Comment 198 for bug 2059809

Brian Rosmaita (brian-rosmaita) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

I looked at Felix's cinder-2059809-unified-master-v2.txt patch (comment #190); the added tests LGTM.

The reason I marked my patch as WIP is this section of the remotefs driver code:
https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/remotefs.py#L869

With the patch, it looks like the call to image_utils.qemu_img_info() will raise an exception whenever there's a backing file (which is allowed for the qcow2 files that cinder itself creates).
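To make the distinction in the comment above concrete, here is an added illustration (not the cinder patch, and not cinder's `image_utils`): a validator over the JSON that `qemu-img info --output=json` emits, which rejects a qcow2 image that references an external data file while still accepting an ordinary backing file when the caller says backing files are expected (as they are for the qcow2 files cinder creates itself). The key names (`backing-filename`, `format-specific.data.data-file`) are assumed from qemu-img's JSON format and should be checked against the QEMU version in use; the sample outputs are constructed, not captured from a real system.

```python
import json

# Constructed samples in the shape of `qemu-img info --output=json`
# (assumption: key names as qemu-img produces them; not from the cinder patch).
PLAIN_QCOW2 = json.dumps({
    "filename": "volume-0001", "format": "qcow2", "virtual-size": 1073741824,
})
BACKED_QCOW2 = json.dumps({
    "filename": "snapshot-0001", "format": "qcow2", "virtual-size": 1073741824,
    "backing-filename": "volume-0001", "backing-filename-format": "qcow2",
})
DATA_FILE_QCOW2 = json.dumps({
    "filename": "untrusted-upload", "format": "qcow2", "virtual-size": 1073741824,
    "format-specific": {
        "type": "qcow2",
        # An external data file lets the image point at an arbitrary host path.
        "data": {"data-file": "/path/on/host/not-a-volume", "data-file-raw": False},
    },
})


class UnsafeImage(Exception):
    """Raised when an image references files it must not reference."""


def external_data_file(info):
    """Return the external data file path from qemu-img JSON, or None."""
    return info.get("format-specific", {}).get("data", {}).get("data-file")


def check_image(info_json, allow_backing_file):
    """Validate qemu-img info output.

    - An external data file is never acceptable: it is the vector for
      arbitrary host file access, regardless of who created the image.
    - A backing file is acceptable only when the caller expects one
      (e.g. qcow2 files cinder created itself), so a blanket "raise on
      any backing file" check would break legitimate cinder-owned images.
    """
    info = json.loads(info_json)

    data_file = external_data_file(info)
    if data_file:
        raise UnsafeImage(f"external data file not allowed: {data_file}")

    backing = info.get("backing-filename")
    if backing and not allow_backing_file:
        raise UnsafeImage(f"backing file not allowed here: {backing}")

    return info


if __name__ == "__main__":
    # Cinder-created image with a backing file: accepted when expected.
    print(check_image(BACKED_QCOW2, allow_backing_file=True)["backing-filename"])
    # Image with an external data file: rejected in every context.
    try:
        check_image(DATA_FILE_QCOW2, allow_backing_file=True)
    except UnsafeImage as exc:
        print("rejected:", exc)
```

The point of splitting the two conditions is the one the comment raises: the remotefs driver legitimately produces qcow2 files with backing files, so the external-data-file check has to be separable from the backing-file check rather than folded into one "raise if anything is referenced" rule.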