Comment 80 for bug 1996188

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)

If we have consensus on the fixes and backport patches (at least as far back as stable/xena) for all three of Cinder, Glance and Nova, then we can schedule an advisory for approximately a week out and send advance copies of these patches to downstream stakeholders along with the date and time we've chosen for publication. Just to double-check, we have the following patches for distribution:

 - Cinder (master and zed through wallaby) in comments #52-56
 - Glance (master and zed through train) in comments #64-71
 - Nova (master) in comment #17

What are the plans for nova backports? Or is it assumed that the provided patch applies cleanly at least as far back as stable/xena (in which case I'll just provide multiple copies named for each branch)?

Also, Sébastien Mériot has sent a follow-up E-mail requesting a change to list the reporters of this bug as Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou. Here's the updated impact description which will be used in the advance downstream notice and subsequent advisory publication...

Title: Arbitrary file access through custom VMDK flat descriptor
Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH)
Products: Cinder, Glance, Nova
Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0; Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0; Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0

Description:
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH) reported a vulnerability in VMDK image processing for Cinder, Glance and Nova.
By supplying a specially created VMDK flat image which references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server resulting in unauthorized access to potentially sensitive data.
All Cinder deployments are affected; only Glance deployments with image conversion enabled are affected; all Nova deployments are affected.
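An added illustration of the kind of pre-conversion validation the description above implies: parse a VMDK descriptor and reject any extent that references a file outside the descriptor's own directory. This is example code written for this page, not the Cinder, Glance or Nova patches; the sample descriptors, file names and the sibling-files-only rule are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed sample descriptors (not from the bug report). The first keeps its
# extent beside the descriptor; the second points at an arbitrary server path.
BENIGN_DESCRIPTOR = """# Disk DescriptorFile
version=1
createType="monolithicFlat"
RW 4192256 FLAT "disk-flat.vmdk" 0
"""

SUSPICIOUS_DESCRIPTOR = """# Disk DescriptorFile
version=1
createType="monolithicFlat"
RW 4192256 FLAT "/var/lib/example/secret.txt" 0
"""

# Extent lines look like: <access> <sectors> <type> "<filename>" [offset]
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+\d+\s+(\S+)\s+"([^"]*)"')


def find_external_extents(descriptor: str) -> list[str]:
    """Return extent file references that escape the descriptor's directory.

    Assumption (not from the advisory): a safe descriptor names only sibling
    files, so absolute paths, '..' components, directory separators and empty
    names are treated as escapes and the image should be refused before any
    conversion tool is allowed to open it.
    """
    escapes = []
    for line in descriptor.splitlines():
        m = EXTENT_RE.match(line.strip())
        if not m:
            continue
        ref = m.group(3)
        p = PurePosixPath(ref)
        if (p.is_absolute() or "\\" in ref or len(p.parts) != 1
                or ".." in p.parts):
            escapes.append(ref)
    return escapes


def is_safe_descriptor(descriptor: str) -> bool:
    """True only when every extent stays beside the descriptor."""
    return not find_external_extents(descriptor)
```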