File CVE-2019-13313-pass-username-password-via-config-file.patch of Package libosinfo.12099
As passing user & admin password via command line is a low impact CVE,
let's error out when it's done and advise users to use
--config-file instead.
Signed-off-by: Fabiano FidĂȘncio <fidencio redhat com>
---
tools/osinfo-install-script.c | 11 +++++++++++
1 file changed, 11 insertions(+)
Index: libosinfo-0.2.12/tools/osinfo-install-script.c
===================================================================
--- libosinfo-0.2.12.orig/tools/osinfo-install-script.c
+++ libosinfo-0.2.12/tools/osinfo-install-script.c
@@ -84,6 +84,15 @@ static gboolean handle_config(const gcha
val++;
key = g_strndup(value, len);
+ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
+ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
+ g_set_error(error, 0, 0,
+ _("When setting user or admin password, use "
+ "--config-file instead.\n"));
+ g_free(key);
+ return FALSE;
+ }
+
osinfo_entity_set_param(OSINFO_ENTITY(config),
key,
val);
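Review bot: The added check in handle_config rejects only the user and admin password keys, so any other secret-bearing key is still accepted through `--config` and remains readable from the process argument list. If this version's config schema defines a registration password, I would extend the condition with `|| g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD)`, and consider the product key as well; confirm against osinfo_install_config.h. It would also help to add a comment above the check such as `/* Secrets must not be passed on the command line (CVE-2019-13313): argv is visible to other local users. */` so the list is kept up to date when new keys are added. Separately, `g_set_error(error, 0, 0, ...)` passes a zero error domain, which GLib may warn about at runtime, and the trailing `\n` in the message is unusual for a GError string. The rest of handle_config lies outside the hunk, so whether the file already uses this pattern elsewhere cannot be seen from here.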
@@ -506,6 +515,8 @@ can also be C<desktop>, or a site specif
Set the configuration parameter C<key> to C<value>.
+Note: this option has been deprecated, use B<--config-file=> instead.
+
=item B<--config-file=config-file>
Set the configurations parameters according to the config-file passed.