Comment 134 for bug 2059809

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

To summarize the comments since downstream stakeholder notification:

Pavlo notes that the Glance and Nova patches need minor adjustments for tests and style before they'll be able to pass our CI jobs.

Kurt, Luigi and Mohammed raise concerns that the supplied patches for Cinder to merely reject QCOW2 images specifying a data file are insufficient to prevent related file disclosure risks, and are offering to assist the Cinder maintainers in completing a more robust solution similar to those for Glance and Nova.

Martin recommends we notify the QEMU maintainers that we're planning to publish our advisory this week. I'll try to find out who was in communication with them last, or worst case I'll re-insert myself into the earlier E-mail discussion which they'd previously dropped me from. If anyone reading this already knows the state of those conversations, it would be better to get QEMU representatives subscribed to this bug report so I don't have to work around Gmail's dislike for independently-run mailservers.