Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.
More information on setting VNC passwords for Qemu/KVM guests can be found here:
Looking at the various versions of Qemu, KVM and Xen shipped, the following seem to be affected:
- Qemu - All versions shipped in stable Fedora versions are currently based on upstream version 0.9.1 that contains this flaw.
- KVM - Current versions in stable Fedora versions (65-15.fc9 and 74-10.fc10) contain this problem as well. The issue was fixed in the KVM upstream git repository via:
and the fix is included in version 82 and later.
- Xen - Versions of Xen as shipped in Red Hat Enterprise Linux 5 (3.0.3-80.el5) and Fedora 9 (3.2.0-15.fc9) are not affected by this flaw (a longer (256) buffer is used, and the full buffer size is passed to monitor_readline()). The flaw exists in the Fedora 10 and Rawhide Xen versions (3.3.0-1.fc10 and 3.3.1-2.fc11, ioemu-qemu-xen).
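As an added illustration of the pattern described above (this is constructed example code, not the report's or Qemu's own source), the following shows how a readline-style helper that already reserves one byte for the NUL terminator silently loses a character when the caller also subtracts one from the buffer size. The names `read_line_into`, `set_password_buggy`, `set_password_fixed` and `VNC_PASSWORD_MAX` are stand-ins chosen for this example; the 256-byte variant mentioned for Xen avoids the problem simply because the full buffer size is passed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for a monitor_readline()-style helper (constructed for this
 * example): copies at most (bufsize - 1) characters of one input line
 * and always NUL-terminates, so the CALLER is expected to pass the
 * full size of the destination buffer. Returns the count stored.
 */
static size_t read_line_into(const char *input, char *buf, size_t bufsize)
{
    size_t n = 0;
    if (bufsize == 0)
        return 0;
    while (input[n] != '\0' && input[n] != '\n' && n < bufsize - 1) {
        buf[n] = input[n];
        n++;
    }
    buf[n] = '\0';
    return n;
}

#define VNC_PASSWORD_MAX 8   /* intended maximum password length (assumed) */

/* Buggy caller: the terminator byte is reserved twice, once in the array
 * size (MAX + 1) and once again by passing sizeof - 1, so only 7 of the
 * intended 8 characters survive. Copies the result into `out`. */
size_t set_password_buggy(const char *typed, char *out, size_t outsize)
{
    char password[VNC_PASSWORD_MAX + 1];
    read_line_into(typed, password, sizeof(password) - 1); /* off by one */
    snprintf(out, outsize, "%s", password);
    return strlen(out);
}

/* Fixed caller: the helper already accounts for the terminator, so the
 * full array size is passed and all 8 characters are kept. */
size_t set_password_fixed(const char *typed, char *out, size_t outsize)
{
    char password[VNC_PASSWORD_MAX + 1];
    read_line_into(typed, password, sizeof(password));
    snprintf(out, outsize, "%s", password);
    return strlen(out);
}

int main(void)
{
    char got[16];
    const char *typed = "abcdefgh\n";  /* constructed 8-character input */

    printf("buggy: %zu chars kept\n", set_password_buggy(typed, got, sizeof got));
    printf("fixed: %zu chars kept\n", set_password_fixed(typed, got, sizeof got));
    return 0;
}
```

The security consequence is that the effective password space shrinks from eight characters to seven without any error being reported to the administrator who set it; a simple check when reviewing such callers is that the size argument handed to a NUL-terminating reader equals `sizeof(buffer)`, not `sizeof(buffer) - 1`.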
Is there any way to run Qemu / KVM with the monitor enabled when used with libvirt? From a search through the XML format spec, there does not seem to be any option to enable it. Is there a way to enable the monitor in qemu-dm used by Xen?
Oh god, will those CVEs on vnc ever stop?