[Bug 1136477] Re: qemu doesn't sanitize command line options carrying pl

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1136477] Re: qemu doesn't sanitize command line options carrying pl

From:	Launchpad Bug Tracker
Subject:	[Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords
Date:	Tue, 22 Jun 2021 04:17:23 -0000

[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1136477

Title:
  qemu doesn't sanitize command line options carrying plaintext
  passwords

Status in QEMU:
  Expired

Bug description:
  A slight security problem exists with qemu's lack of sanitization of
  argv[], for cases where the user may have specified a plaintext
  password for spice/vnc authorization.  (Yes, it's not great to use
  this facility, but it's convenient and not grotesquely unsafe, were it
  not for this bug.)  It would be nice if those plaintext passwords were
  nuked from the command line, so a subsequent "ps awux" didn't show
  them for all to see.

  See also https://bugzilla.redhat.com/show_bug.cgi?id=916279

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1136477/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords, Launchpad Bug Tracker <=

Prev by Date: [Bug 690776] Re: Overwrite argv to set process title, eliminating 16-character prctl() limit.
Next by Date: [Bug 1191326] Re: QNX 4 doesn't boot on qemu >= 1.3
Previous by thread: [Bug 690776] Re: Overwrite argv to set process title, eliminating 16-character prctl() limit.
Next by thread: [Bug 1191326] Re: QNX 4 doesn't boot on qemu >= 1.3
Index(es):
- Date
- Thread