Comment 173 for bug 2059809

Dr. Jens Harbott (j-harbott) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

O.k., more trouble: the patch for glance is using the output of "qemu-img info" in order to decide whether to reject the image, which I thought was to be avoided? In addition, when using a file that is not world-readable as data_file, that command will simply error out with:

$ qemu-img info ~/devstack/disk.qcow2
qemu-img: Could not open '/home/ubuntu/devstack/disk.qcow2': Could not open '/etc/sudoers': Permission denied

and thus the check will not trigger and consequently will still accept the malicious image.
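
Added example, not part of the comment above and not the Glance patch: a check that reads the QCOW2 header bytes directly instead of running "qemu-img info", so it never opens the referenced data file, and that rejects on any parse or read failure. The function names and sample headers are constructed for illustration; the offsets assume the QCOW2 version 3 header layout, where bit 2 of the incompatible-features field marks an external data file.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_DATA_FILE = 1 << 2  # incompatible-features bit 2: external data file


def qcow2_reject_reason(header: bytes):
    """Return a reason string if the image must be rejected, else None.

    Fails closed: a header that cannot be parsed is rejected, never accepted.
    """
    if len(header) < 72 or header[:4] != QCOW2_MAGIC:
        return "not a parseable qcow2 header"
    (version,) = struct.unpack_from(">I", header, 4)
    if version == 2:
        return None  # v2 headers have no feature bits, so no data file
    if version != 3:
        return f"unsupported qcow2 version {version}"
    if len(header) < 104:
        return "truncated v3 header"
    (incompat,) = struct.unpack_from(">Q", header, 72)
    if incompat & INCOMPAT_DATA_FILE:
        return "external data file bit set"
    return None


def check_image(path: str):
    """Read only the image's own header; any I/O error is a rejection."""
    try:
        with open(path, "rb") as f:
            return qcow2_reject_reason(f.read(104))
    except OSError as exc:
        return f"could not read image: {exc.strerror}"


def sample_header(incompat: int) -> bytes:
    """Constructed v3 header; only the fields parsed above are filled in."""
    hdr = bytearray(104)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)           # version
    struct.pack_into(">Q", hdr, 72, incompat)   # incompatible_features
    struct.pack_into(">I", hdr, 100, 104)       # header_length
    return bytes(hdr)


if __name__ == "__main__":
    for bits in (0, INCOMPAT_DATA_FILE):
        print(bits, qcow2_reject_reason(sample_header(bits)))
```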