Comment 364 for bug 2059809

James Page (james-page) wrote:

This bug was fixed in the package glance - 2:26.0.0-0ubuntu1.2~cloud0
---------------

 glance (2:26.0.0-0ubuntu1.2~cloud0) jammy; urgency=medium
 .
   [ James Page ]
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-pre1.patch: support Stream Optimized
       VMDKs in glance/common/format_inspector.py,
       glance/tests/unit/common/test_format_inspector.py.
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: extend format_inspector for
       QCOW safety.
     - debian/patches/CVE-2024-32498-3.patch: add VMDK safety check.
     - debian/patches/CVE-2024-32498-4.patch: reject unsafe qcow and vmdk
       files.
     - debian/patches/CVE-2024-32498-5.patch: add QED format detection to
       format_inspector.
     - debian/patches/CVE-2024-32498-6.patch: add file format detection to
       format_inspector.
     - debian/patches/CVE-2024-32498-7.patch: add safety check and detection
       support to FI tool.
     - CVE-2024-32498
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/2023.1 branch.