Comment 197 for bug 2059809

Brian Rosmaita (brian-rosmaita) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

For cinder, the "missing" format_specific attribute of the oslo imageutils.QemuImgInfo class that Dan mentions in comment #196 was handled by patches around the time of the VMDK issue for versions of oslo.utils < 4.1.0. Just for reference, it's these 2 patches, for example, in train:

https://review.opendev.org/c/openstack/cinder/+/870090
https://review.opendev.org/c/openstack/cinder/+/871631

See in particular lines 137-144 in the second patch:
https://review.opendev.org/c/openstack/cinder/+/871631/1/cinder/image/image_utils.py#137