Comment 176 for bug 2059809

Dan Smith (danms) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

No, in upload mode (i.e. the mode everyone uses to get images into glance) there is no glance-specific attack since glance doesn't look at the image at all. In the future, I'll plan to make the format_inspector look for this and reject the upload mid-stream, but that has all kinds of error-handling issues that I don't want to address in this kind of emergency patch. So, in "image create --file foo" glance should happily accept the image and nova should refuse to do anything with it if you try.

However, glance has an "import" operation, where you upload the image to a staging directory, then "import" it into the actual store. In that mode, it is possible to enable the image_conversion plugin which causes glance to use qemu-img to transform the image from, say, qcow2 to raw, or vmdk to qcow2. That's the case where you can exploit glance here - if import is enabled and image_conversion is enabled, then you can also get glance to do bad stuff. If none of those are enabled (likely a lot of deployments) then glance itself isn't directly exploitable, it will just hold the bad stuff.

Basically in regular upload mode, you can upload anything you want to glance at all and it doesn't care if it's wildly incorrect. I suspect this event will justify a rethink of that approach :)
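
As an added example (not part of the comment above and not Glance's format_inspector code), here is one way a check run before image conversion could read a qcow2 header and flag an external data file before qemu-img touches a staged image. The function names and the sample header are constructed for illustration; the offsets, feature bit and extension type follow the published qcow2 format specification.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2   # incompatible_features bit 2 (qcow2 spec)
EXT_DATA_FILE_NAME = 0x44415441   # header extension: external data file name
EXT_END = 0x00000000              # end-of-extensions marker


def inspect_qcow2(header: bytes) -> dict:
    """Report whether the leading bytes of an image declare an external data file."""
    if len(header) < 72 or header[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 header")
    (version,) = struct.unpack_from(">I", header, 4)
    result = {"version": version, "external_data_file": False, "data_file_name": None}
    if version < 3:
        return result  # version 2 has no feature bits
    if len(header) < 104:
        raise ValueError("truncated version 3 header")
    (incompat,) = struct.unpack_from(">Q", header, 72)
    (header_len,) = struct.unpack_from(">I", header, 100)
    if header_len < 104:
        raise ValueError("invalid header_length")
    result["external_data_file"] = bool(incompat & INCOMPAT_EXTERNAL_DATA)
    # Walk the header extensions too: treat a data-file name as a hit even
    # when the feature bit is clear, so an inconsistent header is still flagged.
    pos = header_len
    while pos + 8 <= len(header):
        ext_type, ext_len = struct.unpack_from(">II", header, pos)
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE_NAME:
            name = header[pos + 8:pos + 8 + ext_len]
            result["external_data_file"] = True
            result["data_file_name"] = name.decode("utf-8", "replace")
        pos += 8 + ((ext_len + 7) & ~7)  # extension data is padded to 8 bytes
    return result


def build_sample_header(incompat=0, extensions=()):
    """Constructed test input: a minimal version 3 header, not a usable image."""
    h = bytearray(104)
    h[0:4] = QCOW2_MAGIC
    struct.pack_into(">I", h, 4, 3)      # version
    struct.pack_into(">Q", h, 72, incompat)
    struct.pack_into(">I", h, 100, 104)  # header_length
    for ext_type, data in extensions:
        h += struct.pack(">II", ext_type, len(data)) + data + b"\0" * (-len(data) % 8)
    return bytes(h + struct.pack(">II", EXT_END, 0))
```

A caller would pass the first few kilobytes of the staged file and refuse to convert when external_data_file is true.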