diff -u qemu-kvm-0.12.3+noroms/debian/changelog qemu-kvm-0.12.3+noroms/debian/changelog
--- qemu-kvm-0.12.3+noroms/debian/changelog
+++ qemu-kvm-0.12.3+noroms/debian/changelog
@@ -1,3 +1,14 @@
+qemu-kvm (0.12.3+noroms-0ubuntu9.4) lucid-security; urgency=low
+
+ [ Neil Wilson ]
+ * SECURITY UPDATE: Setting VNC password to empty string silently
+ disables all authentication (LP: #697197)
+ - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
+ change introduced in Qemu by git commit 52c18be9
+ - CVE: 2011-0011
+
+ -- Dustin Kirkland Fri, 11 Feb 2011 09:57:30 -0600
+
 qemu-kvm (0.12.3+noroms-0ubuntu9.3) lucid-proposed; urgency=low
 
 * Fix segfault when using scsi with writeback (LP: #595438)
diff -u qemu-kvm-0.12.3+noroms/debian/patches/series qemu-kvm-0.12.3+noroms/debian/patches/series
--- qemu-kvm-0.12.3+noroms/debian/patches/series
+++ qemu-kvm-0.12.3+noroms/debian/patches/series
@@ -9,6 +9,7 @@
 arm-higher-initrd-load-address.patch
 larger_default_ram_size.patch
 SDL-wrong-behaviour-of-caps-lock.patch
+697197-fix-vnc-password-semantics.patch
 block-Fix-multiwrite-memory-leak-in-error-case.patch
 block-Free-iovec-arrays-allocated-by-multiwrite_merge.patch
 scsi-Dequeue-requests-before-invoking-completion-callback.patch
only in patch2:
unchanged:
--- qemu-kvm-0.12.3+noroms.orig/debian/patches/697197-fix-vnc-password-semantics.patch
+++ qemu-kvm-0.12.3+noroms/debian/patches/697197-fix-vnc-password-semantics.patch
@@ -0,0 +1,17 @@
+## Description: Stop 'change password' switching off VNC authentication
+## Origin/Author: Neil Wilson
+## Bug: http://launchpad.net/bugs/697197
+--- a/vnc.c
++++ b/vnc.c
+@@ -2461,11 +2461,6 @@
+ if (password && password[0]) {
+ if (!(vs->password = qemu_strdup(password)))
+ return -1;
+- if (vs->auth == VNC_AUTH_NONE) {
+- vs->auth = VNC_AUTH_VNC;
+- }
+- } else {
+- vs->auth = VNC_AUTH_NONE;
+ }
+
+ return 0;
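Review bot: With the `VNC_AUTH_NONE` to `VNC_AUTH_VNC` promotion removed from vnc.c, the `if (password && password[0])` branch now stores a non-empty password without touching `vs->auth`, so on a display whose auth mode is `VNC_AUTH_NONE` the call returns 0 while the password is presumably never enforced. That is as silent as the behaviour this patch fixes; consider failing the call in that state, e.g. `if (vs->auth == VNC_AUTH_NONE) return -1;` before the `qemu_strdup`, together with a monitor message saying that password authentication must be enabled on the display first. The `## Description` header should also say what an empty password now means: the auth mode is left unchanged, and whether clients are then rejected depends on code outside this hunk and should be confirmed. The function starts above the embedded hunk, so how `vs->password` is cleared before this branch is not visible here.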