Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 587570 (CVE-2016-5008) - <app-emulation/libvirt-1.3.5-r1, <app-emulation/libvirt-1.2.21-r3: Setting empty VNC password allows access to unauthorized users
Summary: <app-emulation/libvirt-1.3.5-r1, <app-emulation/libvirt-1.2.21-r3: Setting em...
Alias: CVE-2016-5008
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2016-06-30 09:08 UTC by Agostino Sarubbo
Modified: 2016-07-10 00:07 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-30 09:08:03 UTC
From ${URL} :

It was found that setting VNC password to empty string doesn't work in a way as it's documented. The documented semantics of setting the password to an 
empty string are that it disables all access to the VNC server, however in fact it allows all users access with no authentication required instead.

Product bug:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2016-06-30 18:05:23 UTC
Fixed in: 1.3.5-r1
Vulnerable version left in tree: 1.3.4

commit 376e22508ab65ce5ebe3e1f1b977d013a860f84e
Author: Matthias Maier <>
Date:   Thu Jun 30 12:59:59 2016 -0500

    app-emulation/libvirt: Apply upstream patch for CVE-2016-5008, bug #587570
    Package-Manager: portage-2.2.28
Comment 2 Matthias Maier gentoo-dev 2016-06-30 22:01:30 UTC
Arches, please stabilize


Target-Keywords: amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2016-07-01 08:30:15 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-01 08:31:53 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 5 Matthias Maier gentoo-dev 2016-07-09 15:13:37 UTC
commit ac7c68ff853c87b3fc3395dacb34b095c73cdbc3
Author: Matthias Maier <>
Date:   Sat Jul 9 09:54:41 2016 -0500

    app-emulation/libvirt: drop vulnerable 1.2.21-r2, bug #587570
    Package-Manager: portage-2.2.28

commit 90c9b77c2dfebbfe13340da54d622b258bb9328a
Author: Matthias Maier <>
Date:   Sat Jul 9 09:56:39 2016 -0500

    app-emulation/libvirt: x86 stable
    Package-Manager: portage-2.2.28
    RepoMan-Options: --include-arches="x86"

commit 34d6a62b26a78ab6f0901de39fdb14109db2b186
Author: Matthias Maier <>
Date:   Sat Jul 9 09:53:14 2016 -0500

    app-emulation/libvirt: amd64 stable
    Package-Manager: portage-2.2.28
    RepoMan-Options: --include-arches="amd64"

commit 45b982e636481053a901137211441a5d8be30fc3
Author: Matthias Maier <>
Date:   Sat Jul 9 09:46:18 2016 -0500

    app-emulation/libvirt: update 1.2.21, fix CVE-2016-5008, bug #587570
    Package-Manager: portage-2.2.28
Comment 6 Matthias Maier gentoo-dev 2016-07-09 15:16:27 UTC
Unaffected versions:
  >=1.2.21-r3 and <1.3.0
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-10 00:07:19 UTC
GLSA Vote: No