Just for clarity the problematic line for RBD is
https://github.com/openstack/nova/blob/b5890b3c36613919338f83c4f59225f424c99cb1/nova/virt/libvirt/imagebackend.py#L818
if you look at convert_image method it calls:
https://github.com/openstack/nova/blob/b5890b3c36613919338f83c4f59225f424c99cb1/nova/virt/images.py#L71
the call to qemu-image convert never gets passed an input file format (-f) which means it tries to guess it from the image.
Other formats Matt mentions call the same method and are exploitable for the same reason.
Just for clarity the problematic line for RBD is
https:/ /github. com/openstack/ nova/blob/ b5890b3c3661391 9338f83c4f59225 f424c99cb1/ nova/virt/ libvirt/ imagebackend. py#L818
if you look at convert_image method it calls:
https:/ /github. com/openstack/ nova/blob/ b5890b3c3661391 9338f83c4f59225 f424c99cb1/ nova/virt/ images. py#L71
the call to qemu-image convert never gets passed an input file format (-f) which means it tries to guess it from the image.
Other formats Matt mentions call the same method and are exploitable for the same reason.