Comment 147 for bug 2059809

Dan Smith (danms) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Indeed, the long-ago backing-file attack CVE was incomplete and didn't account for this situation where we have a qcow2 masquerading as a raw. If it escapes our initial download check due to the format difference, we will do a format-less detection of its format and information and hook up an ephemeral disk to it, and as a result invite the same problem. The same situation arises with the data-file check.
I'm attaching an additional patch for nova that plugs this whole class of issue by also running the safety check on the base image each time we go to use it, which will catch this case even for deployments where such an image has already infiltrated the local node's image cache. To do this (without massive changes in nova) it brings over another piece of proposed code from glance's format_inspector that provides a safe format detection routine.

I'll work on the backports next, but I'm putting this here so it can get earlier testing and approval. Felix and others, please do test this comprehensively as it's now very fresh.

I'm keeping this separate for the moment because some distros that have already backported the earlier patches want to just apply additional changes without redoing their backports.

(edited for additional fix)
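A header-level version of the check described in the comment above, written here as an added example and not taken from the nova patch or glance's format_inspector: it decides the format from the magic bytes instead of the declared disk_format, then rejects a qcow2 header that carries a backing file or sets the external-data-file feature bit. Field offsets follow the qcow2 specification; the header construction helper, the function names and the sample values are this example's own.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_DATA_FILE = 1 << 2  # qcow2 v3 incompatible-feature bit: external data file

def detect_format(header: bytes) -> str:
    """Decide the real format from the bytes, not from the declared disk_format."""
    if len(header) >= 72 and header[:4] == QCOW2_MAGIC:
        return "qcow2"
    return "raw"

def qcow2_safety_issues(header: bytes) -> list:
    """Reasons to reject a qcow2 header: a backing file or an external data
    file lets the image name a path on the host."""
    issues = []
    version = struct.unpack(">I", header[4:8])[0]
    backing_off, backing_len = struct.unpack(">QI", header[8:20])
    if backing_off or backing_len:
        issues.append("backing_file")
    if version >= 3 and len(header) >= 80:
        incompat = struct.unpack(">Q", header[72:80])[0]
        if incompat & INCOMPAT_DATA_FILE:
            issues.append("data_file")
    return issues

def check_image(header: bytes, declared_format: str) -> tuple:
    """Verdict (accepted, issues). Meant to run on every use of the base image,
    so an unsafe image already sitting in a local cache is still caught."""
    actual = detect_format(header)
    issues = ["format_mismatch"] if actual != declared_format else []
    if actual == "qcow2":
        issues.extend(qcow2_safety_issues(header))
    return (not issues, issues)

def make_qcow2_header(version=3, backing_off=0, backing_len=0, incompat=0) -> bytes:
    """Constructed sample header (104 bytes) in spec field order; fields not
    relevant to the check carry plausible filler values."""
    fixed = struct.pack(">IQIIQIIQQIIQ", version, backing_off, backing_len,
                        16, 1 << 30, 0, 1, 0x10000, 0x20000, 1, 0, 0)
    v3 = struct.pack(">QQQII", incompat, 0, 0, 4, 104)
    return QCOW2_MAGIC + fixed + v3

if __name__ == "__main__":
    # A qcow2 with an external data file uploaded as "raw" is rejected even
    # though a check keyed only on the declared format would let it through.
    print(check_image(make_qcow2_header(incompat=INCOMPAT_DATA_FILE), "raw"))
    print(check_image(bytes(104), "raw"))
```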