Comment 148 for bug 2059809

Thomas Goirand (thomas-goirand) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Hi,

At this point, I would suggest postponing the disclosure date. Indeed, it's even unclear to me what the patchsets are. Once I figure it out, I'll have to backport up to Victoria. It was a real pain to do so for Glance, as it needed extra patches from the project history to be able to apply the CVE patch (but it went fine for Nova and Cinder).

FYI, for Glance/Victoria, here's the list of patches that were needed to backport so that the CVE patch could apply, applied in this order:
Id613cfd61760c383c7c3cc6aea3f37eecb5ed4d9: Make action wrapper support arbitrary properties
I8f1d03275e6ec51a802cc4b4107f3ab648f535a1: Add missing fail case tests for image_conversion
I575dbc45781aaed521aeb5ef085322ad2018f378: Make image_conversion use action wrapper
I299a222eeef81431143db3ba7fc08365c924326b: Utilize newly added tasks database fields
I3ec5a33df20e1cfb6673f4ff1c7c91aacd065532: Limit CaptureRegion sizes in format_inspector for VMDK and VHDX
I7d63951ff080dc699b8d11babc0a5998d90621e4: Support Stream Optimized VMDKs

After these 6 patches applied, the cve-2024-32498-glance-stable-2023.1.patch needs to be applied by hand (it wouldn't apply without a manual rebase), and then some more patches are needed that I'm attaching here.

Note that it took me 2 full working days to reach that point and get no unit test failures. If we were to add more patches, please make them on top. I'm currently trying to run functional tests, and it's going to take some time to run them as well. It already took me 1 full day of work to get my CI back to working for Victoria ... :(

For Nova and Cinder, I'm fine with revised patches, though please allow enough time for backporting to earlier releases. The upstream OpenStack limitation to Antelope as the last supported release is far from enough for our users. I do intend to fix Glance, Nova and Cinder in both Bullseye (Debian 11) and Bookworm (Debian 12), meaning Victoria and Zed for the official releases, but also all intermediate releases between them. That's 8 releases that I'll have to work on, for 3 projects: that's a total of 24 patch-sets. 2 days for that work seems unreasonable to me, especially if I'm not even sure what the final patch-sets are.

BTW, can someone summarize what I need to do, compared to the original pre-OSSA?

Cheers,

Thomas Goirand (zigo)
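The ordered list of Gerrit Change-Ids above is the kind of thing that gets re-typed for every stable branch. The script below is an added example (not code from this comment, from Debian packaging, or from any OpenStack project): it resolves each Change-Id to the commit carrying that trailer on a source ref, cherry-picks them in order with `-x` onto the checked-out stable branch, and stops at the first one that needs a manual rebase, which is where the comment says the CVE patch itself had to be applied by hand. When run without arguments it builds a throwaway git repository with hypothetical Change-Ids (constructed for the demo, not the real ones) to show the stop-on-conflict behaviour.

```shell
#!/bin/sh
# Added example; not code from the Launchpad comment or from OpenStack.
# Resolves Gerrit Change-Ids (the form used in the list in the comment) to
# commits in a local clone and cherry-picks them in order onto the checked-out
# stable branch, stopping at the first one that needs a manual rebase.
set -eu

# The six Glance prerequisites from the comment, in the order they must apply.
GLANCE_VICTORIA_PREREQS="
Id613cfd61760c383c7c3cc6aea3f37eecb5ed4d9
I8f1d03275e6ec51a802cc4b4107f3ab648f535a1
I575dbc45781aaed521aeb5ef085322ad2018f378
I299a222eeef81431143db3ba7fc08365c924326b
I3ec5a33df20e1cfb6673f4ff1c7c91aacd065532
I7d63951ff080dc699b8d11babc0a5998d90621e4
"

# commit_for_change_id CHANGE_ID REF
# Prints the newest commit reachable from REF whose message carries the
# "Change-Id: CHANGE_ID" trailer, or nothing if there is none. Backports made
# with "git cherry-pick -x" keep the same Change-Id on every stable branch, so
# REF should be the branch the change first merged to (normally master).
commit_for_change_id() {
    git rev-list -n 1 --grep="^Change-Id: $1\$" "$2"
}

# backport_change_ids REF   (Change-Ids on stdin, one per line, blanks ignored)
# Cherry-picks each change with -x onto the current branch. Stops at the first
# change that does not apply cleanly, leaves the conflict in the work tree for
# a manual rebase, and returns 1. Prints the number of changes applied.
backport_change_ids() {
    src_ref=$1
    applied=0
    while read -r cid; do
        [ -n "$cid" ] || continue
        commit=$(commit_for_change_id "$cid" "$src_ref")
        if [ -z "$commit" ]; then
            echo "$applied"
            echo "no commit with Change-Id $cid reachable from $src_ref" >&2
            return 1
        fi
        if ! git cherry-pick -x "$commit" >/dev/null 2>&1; then
            echo "$applied"
            echo "$cid ($commit) conflicts: rebase it by hand, then rerun with the rest" >&2
            return 1
        fi
        applied=$((applied + 1))
    done
    echo "$applied"
}

# Constructed throwaway repository with hypothetical Change-Ids (not the real
# ones): master carries three changes; stable/victoria carries a local edit to
# the same line the third change touches, so the third cherry-pick conflicts.
demo() (
    tmp=$(mktemp -d)
    cd "$tmp"
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q
    git symbolic-ref HEAD refs/heads/master
    printf 'l1\nl2\nl3\nl4\nl5\nl6\nl7\nl8\n' > format_inspector.py
    git add format_inspector.py
    git commit -q -m "Initial import"
    git branch -q stable/victoria
    printf 'l1 wrapped\nl2\nl3\nl4\nl5\nl6\nl7\nl8\n' > format_inspector.py
    git commit -q -a -m "Make action wrapper support arbitrary properties" \
        -m "Change-Id: I1111111111111111111111111111111111111111"
    printf 'l1 wrapped\nl2\nl3\nl4\nl5\nl6\nl7\nl8\nl9 new test\n' > format_inspector.py
    git commit -q -a -m "Add missing fail case tests" \
        -m "Change-Id: I2222222222222222222222222222222222222222"
    printf 'l1 wrapped\nl2\nl3\nl4\nl5\nl6 capped\nl7\nl8\nl9 new test\n' > format_inspector.py
    git commit -q -a -m "Limit CaptureRegion sizes" \
        -m "Change-Id: I3333333333333333333333333333333333333333"
    git checkout -q stable/victoria
    printf 'l1\nl2\nl3\nl4\nl5\nl6 distro\nl7\nl8\n' > format_inspector.py
    git commit -q -a -m "Distro-local change on the same line"
    # The first two apply cleanly, the third conflicts: prints 2.
    n=$(printf '%s\n' I1111111111111111111111111111111111111111 \
        I2222222222222222222222222222222222222222 \
        I3333333333333333333333333333333333333333 \
        | backport_change_ids master 2>/dev/null) || true
    cd / && rm -rf "$tmp"
    echo "$n"
)

# With no arguments, run the demo. In a real clone, check out the stable
# branch, pass the source ref, and feed the Change-Ids on stdin, e.g.:
#   printf '%s\n' $GLANCE_VICTORIA_PREREQS | sh backport.sh origin/master
if [ $# -eq 0 ]; then
    demo
else
    backport_change_ids "$1"
fi
```

After a conflict the script deliberately does not run `git cherry-pick --abort`: the partially applied change stays in the work tree so it can be rebased by hand, committed, and the remaining Change-Ids fed back in. Searching a single source ref rather than `--all` matters because `-x` backports carry the same Change-Id on every stable branch, and picking the wrong copy would silently pull in a different tree.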