From 24505953605d401b14f6df5e6f7b8a8ae86c0cdc Mon Sep 17 00:00:00 2001
From: Zachary Amsden <zamsden@redhat.com>
Date: Thu, 3 Feb 2011 15:46:49 -0200
Subject: [PATCH 27/28] Fix CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

RH-Author: Zachary Amsden <zamsden@redhat.com>
Message-id: <4D4ACDE9.20300@redhat.com>
Patchwork-id: 17636
O-Subject: Re: [virt-devel] [RHEL 6.1 qemu PATCH] Fix CVE-2011-0011 qemu-kvm:
	Setting VNC password to empty string silently disables
	all	authentication
Bugzilla: 667976
CVE: CVE-2011-0011
RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
RH-Acked-by: Petr Matousek <pmatouse@redhat.com>
RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>

From ab677787bfc5b5c169f573564f6dc1cfaf631bbe Mon Sep 17 00:00:00 2001
From: Zachary Amsden <zamsden@redhat.com>
Date: Thu, 3 Feb 2011 10:15:35 -0500
Subject: [PATCH] VNC authentication error

VNC authentication should not be disabled by clearing the password;
if configured, it should remain enabled.

Signed-off-by: Zachary Amsden <zamsden@redhat.com>
---
 vnc.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
 vnc.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/vnc.c b/vnc.c
index eae12ce..0f19af3 100644
--- a/vnc.c
+++ b/vnc.c
@@ -2528,11 +2528,6 @@ int vnc_display_password(DisplayState *ds, const char *password)
     if (password && password[0]) {
         if (!(vs->password = qemu_strdup(password)))
             return -1;
-        if (vs->auth == VNC_AUTH_NONE) {
-            vs->auth = VNC_AUTH_VNC;
-        }
-    } else {
-        vs->auth = VNC_AUTH_NONE;
     }
 
     return 0;
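Review bot: The removal of the `if (vs->auth == VNC_AUTH_NONE)` branch at the top of the deleted lines also drops the upgrade to `VNC_AUTH_VNC` when a non-empty password is set, which the commit message does not mention; it only talks about clearing the password. After this change, a password set on a display whose auth is `VNC_AUTH_NONE` is stored in `vs->password` and the function returns 0, but `vs->auth` stays unchanged, so the caller gets a success code for a password that is never enforced. Consider returning an error in that case, or state in the commit message that password authentication has to be configured when the display is set up. For the empty-password path, the function now returns 0 without touching `vs->auth`, which relies on the authentication code rejecting clients when no password is stored; that code is not visible in this hunk, so a short comment here naming that dependency would help.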
-- 
1.7.4.rc1.16.gd2f15e

