Comment 78 for bug 2059809

Brian Rosmaita (brian-rosmaita) wrote : Re: Arbitrary file access through QCOW2 external data file

From the cinder point of view, keeping in mind the subject of this particular CVE, I think the current patch that uses 'qemu-img info' to detect the presence of the data file is sufficient.

The issue of using 'qemu-img info' at all is a different CVE, and will take more time to address, perhaps with Dan's format inspector approach, or maybe at the qemu-img level (because it's really hard to believe that the 'info' call can't be used safely).