Comment 154 for bug 2059809
Revision history for this message
| Felix Huettner (felix.huettner) wrote Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498) | #154 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Attached is the fix for the previous two comments. I am aware that it fails some unittests (due to mocking) but it solves the issue for us.
I am not sure if this might break some other functionality, since we basically now disallow backing files for everything that "qemu-img info" is used on.
I will not patch it further until i have some feedback on this.
It is basically what @danms built for nova just adapted to run before qemu-img info.
However this does (probably) not prevent the general mounting issue as qcow2. So you can still create a volume, fill it with a qcow2 header and on re-attaching it will be attached as qcow2 instead of raw. Potentially you can use this to create a volume with a larger size than what cinder thinks the size is. I assume this can lead to billing issues.