Comment 14 for bug 2059809

Sylvain Bauza (sylvain-bauza) wrote : Re: Arbitrary file access through QCOW2 external data file

Nova's patch proposed by Dan relies on the same mitigation provided in https://security.openstack.org/ossa/OSSA-2023-002.html where we rely on metadata that was added in oslo.utils's imageutils.py module by https://github.com/openstack/oslo.utils/commit/2180db82b605cf84902ee379fffc0b34e17e92c7.

This sounds to me like the correct approach, as we can backport it down to the last Maintained releases, but any distro can also backport it further down to Ussuri if they want (exactly like OSSA-2023-002).

+1 on nova-2059809.patch but I'll test it on a dev environment.