[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 1136477] Re: qemu doesn't sanitize command line option
From: |
Anthony Liguori |
Subject: |
[Qemu-devel] [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords |
Date: |
Fri, 01 Mar 2013 00:40:16 -0000 |
Hi,
Thanks for submitting this report. I've removed the security label from
the bug after reading through the comments and the referenced bug.
Modifying argv is not terribly portable and I think a reasonable person
would expect that a password specified on the command line would be
visible through a ps.
Patches would certainly be considered but I don't consider this a
security issue. Just a request for an enhancement.
** Information type changed from Private Security to Private
** Information type changed from Private to Public
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1136477
Title:
qemu doesn't sanitize command line options carrying plaintext
passwords
Status in QEMU:
New
Bug description:
A slight security problem exists with qemu's lack of sanitization of
argv[], for cases where the user may have specified a plaintext
password for spice/vnc authorization. (Yes, it's not great to use
this facility, but it's convenient and not grotesquely unsafe, were it
not for this bug.) It would be nice if those plaintext passwords were
nuked from the command line, so a subsequent "ps awux" didn't show
them for all to see.
See also https://bugzilla.redhat.com/show_bug.cgi?id=916279
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1136477/+subscriptions
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] [Bug 1136477] Re: qemu doesn't sanitize command line options carrying plaintext passwords,
Anthony Liguori <=