oss-sec mailing list archives

CVE-2019-10183 virt-install: unattended option leaks password via command line argument


From: P J P <ppandit () redhat com>
Date: Wed, 3 Jul 2019 12:23:21 +0530 (IST)

  Hello,

The virt-install(1) utility, used to provision new virtual machines, has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM passwords as command line arguments, thus leaking them to other users on the system via process listing.

  -> https://virt-manager.org/download/

It was introduced recently in the virt-manager v2.2.0 release.

Upstream patch:
---------------
  -> https://www.redhat.com/archives/virt-tools-list/2019-July/msg00014.html


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
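
The exposure described in the message above can be audited from the defender's side. This is an added example, not part of the original post or of virt-manager: it reads the NUL-separated `/proc/<pid>/cmdline` files that process listings are built from and reports which argument keys carry a secret inline, without ever returning the value. The key pattern and the `admin-password=` spelling in the constructed sample are assumptions for illustration.

```python
import re
from pathlib import Path

# Argument keys that carry a secret inline ("admin-password=...", "--token ...").
SECRET_KEY = re.compile(r"(?i)^-{0,2}[\w-]*(password|passwd|secret|token)[\w-]*$")

# Constructed sample of /proc/<pid>/cmdline contents (NUL-separated argv).
# The "admin-password=" sub-option spelling is an assumption for illustration.
SAMPLE = b"virt-install\0--name\0demo\0--unattended\0profile=desktop,admin-password=EXAMPLE\0"

def is_secret_key(key):
    # Keys ending in "-file" name a path to the secret, not the secret itself.
    return bool(SECRET_KEY.match(key)) and not key.lower().endswith(("-file", "_file"))

def parse_cmdline(raw):
    """Split NUL-separated /proc/<pid>/cmdline bytes into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_secret_args(argv):
    """Return key names of secrets passed inline; values are never returned."""
    hits = []
    for i, arg in enumerate(argv):
        # key=value form, including comma-separated sub-options
        for part in arg.split(","):
            key, sep, value = part.partition("=")
            if sep and value and is_secret_key(key):
                hits.append(key.lstrip("-"))
        # "--key value" form, where the secret is the following argument
        nxt = argv[i + 1] if i + 1 < len(argv) else "-"
        if "=" not in arg and arg.startswith("-") and is_secret_key(arg) \
                and not nxt.startswith("-"):
            hits.append(arg.lstrip("-"))
    return hits

def scan_proc(root="/proc"):
    """Yield (pid, program, keys) for processes exposing secrets in argv."""
    for path in Path(root).glob("[0-9]*/cmdline"):
        try:
            argv = parse_cmdline(path.read_bytes())
        except OSError:
            continue  # process exited or is not readable
        keys = find_secret_args(argv)
        if keys:
            yield path.parent.name, argv[0], keys

if __name__ == "__main__":
    print("sample:", find_secret_args(parse_cmdline(SAMPLE)))
    for pid, prog, keys in scan_proc():
        print(f"pid {pid} ({prog}): inline secret in {', '.join(keys)}")
```

Arguments whose key ends in `-file` are not flagged, because they put only a path on the command line and leave access to the secret to file permissions.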

