password limited to seven, not eight characters

Related Vulnerabilities: CVE-2008-5714  

Debian Bug report logs - #509882


Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sat, 27 Dec 2008 12:33:01 UTC

Severity: important

Tags: patch, security

Found in version qemu/0.9.1-1

Fixed in versions 0.9.1+svn20081214-1, qemu/0.9.1-10

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#509882; Package qemu. (Sat, 27 Dec 2008 12:33:03 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 27 Dec 2008 12:33:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: password limited to seven, not eight characters
Date: Sat, 27 Dec 2008 13:30:15 +0100
Package: qemu
Severity: important
Tags: security, patch

Hi,

It has been reported that the password setting routine in qemu limits the 
password length to 7 instead of 8 characters as intended:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5714

It would be very desirable to fix this in lenny, because it could be regarded 
as a security issue, in a way. Etch seems not to be affected.

Please reference the CVE id when fixing this issue.


thanks,
Thijs

Reply sent to Aurelien Jarno <aurelien@aurel32.net>:
You have taken responsibility. (Sun, 28 Dec 2008 11:48:07 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 28 Dec 2008 11:48:07 GMT)


Message #10 received at 509882-done@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: Thijs Kinkhorst <thijs@debian.org>, 509882-done@bugs.debian.org
Subject: Re: Bug#509882: password limited to seven, not eight characters
Date: Sun, 28 Dec 2008 12:41:28 +0100
Version: 0.9.1+svn20081214-1

On Sat, Dec 27, 2008 at 01:30:15PM +0100, Thijs Kinkhorst wrote:
> Package: qemu
> Severity: important
> Tags: security, patch
> 
> Hi,
> 
> It has been reported that the password setting routine in qemu limits the 
> password length to 7 instead of 8 characters as intended:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5714
> 
> It would be very desirable to fix this in lenny, because it could be regarded 
> to be a security issue in a way. Etch seems not affected.
> 
> Please reference the CVE id when fixing this issue.
> 

To be honest, while I agree it is a real problem, I find it strange that it is
considered a security problem with a CVE entry. Note also that this 
problem does not occur for the initial setting of the password, but 
only when changing it.

Given we now have a CVE entry, I'll fix the bug in lenny/unstable. For
the experimental version, I am closing the bug, as it is an SVN snapshot
and the bug has already been fixed for some days upstream.

Note that KVM is also most probably affected.

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
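The maintainer's remark that the limit only bites on the change-password path, not the initial setting, is the usual shape of this bug class: one code path sizes its copy by the buffer, another by the character limit, and a NUL-terminating copy helper then silently drops one character. The following C program is an added illustration of that pattern and is not QEMU's code; the struct, the `bounded_copy` helper (modelled on the common pstrcpy/strlcpy contract), the `PASSWORD_MAX` constant and the 16-character input are all assumptions made for the example. `effective_limit` is the kind of regression check a packager could run to confirm that a setter really retains eight characters.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 8   /* intended limit: eight characters (assumed for the example) */

/* Bounded copy that always NUL-terminates: copies at most size-1 characters
 * and returns how many were copied. Same contract as pstrcpy()/strlcpy();
 * written here for the example, not taken from QEMU. */
static size_t bounded_copy(char *dst, size_t size, const char *src)
{
    size_t n = strlen(src);
    if (size == 0)
        return 0;
    if (n >= size)
        n = size - 1;           /* leave room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

struct server {
    char password[PASSWORD_MAX + 1];  /* eight characters plus NUL */
};

/* Buggy setter: passes the character limit, not the buffer size, as the
 * bound. The terminator takes one slot, so only seven characters survive. */
size_t set_password_buggy(struct server *s, const char *pw)
{
    return bounded_copy(s->password, PASSWORD_MAX, pw);
}

/* Corrected setter: bounds the copy by the real buffer size (limit + 1),
 * so all eight characters fit and the NUL still has its own byte. */
size_t set_password_fixed(struct server *s, const char *pw)
{
    return bounded_copy(s->password, sizeof(s->password), pw);
}

/* Regression check: feed an over-long password through a setter and
 * report how many characters it actually retained. */
size_t effective_limit(size_t (*setter)(struct server *, const char *))
{
    struct server s;
    memset(&s, 0, sizeof s);
    setter(&s, "0123456789abcdef");  /* constructed 16-character input */
    return strlen(s.password);
}

int main(void)
{
    printf("buggy setter keeps %zu characters\n",
           effective_limit(set_password_buggy));
    printf("fixed setter keeps %zu characters\n",
           effective_limit(set_password_fixed));
    return 0;
}
```

The check is cheap enough to keep as a unit test: with the buggy setter it reports 7, with the corrected one 8, which is exactly the discrepancy the report describes. Note that an over-long input is needed to expose the bug; an eight-character test password would pass through the fixed path and be cut to seven by the buggy one, but a seven-character one would pass both.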




Bug marked as found in version 9.1-1 and reopened. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Sun, 28 Dec 2008 12:03:02 GMT)


Bug marked as found in version 0.9.1-1. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Sun, 28 Dec 2008 12:06:06 GMT)


Bug no longer marked as found in version 9.1-1. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Sun, 28 Dec 2008 12:06:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#509882; Package qemu. (Sun, 28 Dec 2008 12:39:02 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 28 Dec 2008 12:39:02 GMT)


Message #21 received at 509882@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Aurelien Jarno" <aurelien@aurel32.net>
Cc: 509882@bugs.debian.org
Subject: Re: Bug#509882: password limited to seven, not eight characters
Date: Sun, 28 Dec 2008 13:37:52 +0100 (CET)
On Sun, December 28, 2008 12:41, Aurelien Jarno wrote:
> To be honest, while I agree it is a real problem, I find it strange that it is
> considered a security problem with a CVE entry. Note also that this problem
> does not occur for the initial setting of the password, but only when
> changing it.

Yes, in my opinion it borders on a non-issue, but strictly speaking it's
less secure than intended, so that qualifies for a CVE name. But still, if
we can fix it for lenny, we should.

> Given we now have a CVE entry, I'll fix the bug in lenny/unstable. For
> the experimental version, I am closing the bug for the experimental
> version, as it is a SVN snapshot and the bug has already been fixed for
> some days upstream.

Great, thanks.


Thijs





Reply sent to Aurelien Jarno <aurelien@aurel32.net>:
You have taken responsibility. (Sun, 28 Dec 2008 13:15:05 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 28 Dec 2008 13:15:05 GMT)


Message #26 received at 509882-done@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 509882-done@bugs.debian.org
Subject: Re: Bug#509882: password limited to seven, not eight characters
Date: Sun, 28 Dec 2008 14:12:16 +0100
Version: 0.9.1-10

On Sun, Dec 28, 2008 at 01:37:52PM +0100, Thijs Kinkhorst wrote:
> On Sun, December 28, 2008 12:41, Aurelien Jarno wrote:
> > To be honest, while I agree it is a real problem, I find it strange that it is
> > considered a security problem with a CVE entry. Note also that this problem
> > does not occur for the initial setting of the password, but only when
> > changing it.
> 
> Yes, in my opinion it borders on a non-issue, but strictly speaking it's
> less secure than intended, so that qualifies for a CVE name. But still, if
> we can fix it for lenny, we should.
> 
> > Given we now have a CVE entry, I'll fix the bug in lenny/unstable. For
> > the experimental version, I am closing the bug for the experimental
> > version, as it is a SVN snapshot and the bug has already been fixed for
> > some days upstream.
> 
> Great, thanks.

Done, but I forgot to add the bug number to the changelog. Closing the
bug manually with this mail.

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net




Bug marked as fixed in version 0.9.1-10, send any further explanations to Thijs Kinkhorst <thijs@debian.org>. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Sun, 28 Dec 2008 13:30:02 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Feb 2009 07:30:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:35 2019; Machine Name: buxtehude
