On Wed, Jan 26, 2011 at 08:56:06AM +0300, Michael Tokarev wrote:
> 26.01.2011 00:25, Moritz Muehlenhoff wrote:
> > Package: kvm
> > Severity: grave
> > Tags: security
> >
> > Please see the following entry in the Red Hat bugzilla:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
>
> Yes, I've seen this even before the CVE ID was assigned.
>
> > The impact is not entirely obvious to me? Do I understand it
> > correctly that a malicious application accessing a KVM
> > instance could lock out other apps to this virtual machine?
>
> This is a completely wrong understanding.
>
> First of all, only one instance is affected.
>
> Second, this is an intended behaviour. Empty vnc password
> is meant to be no authentication, not a lockdown. When you
> start it without specifying a password it lets everyone
> in.
>
> There was a bug in previous versions of qemu which is now
> fixed by the commit mentioned in that RH bugreport. A bug
> which resulted in inability to change vnc to "no auth" mode
> at runtime if a password has been specified.
>
> The implication is this: if there was an application that
> relied on the wrong behaviour, "thinking" that changing VNC
> password at runtime to an empty string means a lockdown,
> that combination is now broken, since instead of a lockdown
> we're getting wide-open access. But I'm not aware of any
> application like that.
Thanks for the verbose explanation. I've updated the Debian Security Tracker.

While we're at it, could you please also look into
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435 ?
Is this something that still needs to be fixed for Squeeze?

Cheers,
Moritz