
Bug 587570 (CVE-2016-5008)

Summary: <app-emulation/libvirt-1.3.5-r1, <app-emulation/libvirt-1.2.21-r3: Setting empty VNC password allows access to unauthorized users
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: tamiko, virtualization
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1351514
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-06-30 09:08:03 UTC
From ${URL} :

It was found that setting the VNC password to an empty string doesn't work in the way it's documented. The documented semantics of setting the password to an
empty string are that it disables all access to the VNC server; in fact, it instead allows all users access with no authentication required.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1180092


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2016-06-30 18:05:23 UTC
Fixed in: 1.3.5-r1
Vulnerable version left in tree: 1.3.4

commit 376e22508ab65ce5ebe3e1f1b977d013a860f84e
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Jun 30 12:59:59 2016 -0500

    app-emulation/libvirt: Apply upstream patch for CVE-2016-5008, bug #587570
    
    Package-Manager: portage-2.2.28
Comment 2 Matthias Maier gentoo-dev 2016-06-30 22:01:30 UTC
Arches, please stabilize

 =app-emulation/libvirt-1.3.5-r1
 =dev-python/libvirt-python-1.3.5

Target-Keywords: amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2016-07-01 08:30:15 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-01 08:31:53 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 5 Matthias Maier gentoo-dev 2016-07-09 15:13:37 UTC
commit ac7c68ff853c87b3fc3395dacb34b095c73cdbc3
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:54:41 2016 -0500

    app-emulation/libvirt: drop vulnerable 1.2.21-r2, bug #587570
    
    CVE-2016-5008
    
    Package-Manager: portage-2.2.28

commit 90c9b77c2dfebbfe13340da54d622b258bb9328a
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:56:39 2016 -0500

    app-emulation/libvirt: x86 stable
    
    Package-Manager: portage-2.2.28
    RepoMan-Options: --include-arches="x86"

commit 34d6a62b26a78ab6f0901de39fdb14109db2b186
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:53:14 2016 -0500

    app-emulation/libvirt: amd64 stable
    
    Package-Manager: portage-2.2.28
    RepoMan-Options: --include-arches="amd64"

commit 45b982e636481053a901137211441a5d8be30fc3
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Jul 9 09:46:18 2016 -0500

    app-emulation/libvirt: update 1.2.21, fix CVE-2016-5008, bug #587570
    
    Package-Manager: portage-2.2.28
Comment 6 Matthias Maier gentoo-dev 2016-07-09 15:16:27 UTC
Unaffected versions:
  >=1.2.21-r3 and <1.3.0
  >=1.3.5-r1
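A defender's check for the two facts this bug records, written as an added example (not code from the bug report, from libvirt or from the Gentoo tree): it flags VNC `<graphics>` entries in libvirt domain XML whose `passwd` is empty (the setting that, on affected builds, grants unauthenticated access instead of locking VNC out) or absent, and it tests a Gentoo libvirt version string against the unaffected ranges listed in comment 6. The domain XML is constructed sample input, and the version parser is a simplified ordering that is sufficient for the versions named here.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the bug): three graphics devices.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' passwd=''/>
    <graphics type='vnc' port='5901' listen='0.0.0.0'/>
    <graphics type='spice' autoport='yes' passwd='s3cret'/>
  </devices>
</domain>"""


def find_empty_vnc_passwords(domain_xml: str) -> list:
    """Return (index, problem) for each VNC <graphics> with an empty or missing passwd.

    'empty-passwd' is the CVE-2016-5008 case: the documentation promised a lock-out,
    but affected libvirt versions let anyone in without authentication.
    'no-passwd' means the domain XML sets no VNC password at all.
    """
    root = ET.fromstring(domain_xml)
    findings = []
    for index, graphics in enumerate(root.iter("graphics")):
        if graphics.get("type") != "vnc":
            continue
        passwd = graphics.get("passwd")   # None when the attribute is absent
        if passwd is None:
            findings.append((index, "no-passwd"))
        elif passwd == "":
            findings.append((index, "empty-passwd"))
    return findings


def parse_gentoo_version(version: str) -> tuple:
    """Turn '1.3.5-r1' into (1, 3, 5, 1); a missing -rN revision counts as r0.

    Simplified ordering: enough for dotted numeric versions with an optional -rN.
    """
    base, _, rev = version.partition("-r")
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (3 - len(parts))           # pad so '1.3' compares like '1.3.0'
    return tuple(parts) + (int(rev) if rev else 0,)


def is_unaffected(version: str) -> bool:
    """True if the version is inside the unaffected ranges given in comment 6."""
    v = parse_gentoo_version(version)
    old_branch = parse_gentoo_version("1.2.21-r3") <= v < parse_gentoo_version("1.3.0")
    new_branch = v >= parse_gentoo_version("1.3.5-r1")
    return old_branch or new_branch
```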
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-10 00:07:19 UTC
GLSA Vote: No