Comment 17 for bug 1415087
Revision history for this message
| Andrew Laski (alaski) wrote Re: Format-guessing and file disclosure in image convert | #17 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
As Tony said, Nova is vulnerable in the snapshot case. I'm not an expert in the libvirt driver and the complexity of the image handling code makes it hard to say with certainty that the vulnerability exists during instance creation, but it does appear to me that it uses the unprotected 'qemu-img create' with an LVM image type. I can't say at this point whether or not there are safeguards in place that means that is ok.