Comment 188 for bug 2059809

Dan Smith (danms) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Just to clarify the glance situation, I'm putting instructions for reproducing the issue here for posterity.

1. Configure glance to support import (with at least glance-direct allowed) by defining the staging and tasks data stores in /etc/glance/glance-api.conf:

[DEFAULT]
enabled_import_methods=["glance-direct"]
[os_glance_staging_store]
filesystem_store_datadir=/opt/stack/data/glance/os_glance_staging_store/
[os_glance_tasks_store]
filesystem_store_datadir=/opt/stack/data/glance/os_glance_tasks_store/

2. Make sure those directories exist on the filesystem (i.e. mkdir them)

3. Configure glance to do image conversion during import in /etc/glance/glance-image-import.conf:

[image_import_opts]
image_import_plugins = ['image_conversion']
[image_conversion]
output_format=raw

4. Restart glance (if you changed the above)

5. Upload an image using import:

$ openstack image create --disk-format qcow2 --container-format bare --import --file test-with-datafile.qcow test-import-df

6. The image should not go to active and you should be able to confirm that the badness was identified by seeing this in the log:

Jun 26 14:58:32 jammy <email address hidden>[332798]: ERROR glance.async_.taskflow_executor RuntimeError: Image has disallowed configuration

7. You can test that trying to masquerade the image as a different type (i.e. call it a vmdk but it's actually a qcow2) is also caught:

$ openstack image create --disk-format vmdk --container-format bare --import --file test-with-datafile.qcow test-import-df-masquerade

The logs should show:

Jun 26 15:10:20 jammy <email address hidden>[334406]: ERROR glance.async_.taskflow_executor RuntimeError: Image format detection failed

And just for completeness, if you don't have the patches installed, this is what the failure looks like when qemu tries to open the bogus data file if glance doesn't prevent it first:

Jun 26 15:11:14 jammy <email address hidden>[334580]: Stderr: "qemu-img: Could not open '/opt/stack/data/glance/os_glance_staging_store/b753c2b4-8d9a-4981-a8df-2ace90f5cf66': Could not open 'abcdefghigh': No such file or directory\n": RuntimeError: Unexpected error while running command.

Note that as mentioned before, this is only triggered with --import as the upload method, and only if glance is configured to use image conversion during import. If you have import enabled (i.e. by default) and don't want it, then just disabling it with an empty list of enabled_import_methods will close this hole without any patches. However, note that glance will still allow regular uploads (i.e. without --import) of bad files since in that scenario it (currently) does no inspection of the image content, so nova and cinder patches are still required.
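The two rejections exercised in steps 6 and 7 can be illustrated with a header check like the one below. This is an added example, not part of the comment above and not glance's own inspection code; the function names and finding strings are hypothetical, the sample headers are constructed, and the field offsets and the external data file bit follow the qcow2 format specification.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2  # qcow2 spec: incompatible_features bit 2
MISMATCH = "declared format does not match detected qcow2"
EXTERNAL = "external data file feature bit set"
TRUNCATED = "truncated qcow2 header"


def build_header(version=3, incompatible=0):
    """Constructed sample input: a bare qcow2 header, not a usable image."""
    # magic, version, backing_file_offset, backing_file_size, cluster_bits,
    # size, crypt_method, l1_size, l1_table_offset, refcount_table_offset,
    # refcount_table_clusters, nb_snapshots, snapshots_offset  (72 bytes)
    hdr = struct.pack(">4sIQIIQIIQQIIQ", QCOW2_MAGIC, version, 0, 0, 16,
                      1 << 20, 0, 0, 0, 0, 0, 0, 0)
    if version >= 3:
        # incompatible, compatible, autoclear, refcount_order, header_length
        hdr += struct.pack(">QQQII", incompatible, 0, 0, 4, 104)
    return hdr


def inspect(data, declared_format):
    """Return the reasons to reject an upload; an empty list means none found."""
    if data[:4] != QCOW2_MAGIC:
        return []  # other formats are out of scope here
    findings = []
    if declared_format != "qcow2":
        findings.append(MISMATCH)  # masquerade case (step 7)
    if len(data) < 72:
        return findings + [TRUNCATED]
    (version,) = struct.unpack_from(">I", data, 4)
    if version >= 3:  # feature bitmaps exist only from version 3 on
        if len(data) < 80:
            return findings + [TRUNCATED]
        (incompatible,) = struct.unpack_from(">Q", data, 72)
        if incompatible & INCOMPAT_EXTERNAL_DATA:
            findings.append(EXTERNAL)  # data-file case (step 6)
    return findings


if __name__ == "__main__":
    bad = build_header(incompatible=INCOMPAT_EXTERNAL_DATA)
    print(inspect(bad, "qcow2"))
    print(inspect(bad, "vmdk"))
    print(inspect(build_header(), "qcow2"))
```
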