From: Anthony Liguori
To: "Daniel P. Berrange"
Cc: qemu-devel@nongnu.org
Date: Wed, 24 Aug 2011 07:55:38 -0500
Subject: Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Message-ID: <4E54F4CA.1000809@codemonkey.ws>
In-Reply-To: <20110824125040.GG12120@redhat.com>

On 08/24/2011 07:50 AM, Daniel P. Berrange wrote:
> On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
>> On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
>>> From: "Daniel P. Berrange"
>>>
>>> In CVE-2011-0011 it was noted that setting an empty password
>>> would disable all authentication for the VNC password. Commit
>>> 1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
>>> but it just broke it in a different way, because now instead
>>> of blindly disabling all authentication, it blindly resets all
>>> authentication to 'VNC'.
>>
>> But this is *not* a security problem. Login becomes disabled as expected.
>
> It *is* a security problem, because if you do
>
>   change vnc password 123
>   change vnc password ""
>   change vnc password 456
>
> you have lost the authentication settings you requested.
>
> With this patch, changing the password to "" *still* disables
> the login, without side effects on the auth scheme.

Just because it isn't doing what you expect it to do doesn't make it a
security problem. This is the current behavior, and you simply cannot
write a management tool without being aware of this behavior, for better
or worse.

The password change interface should not be overloaded to disable login.
There should be a higher level QMP command to do this.

>
>> We should really not overload the semantics of the change command
>> like this and instead introduce a new QMP operation to disable
>> login.
>
> The change I mention below is the one that overloaded the semantics
> by making a password change also change the auth scheme, breaking
> the original behaviour. If we want apps to be able to change the
> auth scheme, that needs a separate monitor command.
>
> The current behaviour is not usable and introduces a security problem
> by changing the auth scheme without being asked to.

I'll buy an argument about usability but not about security.

We need a higher level command to disable login and a higher level
command to set the vnc password. This interface should be considered
deprecated.

Regards,

Anthony Liguori

> Daniel
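The three behaviours the thread compares, as an added C model that is not QEMU's code: the `AuthScheme` enum, the `VncState` struct and the `set_password_*` functions are constructed here for illustration, and the exact side effects of each variant are taken from the thread's description rather than from QEMU's sources. Daniel's sequence (`123`, `""`, `456`) is run through each variant so the difference shows up as the auth scheme left behind, while `login_allowed` checks whether an empty password really disables login in each case.

```c
/* Constructed model of three VNC "change password" semantics.
 * Not QEMU code: names, types and behaviour are assumptions. */
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_NONE, AUTH_VNC, AUTH_VENCRYPT_TLS_VNC } AuthScheme;

typedef struct {
    AuthScheme auth;   /* scheme the operator configured */
    char password[64]; /* "" means "login disabled" */
} VncState;

typedef void (*SetPasswordFn)(VncState *, const char *);

static void copy_password(VncState *s, const char *pw) {
    strncpy(s->password, pw, sizeof s->password - 1);
    s->password[sizeof s->password - 1] = '\0';
}

/* Variant A, the CVE-2011-0011 behaviour as the thread describes it:
 * an empty password turns authentication off entirely, and a later
 * non-empty password does not turn it back on (assumed). */
static void set_password_cve(VncState *s, const char *pw) {
    if (pw[0] == '\0') {
        s->auth = AUTH_NONE;
    }
    copy_password(s, pw);
}

/* Variant B, the follow-up commit as the thread describes it:
 * every password change forces the scheme back to plain 'VNC'. */
static void set_password_reset(VncState *s, const char *pw) {
    s->auth = AUTH_VNC;
    copy_password(s, pw);
}

/* Variant C, the patch under discussion: only the password changes,
 * the configured scheme is never touched. */
static void set_password_only(VncState *s, const char *pw) {
    copy_password(s, pw);
}

/* Login decision.  A password-based scheme with an empty password
 * rejects every attempt, so "" still disables login without having
 * to alter the scheme. */
static int login_allowed(const VncState *s, const char *attempt) {
    switch (s->auth) {
    case AUTH_NONE:
        return 1;
    case AUTH_VNC:
    case AUTH_VENCRYPT_TLS_VNC:
        if (s->password[0] == '\0') {
            return 0; /* disabled */
        }
        return strcmp(s->password, attempt) == 0;
    }
    return 0;
}

/* Run Daniel's sequence and report the scheme left behind. */
static AuthScheme run_sequence(SetPasswordFn set, AuthScheme start) {
    VncState s = { start, "" };
    set(&s, "123");
    set(&s, "");
    set(&s, "456");
    return s.auth;
}

/* Does "" actually disable login under this variant?  Both the empty
 * string and the previous password must be rejected. */
static int empty_password_disables_login(SetPasswordFn set, AuthScheme start) {
    VncState s = { start, "" };
    set(&s, "123");
    set(&s, "");
    return !login_allowed(&s, "") && !login_allowed(&s, "123");
}

int main(void) {
    static const char *names[] = { "NONE", "VNC", "VENCRYPT_TLS_VNC" };
    struct { const char *label; SetPasswordFn fn; } variants[] = {
        { "A (CVE-2011-0011)", set_password_cve },
        { "B (reset to VNC) ", set_password_reset },
        { "C (patch)        ", set_password_only },
    };
    for (size_t i = 0; i < sizeof variants / sizeof variants[0]; i++) {
        AuthScheme end = run_sequence(variants[i].fn, AUTH_VENCRYPT_TLS_VNC);
        printf("%s: start VENCRYPT_TLS_VNC, end %-16s, \"\" disables login: %s\n",
               variants[i].label, names[end],
               empty_password_disables_login(variants[i].fn, AUTH_VENCRYPT_TLS_VNC) ? "yes" : "no");
    }
    return 0;
}
```

Only variant C ends the sequence with the scheme the operator started with; variants A and B both leave a different scheme behind, which is the loss of settings Daniel describes. The model also shows Anthony's point that variant B still disables login on an empty password, since the rejection comes from the empty-password check rather than from the scheme.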