Comment 64 for bug 2059809

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through QCOW2 external data file

A few hours ago I got looped into a related private discussion between Martin Kaesberger and the QEMU security folks, and the upshot is that we should generally avoid calling `qemu-img info` on any image files without first confirming that it's safe to do so. The QEMU maintainers do not consider that tool/subcommand safe to run on untrusted inputs, and hardening it to make that possible is probably out of scope from their point of view, so relying on it as our first line of defense merely opens us up to additional risks.

Finding another way to check suspect images for the presence of unsafe parameters like backing file and data file references without passing them off to dangerous QEMU driver code is going to be a more robust solution in the long term, at least until such time as QEMU maintainers might develop a separate tool for safely inspecting image files, which we could then consider leveraging instead.
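The comment above asks for a way to spot backing file and data file references without handing the image to QEMU. The sketch below is an added example, not part of the comment and not code from QEMU or any OpenStack project. It reads only the leading bytes of a file, using the header layout in the published QCOW2 specification; the function names and sample header are hypothetical and constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2    # incompatible_features bit 2 (QCOW2 spec)
EXT_DATA_FILE_NAME = 0x44415441    # "external data file name" header extension


def unsafe_qcow2_features(buf):
    """Inspect the leading bytes of an image; parses only, opens nothing."""
    if len(buf) < 72 or buf[:4] != QCOW2_MAGIC:
        return ["not-qcow2-or-truncated"]
    version, backing_off, backing_len = struct.unpack_from(">IQI", buf, 4)
    if version not in (2, 3):
        return ["unknown-version"]
    findings = []
    if backing_off or backing_len:
        findings.append("backing-file")
    header_len = 72                 # fixed for version 2
    if version == 3:
        if len(buf) < 104:
            return findings + ["truncated-header"]
        (incompat,) = struct.unpack_from(">Q", buf, 72)
        (header_len,) = struct.unpack_from(">I", buf, 100)
        if incompat & INCOMPAT_EXTERNAL_DATA:
            findings.append("external-data-file-bit")
        if header_len < 104 or header_len % 8:
            return findings + ["bad-header-length"]
    # Walk header extensions: u32 type, u32 length, data padded to 8 bytes.
    pos = header_len
    while True:
        if pos + 8 > len(buf):
            return findings + ["extensions-not-terminated"]  # fail closed
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        if ext_type == 0:           # end-of-extensions marker
            return findings
        if ext_type == EXT_DATA_FILE_NAME:
            findings.append("external-data-file-name")
        pos += 8 + ((ext_len + 7) & ~7)


def sample_header(incompat=0, backing=(0, 0), exts=b""):
    """Constructed version 3 header for demonstration, not a usable image."""
    fixed = struct.pack(">4sIQIIQIIQQIIQQQQII", QCOW2_MAGIC, 3, backing[0],
                        backing[1], 16, 1 << 30, 0, 0, 0, 0, 0, 0, 0,
                        incompat, 0, 0, 4, 104)
    return fixed + exts + struct.pack(">II", 0, 0)
```

An empty list means neither reference was found in the header; any finding, including the truncation results, is a reason to reject the image before any QEMU tool touches it.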