
Bug 252595 (CVE-2008-5714)

Summary: app-emulation/qemu-0.11.1: off-by-one bug limiting VNC passwords to 7 char (CVE-2008-5714)
Product: Gentoo Security
Reporter: Bruno Buss <bruno.buss>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: minor
CC: lu_zero
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.gnu.org/archive/html/qemu-devel/2008-11/msg01224.html
Whiteboard: C3 [glsa]
Package list:
Runtime testing required: ---

Description Bruno Buss 2008-12-26 12:50:21 UTC
Description:
"Fix off-by-one bug limiting VNC passwords to 7 characters instead of 8

monitor_readline expects buf_size to include the terminating \0, but
do_change_vnc in monitor.c calls it as though it doesn't. The other site
where monitor_readline reads a password (in vl.c) passes the buffer length
correctly."

CVE-2008-5714 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5714):
"Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended."

Fix in SVN:
http://svn.savannah.gnu.org/viewvc/trunk/monitor.c?root=qemu&r1=5966&r2=5965&pathrev=5966
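As an added illustration (not code from this bug, the linked patch or QEMU itself), the call-site mismatch the description refers to, modelled with a constructed stand-in for monitor_readline and an assumed 9-byte password buffer (8 characters plus the terminating NUL); the before/after callers show how the wrong size argument silently drops the eighth character:

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for monitor_readline (constructed, not QEMU's code): buf_size
 * includes the terminating '\0', so at most buf_size - 1 characters are kept. */
static void readline_like(const char *typed, char *buf, size_t buf_size)
{
    size_t n = strlen(typed);
    if (n > buf_size - 1)
        n = buf_size - 1;
    memcpy(buf, typed, n);
    buf[n] = '\0';
}

/* Caller as described for do_change_vnc before the fix: passes the size as if
 * it excluded the terminator, so one usable character is lost. */
size_t vnc_password_len_before_fix(const char *typed)
{
    char password[9]; /* assumed layout: 8 characters + '\0' */
    readline_like(typed, password, sizeof(password) - 1);
    return strlen(password);
}

/* Caller after the fix: the full buffer size, terminator included. */
size_t vnc_password_len_after_fix(const char *typed)
{
    char password[9];
    readline_like(typed, password, sizeof(password));
    return strlen(password);
}

int main(void)
{
    const char *typed = "12345678"; /* constructed 8-character password */
    printf("before fix: %zu characters kept\n", vnc_password_len_before_fix(typed));
    printf("after fix:  %zu characters kept\n", vnc_password_len_after_fix(typed));
    return 0;
}
```

The same pattern is worth checking in any reader that takes a buffer size: agree on whether the size counts the terminator, and pass sizeof(buf) consistently at every call site.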
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:58:57 UTC
CVE-2008-5714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5714):
  Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for
  remote attackers to guess the VNC password, which is limited to seven
  characters where eight was intended.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-10 20:57:03 UTC
Hi, can't we just remove the older, vulnerable versions?
Comment 3 Martini peres 2012-03-05 12:08:38 UTC
This comment has been removed because it contained spam. -- idl0r
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 18:00:58 UTC
GLSA vote: yes.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-03-11 06:50:19 UTC
GLSA Vote: no.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 15:57:51 UTC
There already is a request for qemu for several bugs, so we might as well include this one. I vote YES.

.. and added to the request.
Comment 7 Doug Goldstein (RETIRED) gentoo-dev 2013-08-28 01:22:39 UTC
@security: 1 year follow up ping.