if (!vs) {
- return -1;
- }
-
- if (vs->password) {
- qemu_free(vs->password);
- }
-
- vs->password = NULL;
- vs->auth = VNC_AUTH_VNC;
-
- return 0;
-}
-
int vnc_display_password(DisplayState *ds, const char *password)
{
int ret = 0;
@@ -2663,19 +2645,13 @@ int vnc_display_password(DisplayState *ds, const char *password)
goto out;
}
- if (!password) {
- /* This is not the intention of this interface but err on the side
- of being safe */
- ret = vnc_display_disable_login(ds);
- goto out;
- }
-
if (vs->password) {
qemu_free(vs->password);
vs->password = NULL;
}
- vs->password = qemu_strdup(password);
- vs->auth = VNC_AUTH_VNC;
+ if (password)
+ vs->password = qemu_strdup(password);
+
out:
if (ret != 0) {
qerror_report(QERR_SET_PASSWD_FAILED);
--
1.7.6
next reply other threads:[~2011-08-24 11:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-24 11:01 Daniel P. Berrange [this message]
2011-08-24 12:45 ` [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings Anthony Liguori
2011-08-24 12:50 ` Daniel P. Berrange
2011-08-24 12:55 ` Anthony Liguori
2011-08-24 13:02 ` Daniel P. Berrange
2011-08-24 14:52 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1314183661-14483-1-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).