blob: 9c97f5bb11ca639300c022c0c8c93e26e2b14d86 (
plain) (
blame)
1
2
3
4
5
|
qemu doesn't sanitize command line options carrying plaintext passwords
A slight security problem exists with qemu's lack of sanitization of argv[], for cases where the user may have specified a plaintext password for spice/vnc authorization. (Yes, it's not great to use this facility, but it's convenient and not grotesquely unsafe, were it not for this bug.) It would be nice if those plaintext passwords were nuked from the command line, so a subsequent "ps awux" didn't show them for all to see.
See also https://bugzilla.redhat.com/show_bug.cgi?id=916279
|