Comment 202 for bug 2059809

Felix Huettner (felix.huettner) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

@zigo (#200) I attached the patch file of the additional tests.

@bryan (#198) I agree that if there are indeed backing files being used in Cinder natively, this will cause issues.

The only way I can think of fixing this would be by having some kind of allowlist of backing files which are OK?
However, then a user uploading a qcow2 could still use a backing file; it would just need to match the allowlist. Probably it could then still be used to read snapshots or so of other users.
Alternatively, do we have some way of knowing which qcow2 file should have a backing file? In this case we could skip the check just for these.
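As an added example (not from this bug thread and not Cinder or Glance code): a qcow2 header check in Python that rejects any image declaring an external data file and accepts a backing file only if its name is on an allowlist, the policy discussed above. Header offsets follow the qcow2 format specification; the sample images are constructed inline and are not usable disk images.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_DATA_FILE = 0x44415441      # "DATA" header extension carrying the external data file name
INCOMPAT_DATA_FILE = 1 << 2     # incompatible_features bit set when an external data file is in use

def parse_qcow2_header(img: bytes) -> dict:
    """Extract backing file name, external data file name and feature bits from a qcow2 header."""
    if img[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, backing_off, backing_len = struct.unpack(">IQI", img[4:20])
    features, ext_off = 0, 72                                   # v2: no feature bits, extensions at 72
    if version >= 3:
        features = struct.unpack(">Q", img[72:80])[0]           # incompatible_features
        ext_off = struct.unpack(">I", img[100:104])[0]          # header_length
    data_file = None
    while ext_off + 8 <= len(img):                              # walk the header extensions
        ext_type, ext_len = struct.unpack(">II", img[ext_off:ext_off + 8])
        if ext_type == 0:
            break
        if ext_type == EXT_DATA_FILE:
            data_file = bytes(img[ext_off + 8:ext_off + 8 + ext_len])
        ext_off += 8 + ((ext_len + 7) & ~7)                     # entries are padded to 8 bytes
    backing = bytes(img[backing_off:backing_off + backing_len]) if backing_off else None
    return {"backing_file": backing, "data_file": data_file, "incompatible_features": features}

def check_image(img: bytes, backing_allowlist=frozenset()) -> tuple:
    """Reject any external data file; allow a backing file only if it is on the allowlist."""
    h = parse_qcow2_header(img)
    if h["incompatible_features"] & INCOMPAT_DATA_FILE or h["data_file"] is not None:
        return False, "external data file present: %r" % h["data_file"]
    if h["backing_file"] is not None and h["backing_file"] not in backing_allowlist:
        return False, "backing file not on allowlist: %r" % h["backing_file"]
    return True, "ok"

def build_sample(backing: bytes = b"", data_file: bytes = b"") -> bytes:
    """Constructed minimal v3 header for testing (sample input only, not a usable disk image)."""
    hdr = bytearray(104)
    hdr[:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)                           # version 3
    struct.pack_into(">I", hdr, 20, 16)                         # cluster_bits
    struct.pack_into(">Q", hdr, 72, INCOMPAT_DATA_FILE if data_file else 0)
    struct.pack_into(">I", hdr, 100, 104)                       # header_length
    if data_file:
        hdr += struct.pack(">II", EXT_DATA_FILE, len(data_file)) + data_file
        hdr += b"\0" * (-len(data_file) % 8)                    # pad extension to 8 bytes
    hdr += struct.pack(">II", 0, 0)                             # end-of-extensions marker
    if backing:
        struct.pack_into(">QI", hdr, 8, len(hdr), len(backing)) # backing name stored after extensions
        hdr += backing
    return bytes(hdr)
```

The check only reads header fields and never opens the referenced files, so it can run on an uploaded image before any qemu-img invocation.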