Comment 177 for bug 2059809

Kurt Garloff (kgarloff) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Jens (re #175): Indeed, the protection happens when images are used, not when they are registered.
That's why we have to patch glance (image *conversion*, not registration), cinder (turning images into volumes) and nova (converting images before booting from them). It would be easier to throttle this at ingestion (image registration) time. But then we'd also need to plug the snapshot hole that Felix reported, so it might not reduce complexity a lot. Maybe we'd want both layers of protections for a defense-in-depth approach anyhow.
(#176) And I agree with Dan that adding functionality to really analyze images at registration time would be more intrusive, so not such a good choice for an emergency patch that needs to be heavily backported.

(#168) Jeremy: I think it's good to delay here, as sufficient time for backporting and testing is a requirement.

(#155) As for the rollout:
* This bug has the potential to turn trusted clouds into clouds where all credentials need to be exchanged. I wonder whether disabling image registrations and snapshots (sigh!) will need to be done by providers if patching all hosts takes them too long.
* With the information in this bug report, it takes less than 10 minutes to exploit, I fear. (8 minutes reading and understanding and then 1 min for qemu-img, openstack image create, openstack volume create --image.)
* I would very much love to have a few hours where I can -- under NDA -- hand the fixed code (fixed kolla images in our case) to our providers (without a lot of detail, so they'd need to reverse engineer) for them to deploy before all details get public and we have to expect exploitation within minutes ... This would help not just us, but all organizations that have personal relationships with their providers such that the trust to uphold an NDA for a few hours is a safe bet. I understand this would diverge from how this is normally done.
* If that is not possible, I guess I would love to see some delay between the embargo lift and the publication of the details that make exploitation rather trivial. (This gives us an hour or so, as people will need to analyze the patches and work out what the fixed problem really was and how to exploit it.)
* If none of this is possible, we will have strong requests from our providers to be invited here. I could actually support this for the individuals that I would also take under NDA, but it may become hard to draw the line as this will become a more common request and this may then not make us all safer ...