Bug 849666 - backend - sysprep.inf contents are visible in engine.log file (they may contain passwords)
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Oved Ourfali
QA Contact: Barak Dagan
Whiteboard: infra
Keywords: Regression
Reported: 2012-08-20 09:57 EDT by Yaniv Kaul
Modified: 2016-02-10 14:30 EST
Fixed In Version: si16
Doc Type: Bug Fix
Last Closed: 2012-09-28 08:40:39 EDT
Type: Bug
oVirt Team: Infra

Description Yaniv Kaul 2012-08-20 09:57:07 EDT
Description of problem:
From https://bugzilla.redhat.com/show_bug.cgi?id=849635#c0 :

engine.log:
************
2012-08-20 09:45:15,754 INFO  [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (QuartzScheduler_Worker-76) Recieved a Device without an address when processing VM c
0457e58-0ffb-4c9f-bd14-e080e812e102 devices, skipping device: {shared=false, iface=fdc, index=0, specParams={vmPayload={file={sysprep.inf=[base64-encoded sysprep.inf contents omitted]
}}}, device=floppy, path=, type=disk, readonly=true, deviceId=d18b5606-2922-469b-b478-ecf6673ae202}.

The above is a base64-encoded sysprep.inf file. I believe it should not be printed, as it may contain passwords.


Setting as regression - we did not use to print sysprep.inf contents in 3.0.

Version-Release number of selected component (if applicable):
SI14

Comment 4 Oved Ourfali 2012-08-27 05:08:55 EDT
Patch posted to gerrit:
http://gerrit.ovirt.org/#/c/7491
Comment 6 Barak Dagan 2012-09-02 08:12:50 EDT
How can this bug be verified? Is it a byproduct of bug 849635?
Comment 7 Oved Ourfali 2012-09-02 08:25:31 EDT
(In reply to comment #6)
> How can this bug be verified? Is it a byproduct of bug 849635?

Good question.
I verified it in an "ugly" way, by removing the address from the device while debugging.
Can't think of a way of doing that without debug manipulation.
Comment 8 Yaniv Kaul 2012-09-02 08:50:50 EDT
(In reply to comment #7)
> (In reply to comment #6)
> > How can this bug be verified? Is it a byproduct of bug 849635?
> 
> Good question.
> I verified it in an "ugly" way, by removing the address from the device
> while debugging.
> Can't think of a way of doing that without debug manipulation.

So removing QA_ACK until such a way is devised.
Comment 9 Oved Ourfali 2012-09-02 08:54:29 EDT
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > How can this bug be verified? Is it a byproduct of bug 849635?
> > 
> > Good question.
> > I verified it in an "ugly" way, by removing the address from the device
> > while debugging.
> > Can't think of a way of doing that without debug manipulation.
> 
> So removing QA_ACK until such a way is devised.

The fix was added as a precaution.
Such a use case, in which the floppy disk doesn't have an address, shouldn't happen, and it also didn't reproduce in my environment.
However, in cases in which it will happen, the fix is good and useful.
We can go the other way and say "we won't fix it... as it shouldn't happen anyway", but we didn't go that way.

Reproducing it means there is a bug somewhere...

Are you proposing that we won't fix this issue?
Comment 15 RHEL Product and Program Management 2012-09-28 08:40:39 EDT
Quality Engineering Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
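
An added example, not part of the original report or the oVirt code base: a Python scrubber that audits engine.log text for `sysprep.inf=` payloads of the kind shown in the description, reports which credential keys each payload carries, and redacts the payload. The list of secret keys, the `<redacted>` marker and the sample log entry are assumptions constructed for illustration.

```python
import base64
import re

# Payload of a "sysprep.inf=" entry up to the closing brace of the file map.
# Whitespace is allowed inside it because base64 text is often line-wrapped.
PAYLOAD_RE = re.compile(r"(sysprep\.inf=)([A-Za-z0-9+/=\s]+?)\s*\}")

# Assumed list of sysprep.inf keys treated as secrets; extend as needed.
SECRET_KEY_RE = re.compile(
    r"^[ \t]*(AdminPassword|DomainAdminPassword|ProductKey)[ \t]*=[ \t]*\S+",
    re.IGNORECASE | re.MULTILINE,
)


def secret_keys(b64_text):
    """Decode one payload; return the secret keys that have a non-empty value."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return []
    text = raw.decode("utf-8", errors="replace")
    return [m.group(1) for m in SECRET_KEY_RE.finditer(text)]


def scrub(log_text):
    """Return (scrubbed_text, findings), one list of key names per payload."""
    findings = []
    def _replace(match):
        findings.append(secret_keys(match.group(2)))
        return match.group(1) + "<redacted>}"
    return PAYLOAD_RE.sub(_replace, log_text), findings


def build_sample():
    """Constructed sample: an engine.log-style entry with a wrapped payload."""
    inf = (
        "[GuiUnattended]\r\n    AdminPassword=EXAMPLE-ONLY\r\n"
        "    EncryptedAdminPassword=NO\r\n"
        "[Identification]\r\n    JoinDomain=\r\n    DomainAdminPassword=\r\n"
        "[Networking]\r\n    InstallDefaultComponents=Yes\r\n"
    )
    payload = base64.encodebytes(inf.encode()).decode()  # wraps at 76 chars
    return ("INFO  [VdsUpdateRunTimeInfo] skipping device: {iface=fdc, "
            "specParams={vmPayload={file={sysprep.inf=" + payload
            + "}}}, device=floppy}.")
```

Run `scrub()` over the whole file contents rather than line by line: a wrapped payload spans several physical lines, and only the first of them contains the `sysprep.inf=` marker.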