db98dc2070
Adds code to image_utils to check for a qcow2 external data file, a recent feature of qemu which we do not support and which can be used maliciously. Advice from the qemu-img community is that it is dangerous to call qemu-img info on untrusted files, so we copy over the format_inspector module from Glance. This performs basic analysis on the image data file so we can detect problematic images before we call qemu-img info to get all the image attributes. It is expected that this code will eventually be added to oslo so it can be consumed by Glance, Cinder, and Nova. Because cinder itself may create qcow2 format images with a backing file in nfs-based backends, the glance format_inspector has been modified to optionally allow such files. Since we are monkeying with the format_inspector code, we also copy over its unit tests to prevent regressions and to add tests for the changed code. Includes an additional fix to prevent an issue where a user could mount a raw volume and write a qcow2 header with a larger virtual size on it. On reattaching the volume it would have the new larger virtual size avaialable without actually changing the size value in cinder. While we cannot prevent this we can prevent the user from using this volume again, which makes this exploit pointless. Co-authored-by: Dan Smith <dansmith@redhat.com> Co-authored-by: Felix Huettner <felix.huettner@mail.schwarz> Change-Id: I65857288b797cde573e7443ac6e7e6f57fedde01 Closes-bug: #2059809 (cherry picked from commit b207be3278f3dab6cfe945bd3d307db168f6f6c7)
20 lines
941 B
YAML
20 lines
941 B
YAML
---
|
|
security:
|
|
- |
|
|
Images in the qcow2 format with an external data file are now
|
|
rejected with an ``ImageUnacceptable`` error because such images
|
|
could be used in an exploit to expose host information. Given
|
|
that qcow2 external data files were never supported by Cinder,
|
|
this change should have no impact on users. See `Bug #2059809
|
|
<https://bugs.launchpad.net/cinder/+bug/2059809>`_ for details.
|
|
fixes:
|
|
- |
|
|
`Bug #2059809 <https://bugs.launchpad.net/cinder/+bug/2059809>`_:
|
|
Fixed issue where a qcow2 format image with an external data file
|
|
could expose host information. Such an image is now rejected with
|
|
an ``ImageUnacceptable`` error if it is used to create a volume.
|
|
Given that qcow2 external data files were never supported by
|
|
Cinder, the only use for such an image previously was to attempt
|
|
to steal host information, and hence this change should have no
|
|
impact on users.
|