Comment 135 for bug 2071740

OpenStack Infra (hudson-openstack) wrote: Fix merged to ironic (bugfix/24.0)

Reviewed: https://review.opendev.org/c/openstack/ironic/+/927969
Committed: https://opendev.org/openstack/ironic/commit/07bb2caf3c75cda2b7a20e956836c72cdadca926
Submitter: "Zuul (22348)"
Branch: bugfix/24.0

commit 07bb2caf3c75cda2b7a20e956836c72cdadca926
Author: Julia Kreger <email address hidden>
Date: Thu Aug 8 12:42:20 2024 -0700

    CVE-2024-44982: Harden all image handling and conversion code

    It was recently learned by the OpenStack community that running qemu-img
    on un-trusted images without a format pre-specified can present a
    security risk. Furthermore, some of these specific image formats have
    inherently unsafe features. This is rooted in how qemu-img operates
    where all image drivers are loaded and attempt to evaluate the input data.
    This can result in several different vectors which this patch works to
    close.

    This change imports the qemu-img handling code from Ironic-Lib into
    Ironic, and image format inspection code, which has been developed by
    the wider community to validate general safety of images before converting
    them for use in a deployment.

    This patch contains functional changes related to the hardening of these
    calls including how images are handled, and updates documentation to
    provide context and guidance to operators.

    Closes-Bug: 2071740
    Change-Id: I7fac5c64f89aec39e9755f0930ee47ff8f7aed47
    Signed-off-by: Julia Kreger <email address hidden>
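The commit message describes the hardening in general terms: pin the input format instead of letting qemu-img probe with every driver, and inspect the image for unsafe features before converting it. The following is an added example written for this page, not ironic's code and not the community format inspector the commit imports. It assumes an allow-list of raw and qcow2 (a deployment choice), uses the qcow2 and VMDK header magics and the qcow2 header field layout (magic, version, backing_file_offset, backing_file_size), treats a qcow2 backing-file reference as one example of a feature to refuse on untrusted input (the commit does not enumerate which features it means), and only builds the qemu-img command line rather than running it. All sample headers are constructed inline.

```python
"""Pin the image format before handing an image to qemu-img.

Added example, not ironic's own code: read the leading bytes of an image,
check them against the format the caller claims, refuse qcow2 images that
reference a backing file, and only then build a qemu-img command with the
input format pinned via -f so qemu-img does not probe with every driver.
"""
import struct

QCOW2_MAGIC = b"QFI\xfb"   # first four bytes of every qcow2 header
VMDK_MAGIC = b"KDMV"       # VMDK sparse-extent header magic

# Formats this deployment is willing to convert (assumption for the example).
ALLOWED_FORMATS = ("raw", "qcow2")


def detect_format(header: bytes) -> str:
    """Return the format implied by the leading bytes; "raw" if no known magic."""
    if header[:4] == QCOW2_MAGIC:
        return "qcow2"
    if header[:4] == VMDK_MAGIC:
        return "vmdk"
    return "raw"


def qcow2_backing_file_present(header: bytes) -> bool:
    """True if the qcow2 header's backing_file_offset or backing_file_size is set.

    Header layout (big-endian): magic[4], version u32, backing_file_offset u64,
    backing_file_size u32. A backing file makes qemu-img open a second path
    chosen by the image author, which is the kind of feature to refuse on
    untrusted input.
    """
    if len(header) < 20:
        return False
    _magic, _version, backing_offset, backing_size = struct.unpack(">4sIQI", header[:20])
    return backing_offset != 0 or backing_size != 0


def check_image(header: bytes, declared_format: str):
    """Return (ok, reason); ok is True only when the image may be converted."""
    if declared_format not in ALLOWED_FORMATS:
        return False, f"format {declared_format!r} is not allowed"
    detected = detect_format(header)
    if detected != declared_format:
        # A "raw" image carrying a qcow2/VMDK magic is rejected conservatively:
        # it is exactly the input that would otherwise be re-probed as that format.
        return False, f"declared {declared_format!r} but header looks like {detected!r}"
    if detected == "qcow2" and qcow2_backing_file_present(header):
        return False, "qcow2 image references a backing file"
    return True, "ok"


def build_convert_command(header: bytes, declared_format: str, src: str, dst: str,
                          out_format: str = "raw"):
    """Return the argv for a pinned-format conversion, or raise ValueError."""
    ok, reason = check_image(header, declared_format)
    if not ok:
        raise ValueError(reason)
    # -f pins the input driver; -O pins the output driver.
    return ["qemu-img", "convert", "-f", declared_format, "-O", out_format, src, dst]


# Constructed sample headers (not real images), zero-padded after the fields we read.
def _qcow2_header(backing_offset: int = 0, backing_size: int = 0) -> bytes:
    return struct.pack(">4sIQI", QCOW2_MAGIC, 3, backing_offset, backing_size) + b"\x00" * 52


SAMPLE_QCOW2 = _qcow2_header()
SAMPLE_QCOW2_WITH_BACKING = _qcow2_header(backing_offset=0x200, backing_size=16)
SAMPLE_RAW = b"\x00" * 72          # a raw image has no magic at all
SAMPLE_VMDK = VMDK_MAGIC + b"\x00" * 68

if __name__ == "__main__":
    cases = [
        ("qcow2", SAMPLE_QCOW2, "qcow2"),
        ("qcow2 with backing file", SAMPLE_QCOW2_WITH_BACKING, "qcow2"),
        ("raw", SAMPLE_RAW, "raw"),
        ("qcow2 declared as raw", SAMPLE_QCOW2, "raw"),
        ("vmdk (not on allow-list)", SAMPLE_VMDK, "vmdk"),
    ]
    for name, hdr, declared in cases:
        print(f"{name:28s} -> {check_image(hdr, declared)}")
```

The check only reads the first bytes and the two backing-file fields; a production inspector (such as the one the commit imports) walks considerably more of each format's structure. The point the example isolates is the ordering: decide the format from inspection, confirm it matches what the caller declared, and pass that format to qemu-img explicitly, so the tool never has to guess.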