Comment 124 for bug 2059809

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Martin: From the QEMU maintainer communications on which I was copied and subsequent discussion with them, I was led to understand that they do not consider it a vulnerability in qemu-img since they never intended the info subcommand to be used on untrusted image files, and that they were simply refraining from mentioning that fact publicly out of courtesy to OpenStack until we release our advisory and patches.

Mohammed: Correct, the Glance and Nova patches attempt to avoid passing untrusted image files to `qemu-img info` calls, so should shield those services from any related risks posed by that tool. There is still some outstanding work to be done in Cinder in order to make it similarly paranoid, but the current patches should sufficiently address the subject of this specific bug report, and we collectively wanted to avoid dragging the embargo out past our 90-day promise. Any related bug fixes released by the QEMU maintainers are still strongly recommended from a belt-and-braces/defense-in-depth perspective, but coordinating simultaneous patching between the two communities was deemed nontrivial and they strongly encouraged OpenStack to solve this class of problems itself by no longer relying on QEMU to be robust against untrusted image files.
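
A pre-flight check in the spirit of "no longer relying on QEMU to be robust against untrusted image files", as an added example that is not part of the original comment and is not the Glance or Nova patch code. It reads only the fixed QCOW2 header and reports the external-data-file feature bit, and (going beyond the case named in the bug title) a backing-file reference, so the image can be refused before any `qemu-img info` call. Function names and the sample header are constructed for illustration; field offsets are taken from the published QCOW2 format specification.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2  # incompatible-features bit 2 in the QCOW2 spec


def qcow2_risk_flags(header: bytes) -> list[str]:
    """Return reasons to refuse the image; an empty list means no finding.

    Only the bytes passed in are examined, so nothing the image references
    is ever opened. An empty list for non-QCOW2 input is not a verdict of
    "safe": other formats need their own checks.
    """
    if header[:4] != QCOW2_MAGIC:
        return []
    if len(header) < 20:
        return ["truncated header"]
    # Big-endian: version (u32), backing_file_offset (u64), backing_file_size (u32)
    version, backing_off, backing_len = struct.unpack_from(">IQI", header, 4)
    reasons = []
    if version not in (2, 3):
        reasons.append(f"unsupported version {version}")
    if backing_off != 0 or backing_len != 0:
        reasons.append("backing file reference")
    if version == 3:  # feature bitmaps exist only in version 3 headers
        if len(header) < 80:
            reasons.append("truncated v3 header")
        else:
            (incompat,) = struct.unpack_from(">Q", header, 72)
            if incompat & INCOMPAT_EXTERNAL_DATA:
                reasons.append("external data file")
    return reasons


def sample_header(version=3, backing_off=0, backing_len=0, incompat=0) -> bytes:
    """Constructed 104-byte header for the demo; not a complete image."""
    h = bytearray(104)
    struct.pack_into(">4sIQI", h, 0, QCOW2_MAGIC, version, backing_off, backing_len)
    struct.pack_into(">Q", h, 72, incompat)
    return bytes(h)


if __name__ == "__main__":
    for label, hdr in [
        ("plain v3", sample_header()),
        ("external data bit", sample_header(incompat=INCOMPAT_EXTERNAL_DATA)),
        ("backing file", sample_header(backing_off=104, backing_len=11)),
    ]:
        print(f"{label}: {qcow2_risk_flags(hdr) or 'no finding'}")
```

In a real upload path the header bytes would come from the first 104 bytes of the uploaded file, read by the service itself rather than by an image tool.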