Bug 1664310
Summary: | [RHEL 7.6 LP] openstack output leaks passwords | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomáš Golembiovský <tgolembi> |
Component: | libguestfs | Assignee: | Richard W.M. Jones <rjones> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.6 | CC: | juzhou, mxie, mzhan, ptoscano, tzheng, xiaodwan, zili |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | V2V | | |
Fixed In Version: | libguestfs-1.38.2-12.28.lp.el7_6 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-10-17 11:07:01 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1651426 | | |
Description
Tomáš Golembiovský
2019-01-08 12:09:32 UTC
Note this is only in the LP branch, so the bug may only affect layered products, not actual RHEL. However, it is a security issue.

Final patch upstream in:
https://github.com/libguestfs/libguestfs/commit/fc028bf57a3ff128d21b904583f9ea02f672ed5b

This is fixed in the libguestfs-1.38.2-12.28.lp.el7_6 package. There's a scratch build here:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=19702636

Verify bug with builds:
virt-v2v-1.40.2-8.el7.x86_64
libguestfs-1.40.2-8.el7.x86_64
nbdkit-1.8.0-2.el7.x86_64

Steps:
1. Use virt-v2v to convert a guest to openstack and use option --os-password
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -n default esx6.7-rhel7.7-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server -oo os-username=admin -oo os-password=redhat -v -x |& tee >op.log

2. Check if the passwords are disclosed in the log
# cat op.log |grep openstack
openstack [...] token issue
[ 181.3] Initializing the target -o openstack
openstack [...] volume create -f json --size 7 --description virt-v2v temporary volume for esx6.7-rhel7.7-x86_64 --non-bootable --read-write esx6.7-rhel7.7-x86_64-sda
openstack: JSON parsed as: {
openstack [...] volume show -f json d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack: JSON parsed as: {
openstack [...] server add volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] server remove volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] volume delete d37127be-f085-4d3d-ada8-8415cdc1f2c5

Result: virt-v2v will not disclose the password when converting a guest to openstack.
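
Added example, not part of the bug report and not libguestfs code: a Python sketch of the logging pattern the fixed output above suggests (authentication arguments collapsed to "[...]" in the debug line), next to the leaking form, plus a check that automates step 2. The function names, the SECRET_OPTS list and the sample credential values are assumptions made for this illustration.

```python
import re
import shlex

# Option names treated as credential-bearing (assumption for this example).
SECRET_OPTS = ("--os-password", "--os-token")

def log_line_unsafe(auth_args, cmd_args):
    """'Before' form: the debug line is the full command line, credentials included."""
    return shlex.join(["openstack", *auth_args, *cmd_args])

def log_line_safe(auth_args, cmd_args):
    """Hardened form: every authentication argument is replaced by one fixed
    '[...]' marker, so no credential value can reach the debug log."""
    return "openstack [...] " + shlex.join(cmd_args)

def find_leaks(log_text, secrets=()):
    """Return (line_number, reason) for each log line exposing a credential.

    A line is flagged if it carries a credential option, or if it contains a
    known secret value verbatim (short secrets can produce false positives).
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for opt in SECRET_OPTS:
            if re.search(re.escape(opt) + r"(=|\s)", line):
                findings.append((n, opt))
        for secret in secrets:
            if secret and secret in line:
                findings.append((n, "literal secret"))
    return findings

# Constructed sample values, not taken from any real deployment.
AUTH = ["--os-username=admin", "--os-password=EXAMPLE-secret"]
CMD = ["token", "issue"]

if __name__ == "__main__":
    for build in (log_line_unsafe, log_line_safe):
        line = build(AUTH, CMD)
        print(line, "->", find_leaks(line, secrets=["EXAMPLE-secret"]))
```

The literal-secret match catches a password that reaches the log through a path the option-name match does not cover.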