[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1136477] Re: qemu doesn't sanitize command line options carrying pl
From: |
Thomas Huth |
Subject: |
[Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords |
Date: |
Thu, 22 Apr 2021 04:30:45 -0000 |
The QEMU project is currently considering to move its bug tracking to another
system. For this we need to know which bugs are still valid and which could be
closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state
back to "New" within the next 60 days, otherwise this report will be marked as
"Expired". Or mark it as "Fix Released" if the problem has been solved with a
newer version of QEMU already. Thank you and sorry for the inconvenience.
** Changed in: qemu
Status: New => Incomplete
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1136477
Title:
qemu doesn't sanitize command line options carrying plaintext
passwords
Status in QEMU:
Incomplete
Bug description:
A slight security problem exists with qemu's lack of sanitization of
argv[], for cases where the user may have specified a plaintext
password for spice/vnc authorization. (Yes, it's not great to use
this facility, but it's convenient and not grotesquely unsafe, were it
not for this bug.) It would be nice if those plaintext passwords were
nuked from the command line, so a subsequent "ps awux" didn't show
them for all to see.
See also https://bugzilla.redhat.com/show_bug.cgi?id=916279
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1136477/+subscriptions
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords,
Thomas Huth <=