libosinfo: osinfo-install-script option leaks password via command line argument (CVE-2019-13313)
A flaw was found in libosinfo, version 1.5.0, where the script for automated guest installations, 'osinfo-install-script', accepts user and admin passwords via command line arguments. This could allow guest passwords to leak to other system users via a process listing.
References:
- https://gitlab.com/libosinfo/libosinfo/blob/master/NEWS
- https://www.openwall.com/lists/oss-security/2019/07/08/3
- https://nvd.nist.gov/vuln/detail/CVE-2019-13313
Patches:
- https://www.redhat.com/archives/libosinfo/2019-July/msg00027.html
- https://www.redhat.com/archives/libosinfo/2019-July/msg00028.html
Affected branches:
- master
- 3.10-stable
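An audit check for the exposure described above, added here as an example; it is not code from libosinfo or from this report. It parses the NUL-separated argv format of `/proc/<pid>/cmdline` and reports which password keys a running `osinfo-install-script` exposes, without printing the values. The `--config`/`-c` option, the key names `user-password` and `admin-password`, and `--config-file` are assumptions taken from the tool's documentation, not from this page, and the sample command lines are constructed.

```python
import os

# Assumption: the --config/-c option and these key names come from the
# osinfo-install-script man page; the advisory itself does not list them.
SECRET_KEYS = {"user-password", "admin-password"}

def exposed_keys(cmdline):
    """Secret config keys visible in a NUL-separated argv (/proc/<pid>/cmdline)."""
    argv = [a.decode("utf-8", "replace") for a in cmdline.split(b"\0") if a]
    if not argv or os.path.basename(argv[0]) != "osinfo-install-script":
        return []
    found, i = [], 1
    while i < len(argv):
        setting = None
        if argv[i] in ("--config", "-c") and i + 1 < len(argv):
            i += 1
            setting = argv[i]            # value is the next argv element
        elif argv[i].startswith("--config="):
            setting = argv[i][len("--config="):]
        if setting:
            key = setting.split("=", 1)[0]
            if key in SECRET_KEYS:
                found.append(key)        # report the key only, never the value
        i += 1
    return found

def scan_proc(proc="/proc"):
    """Map pid -> exposed keys for every readable process under /proc (Linux)."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                keys = exposed_keys(f.read())
        except OSError:
            continue                     # process exited or is not readable
        if keys:
            hits[int(pid)] = keys
    return hits

# Constructed sample command lines; passwords are placeholders.
SAMPLE_BAD = (b"osinfo-install-script\0--profile\0jeos\0"
              b"--config=user-password=EXAMPLE\0--config\0admin-password=EXAMPLE\0fedora29\0")
# Assumption: --config-file is the file-based option of later libosinfo releases.
SAMPLE_OK = b"osinfo-install-script\0--config-file\0answers.ini\0fedora29\0"

if __name__ == "__main__":
    print(exposed_keys(SAMPLE_BAD), exposed_keys(SAMPLE_OK))
    if os.path.isdir("/proc"):
        print(scan_proc())
```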