Bug 1664310

Summary: [RHEL 7.6 LP] openstack output leaks passwords
Product: Red Hat Enterprise Linux 7
Reporter: Tomáš Golembiovský <tgolembi>
Component: libguestfs
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED CURRENTRELEASE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.6
CC: juzhou, mxie, mzhan, ptoscano, tzheng, xiaodwan, zili
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: V2V
Fixed In Version: libguestfs-1.38.2-12.28.lp.el7_6
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-17 11:07:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1651426

Description Tomáš Golembiovský 2019-01-08 12:09:32 UTC
When password arguments are passed with --os-* option to -o openstack (e.g. --os-password=somesecret), such arguments are then presented in virt-v2v debug output in clear text.

Passwords should not be disclosed this way and should be masked in virt-v2v output.

Comment 2 Richard W.M. Jones 2019-01-08 13:48:19 UTC
Note this is only in the LP branch, so the bug may only affect layered products, not actual RHEL.
However it is a security issue.

Comment 3 Richard W.M. Jones 2019-01-08 14:21:05 UTC
Patch posted:
https://www.redhat.com/archives/libguestfs/2019-January/msg00086.html

Comment 4 Richard W.M. Jones 2019-01-08 14:57:05 UTC
Final patch upstream in:
https://github.com/libguestfs/libguestfs/commit/fc028bf57a3ff128d21b904583f9ea02f672ed5b

Comment 5 Richard W.M. Jones 2019-01-08 15:38:09 UTC
This is fixed in the libguestfs-1.38.2-12.28.lp.el7_6 package.  There's a scratch build here:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=19702636

Comment 6 liuzi 2019-10-17 11:07:01 UTC
Verify bug with builds:
virt-v2v-1.40.2-8.el7.x86_64
libguestfs-1.40.2-8.el7.x86_64
nbdkit-1.8.0-2.el7.x86_64

Steps:
1. Use virt-v2v to convert a guest to openstack and use option --os-password
#virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io  vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -n default esx6.7-rhel7.7-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server -oo os-username=admin -oo os-password=redhat -v -x |& tee >op.log

2. Check if the passwords are disclosed in the log
# cat op.log |grep openstack
openstack [...] token issue
[ 181.3] Initializing the target -o openstack
openstack [...] volume create -f json --size 7 --description virt-v2v temporary volume for esx6.7-rhel7.7-x86_64 --non-bootable --read-write esx6.7-rhel7.7-x86_64-sda
openstack: JSON parsed as: {
openstack [...] volume show -f json d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack: JSON parsed as: {
openstack [...] server add volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] server remove volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] volume delete d37127be-f085-4d3d-ada8-8415cdc1f2c5


Result:
virt-v2v will not disclose the password when converting a guest to openstack.
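The masking the description asks for, together with the log check performed in comment 6, as an added Python example; this is not virt-v2v's own code (which is OCaml), and the option names and the sample command line are constructed for illustration:

```python
from typing import Iterable, List

# Prefix of the OpenStack CLI authentication options (--os-username,
# --os-password, --os-auth-url, ...).  The fix on this page replaces the
# whole block of these options with "[...]" in virt-v2v's debug output.
AUTH_PREFIX = "--os-"


def redact_openstack_argv(argv: List[str]) -> str:
    """Return a loggable form of an `openstack` command line.

    Every --os-* option is dropped, whether written as --os-password=VALUE
    or as --os-password VALUE, and a single "[...]" marks where they were,
    matching the "openstack [...] token issue" lines shown in comment 6.
    """
    if not argv:
        return ""
    kept = [argv[0]]
    hidden = False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith(AUTH_PREFIX):
            hidden = True
            # Separate-value form: skip the value that follows the option too.
            if "=" not in arg and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1
        else:
            kept.append(arg)
        i += 1
    if hidden:
        kept.insert(1, "[...]")
    return " ".join(kept)


def lines_leaking_secrets(log_lines: Iterable[str], secrets: Iterable[str]) -> List[str]:
    """The check from comment 6: return the log lines that still contain a secret."""
    secrets = [s for s in secrets if s]
    return [line for line in log_lines if any(s in line for s in secrets)]


if __name__ == "__main__":
    # Constructed sample command line, not a real deployment.
    argv = ["openstack", "--os-username=admin", "--os-password=s3cret",
            "--os-auth-url", "https://keystone.example.test:5000/v3",
            "token", "issue"]
    print(redact_openstack_argv(argv))  # openstack [...] token issue
    print(lines_leaking_secrets([" ".join(argv), redact_openstack_argv(argv)], ["s3cret"]))
```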