File CVE-2019-13313-pass-username-password-via-config-file.patch of Package libosinfo.33875

Subject: tools,install-script: Deprecate --config {user,admin}-password
From: Fabiano Fidêncio fidencio@redhat.com Wed Jul 3 14:59:07 2019 +0200
Date: Wed Jul 10 13:16:08 2019 +0200:
Git: 3654abee6ead9f11f8bb9ba8fc71efd6fa4dabbc

Let's deprecate user-password and admin-password options of --config and
also warn out whenever they're passed to osinfo-install-script.

CVE-2019-13313
Libosinfo: osinfo-install-script option leaks password via command line
argument. 'osinfo-install-script' is used to generate a script for
automated guest installations. It accepts user and admin passwords via
command line arguments, thus leaking them via process listing.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Index: libosinfo-1.2.0/tools/osinfo-install-script.c
===================================================================
--- libosinfo-1.2.0.orig/tools/osinfo-install-script.c
+++ libosinfo-1.2.0/tools/osinfo-install-script.c
@@ -84,6 +84,12 @@ static gboolean handle_config(const gcha
     val++;
     key = g_strndup(value, len);
 
+    if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
+        g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
+        g_warning("When setting user or admin password, use --config-file "
+                  "instead.\n");
+    }
+
     osinfo_entity_set_param(OSINFO_ENTITY(config),
                             key,
                             val);
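Review bot: The new g_str_equal() check in handle_config() only warns. The osinfo_entity_set_param() call that follows still stores the password taken from the --config argument, so a caller who ignores the warning keeps exposing the secret in the process listing exactly as the CVE text describes. If the option has to keep working for compatibility, say so in the commit message and consider naming the offending key in the warning so the user can see which argument to move to --config-file. Separately, the trailing "\n" in the g_warning() string is redundant, since GLib's log handler already terminates the message with a newline.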
@@ -541,10 +547,14 @@ The local language
 =item C<admin-password>
 
 The administrator password
+This option has been deprecated, use B<--config-file>
+for setting the admin password.
 
 =item C<user-password>
 
 The user password
+This option has been deprecated, use B<--config-file>
+for setting the user password.
 
 =item C<user-login>
 
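Review bot: In both POD items the added "This option has been deprecated, ..." line follows "The administrator password" / "The user password" directly, with no full stop and no blank line, so the man page will render each as one run-on paragraph. End the existing sentence with a period or separate the deprecation note with a blank line. The note would also be more useful if it said why the option is deprecated (the value is visible in the process listing) and pointed at the section of the man page that documents the --config-file format.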